09-08-2004 08:29 PM
I am running SFTP using expect script below :
spawn sftp -b batchFile
Is there any way to prevent hard-coding the password in the script? Can we hide the password? I just want to mitigate the security risk for the script.
Please help. High score will be given.
Thanks and Best Regards,
09-08-2004 11:19 PM
Make the script only readable and executable by root (chmod 500 scriptname) or write a C program that creates the script on the fly and then executes it, or write the program in perl and then compile (perlcc) it. You will have to make sure you don't put the passwd in a contiguous string.
live free or die
09-09-2004 12:32 AM
Now, what you can do, is setup certificates between the sites.
09-09-2004 02:51 PM
Will the certificate be able to avoid the hard-coded password?
What are the steps to configure the certificate? Sorry, because this is really new for me.
09-09-2004 03:07 PM
I believe Geoff meant public/private key authentication. All your problems will simply vanish if you follow those procedures. Check one of your old threads and you will find the procedures posted by myself and others.
Also, look at the other thread where you mentioned sftp working with .shosts/.rhosts. I asked you to override the PreferredAuthentications option using the command line. I believe you are almost there.
09-09-2004 03:57 PM
Thanks. I got a new problem now. The remote server belongs to another company, so we are not eligible to suggest that they modify their sshd_config. I have talked to my boss and he agreed to use an expect script. But it will be better if the hard-coded password can be avoided. So I am trying to find out how we can avoid the hard-coded password in the script.
Thanks for your help Sridhar.
09-09-2004 04:34 PM
You don't really have much choice other than what Harry already gave you if you are planning to use expect.
If you have to run it as some user, then make sure the permissions are set to only 500 for the script so that others can't read the script.
If you have to share the password, then create a user, say 'secuser', and a group 'secgrp' with all the users that need to run the script in it. Then put it in a secured directory owned by 'secuser' but only readable by 'secgrp'. Inside that directory change the permissions to '4510' with 'secuser:secgrp' as the ownership. This way only secuser will be able to view the file. Members of secgrp will only be able to execute it as secuser but not read it.
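As an added illustration of the same idea (not code from any poster in this thread): rather than protecting a script that contains the password, keep the password in a separate file that only the running account can read, have the wrapper verify that before use, and hand the value to expect through the environment. The file path, the `SFTP_PASS` variable name and the expect script name are assumptions.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): keep the sftp password
# out of the expect script entirely. The wrapper reads it from a separate file,
# but only after checking that the file is a regular file owned by the calling
# uid with no group/other permission bits, then passes it to expect through the
# environment, so neither the script nor the process list holds the literal.

# check_secret_file FILE
# Returns 0 if FILE is a regular file, owned by the current uid, with mode
# matching -r??------ (owner bits only, no ACL "+" marker). Prints the reason
# on stderr and returns 1 otherwise.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # ls -ldn prints a numeric uid and is more portable than stat(1) across
    # Linux, BSD and HP-UX; field 1 is the mode string, field 3 the owner uid.
    set -- $(ls -ldn "$f")
    mode=$1; owner=$3
    case "$mode" in
        -r??------|-r??------.) ;;  # trailing "." is an SELinux label, harmless
        *) echo "refusing $f: mode $mode allows group/other access" >&2; return 1 ;;
    esac
    me=$(id -u)
    [ "$owner" = "$me" ] || { echo "refusing $f: owned by uid $owner, not $me" >&2; return 1; }
    return 0
}

# load_secret FILE
# Exports the first line of FILE as SFTP_PASS after the checks above.
# The expect script then uses $env(SFTP_PASS) in its send line instead of a
# literal, e.g.:   expect "password:" { send "$env(SFTP_PASS)\r" }
load_secret() {
    check_secret_file "$1" || return 1
    IFS= read -r SFTP_PASS < "$1" || return 1
    [ -n "$SFTP_PASS" ] || { echo "refusing $1: empty secret" >&2; return 1; }
    export SFTP_PASS
}

# Usage (paths are assumptions):
#   load_secret "$HOME/.sftp_pass" && expect sftp_batch.exp
```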
09-09-2004 07:04 PM
Then I need to think of an alternative using perl or C as suggested by Harry. At least I can make it more secure by compiling the script.
09-09-2004 09:28 PM
For more details on ccrypt
A pre-compiled version for HP-UX is available
from the following location.
After downloading, just gunzip and untar the package. After setting proper permissions (if required), encrypt your expect file.
# ./ccrypt -e
Enter encryption key: < set your passphrase>
Enter encryption key: (repeat)
The encrypted file will be stored as "File_to_encrypt.cpt".
The file will be returned to its original format after you enter the passphrase.
For more ccrypt advanced options refer to the README.
So, whenever you need to use sftp just decrypt your expect file; at other times keep it encrypted.
Hope this helps.
09-15-2004 04:15 PM
I have installed the software and it looks fine for me.
One more problem: how can we do the encryption/decryption of the script using a batch file? Any idea?
Thanks and Best Regards,