Re: SFTP using expect script (41 Views)
Reply
Regular Advisor
Dewa Negara_4
Posts: 194
Registered: ‎04-14-2003
Message 1 of 10 (41 Views)
Accepted Solution

SFTP using expect script

Hi All,

I am running SFTP using expect script below :

#!/usr/local/bin/expect
spawn sftp -b batchFile @
expect "password:"
send "\n";
interact

Is there any way how to prevent from hard-code the password in the script? Can we hidden the password? I just want to mitigate the security risk for the script.

Pls help. High score will be given.

Thanks and Best Regards,
Negara

Santos
Please use plain text.
Honored Contributor
harry d brown jr
Posts: 8,418
Registered: ‎12-12-2000
Message 2 of 10 (41 Views)

Re: SFTP using expect script


Make the script only readable and executable by root (chmod 500 scriptname) or write a C program that creates the script on the fly and then executes it, or write the program in perl and then compile (perlcc) it. You will have to make sure you don't put the passwd in a contiguous string.

live free or die
harry
Live Free or Die
Please use plain text.
Honored Contributor
Geoff Wild
Posts: 7,168
Registered: ‎06-04-2001
Message 3 of 10 (41 Views)

Re: SFTP using expect script

That's the downside of sftp with expect - you need to hard code it.

Now, what you can do, is setup certificates between the sites.

Rgds...Geoff



Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Please use plain text.
Regular Advisor
Dewa Negara_4
Posts: 194
Registered: ‎04-14-2003
Message 4 of 10 (41 Views)

Re: SFTP using expect script

Hi Geoff / Harry,

Thanks.

Will the crtificate be able to avoid hard-coded passord?

What is the steps do configure the certificate? Sorry because this is really new for me.

Thanks.
Negara
Santos
Please use plain text.
Honored Contributor
Sridhar Bhaskarla
Posts: 6,350
Registered: ‎08-15-2001
Message 5 of 10 (41 Views)

Re: SFTP using expect script

Hi Negara,

I believe Geoff meant public/private key authentication. All your problems will be simply vanished if you follow that procedures. Check one of your old threads and you will find the procedures posted by myself and others.

Also, look at the other thread where you mentioned about sftp working with .shosts/.rhosts. I asked you to override PreferredAuthentications options using the command line. I believe you are almost there.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Please use plain text.
Regular Advisor
Dewa Negara_4
Posts: 194
Registered: ‎04-14-2003
Message 6 of 10 (41 Views)

Re: SFTP using expect script

Hi Sridhar,

Thanks. I got a new problem now. The remote server belongs to other company. So we not eligible to suggest them to modify their sshd_config. I have talked to my boss and he agreed to use expect script. But it will be better if the hard-coded password can be prevented. So I am trying to find how can we avoid the hard-coded password in the script.

Thanks for your help Sridhar.

Best Regards,
Negara
Santos
Please use plain text.
Honored Contributor
Sridhar Bhaskarla
Posts: 6,350
Registered: ‎08-15-2001
Message 7 of 10 (41 Views)

Re: SFTP using expect script

Hi Negara,

You don't really have much choice other than what Harry already gave you if you are planning to use expect.

If you have to run it some user, then make sure the permissions are set to only 500 for the script so that others can't read the script.

If you have to share the password, then create a user say user and a group 'secgrp' with all the users that need to run the script in it. Then put it in a secured directory owned by 'secuser' but to be only read by 'secgrp'. In side that directory change the permissions to '4510' with 'secuser:secgrp' as the ownership. This way only secuser will be able to view the file. Members in secgrp will only be able to execute it as secuser but not read it.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Please use plain text.
Regular Advisor
Dewa Negara_4
Posts: 194
Registered: ‎04-14-2003
Message 8 of 10 (41 Views)

Re: SFTP using expect script

Hi Sridhar,

Thanks alot.

Then I need to think alternatively using perl or C as suggested by Harry. At least I can make it more secure by compiling the script.

Thanks.
Negara
Santos
Please use plain text.
Trusted Contributor
Michael Selvesteen_2
Posts: 118
Registered: ‎04-04-2004
Message 9 of 10 (41 Views)

Re: SFTP using expect script

You can encrypt your whole expect script with ccrypt utility. This is an enhanced version of standard unix crypt utility. It can encrypt and decrypt a file.

For more details on ccrypt

http://sourceforge.net/projects/ccrypt/

A pre compiled version for hp-ux is available
from following location

http://quasar.mathstat.uottawa.ca/~selinger/ccrypt/


After downloading, Just gunzip and untar the package. After setting proper permission (if required), encrypt your expect file.

for example

# ./ccrypt -e
Enter encryption key: < set your passphrase>
Enter encryption key: (repeat)

The encrypted file will be stored as "File_to_encrypt.cpt"

To decrypt

./ccrypt -d

The file will be retained to original format after you enter the passphrase.

For more ccrypt advanced options refer README

So, whenever you need to use sftp just decrypt your expect file on other time keep it as encrypted.

Hope this helps

Please use plain text.
Regular Advisor
Dewa Negara_4
Posts: 194
Registered: ‎04-14-2003
Message 10 of 10 (41 Views)

Re: SFTP using expect script

Hi Michael,

Thanks alot.

I have installed the software and it looks fine for me.

One more problem how can we make encryption/decryption of the script using batch file? Any idea?

Thanks and Best Regards,
Negara
Santos
Please use plain text.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation