Operating System - HP-UX

Re: SFTP using expect script

 
Dewa Negara_4
Regular Advisor

SFTP using expect script

Hi All,

I am running SFTP using the expect script below:

#!/usr/local/bin/expect
spawn sftp -b batchFile @
expect "password:"
send "\n";
interact

Is there any way to avoid hard-coding the password in the script? Can we hide the password? I just want to mitigate the security risk of the script.

Pls help. High score will be given.

Thanks and Best Regards,
Negara

Santos
harry d brown jr
Honored Contributor
Solution

Re: SFTP using expect script


Make the script only readable and executable by root (chmod 500 scriptname) or write a C program that creates the script on the fly and then executes it, or write the program in perl and then compile (perlcc) it. You will have to make sure you don't put the passwd in a contiguous string.

live free or die
harry
Live Free or Die
Geoff Wild
Honored Contributor

Re: SFTP using expect script

That's the downside of sftp with expect - you need to hard code it.

Now, what you can do is set up certificates between the sites.

Rgds...Geoff



Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Dewa Negara_4
Regular Advisor

Re: SFTP using expect script

Hi Geoff / Harry,

Thanks.

Will the certificate be able to avoid the hard-coded password?

What are the steps to configure the certificate? Sorry, because this is really new for me.

Thanks.
Negara
Santos
Sridhar Bhaskarla
Honored Contributor

Re: SFTP using expect script

Hi Negara,

I believe Geoff meant public/private key authentication. All your problems will simply vanish if you follow those procedures. Check one of your old threads and you will find the procedures posted by myself and others.

Also, look at the other thread where you mentioned about sftp working with .shosts/.rhosts. I asked you to override PreferredAuthentications options using the command line. I believe you are almost there.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Dewa Negara_4
Regular Advisor

Re: SFTP using expect script

Hi Sridhar,

Thanks. I have a new problem now. The remote server belongs to another company, so we are not eligible to suggest that they modify their sshd_config. I have talked to my boss and he agreed to use the expect script. But it will be better if the hard-coded password can be prevented. So I am trying to find how we can avoid the hard-coded password in the script.

Thanks for your help Sridhar.

Best Regards,
Negara
Santos
Sridhar Bhaskarla
Honored Contributor

Re: SFTP using expect script

Hi Negara,

You don't really have much choice other than what Harry already gave you if you are planning to use expect.

If you have to run it as some user, then make sure the permissions are set to only 500 for the script so that others can't read the script.

If you have to share the password, then create a user say user and a group 'secgrp' with all the users that need to run the script in it. Then put it in a secured directory owned by 'secuser' but to be only read by 'secgrp'. Inside that directory change the permissions to '4510' with 'secuser:secgrp' as the ownership. This way only secuser will be able to view the file. Members in secgrp will only be able to execute it as secuser but not read it.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
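
The permission advice in the replies above (mode 500, or 4510 inside a protected directory) can be verified with a small audit function. This is an added example, not code from any poster in the thread; the function name `check_secret_script` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a script that embeds a password.
# Return codes (chosen for this example): 0 = only the owner can read or
# modify the file, 1 = an exposure was found, 2 = the path is not a file.

check_secret_script() {
    css_file=$1
    [ -f "$css_file" ] || { echo "not a regular file: $css_file" >&2; return 2; }
    css_rc=0

    # A group (040) or other (004) read bit exposes the embedded password.
    if [ -n "$(find "$css_file" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $css_file is readable by group or others" >&2
        css_rc=1
    fi

    # A group (020) or other (002) write bit lets someone alter the script.
    if [ -n "$(find "$css_file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $css_file is writable by group or others" >&2
        css_rc=1
    fi

    # A writable parent directory allows the file to be replaced outright,
    # because rename and unlink only need write permission on the directory.
    css_dir=$(dirname "$css_file")
    if [ -n "$(find "$css_dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: directory $css_dir is writable by group or others" >&2
        css_rc=1
    fi

    return $css_rc
}

# Stand-alone use: pass the script path as the first argument.
if [ $# -gt 0 ]; then
    check_secret_script "$1"
fi
```

Modes 500 and 4510 both pass the read check, since 4510 gives the group execute permission only. Whether the setuid bit in 4510 takes effect on an interpreted script depends on the platform; Linux, for example, ignores it.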
Dewa Negara_4
Regular Advisor

Re: SFTP using expect script

Hi Sridhar,

Thanks a lot.

Then I need to think alternatively using perl or C as suggested by Harry. At least I can make it more secure by compiling the script.

Thanks.
Negara
Santos
Michael Selvesteen_2
Trusted Contributor

Re: SFTP using expect script

You can encrypt your whole expect script with the ccrypt utility. This is an enhanced version of the standard Unix crypt utility. It can encrypt and decrypt a file.

For more details on ccrypt

http://sourceforge.net/projects/ccrypt/

A precompiled version for HP-UX is available from the following location

http://quasar.mathstat.uottawa.ca/~selinger/ccrypt/


After downloading, just gunzip and untar the package. After setting proper permissions (if required), encrypt your expect file.

for example

# ./ccrypt -e File_to_encrypt
Enter encryption key: < set your passphrase>
Enter encryption key: (repeat)

The encrypted file will be stored as "File_to_encrypt.cpt"

To decrypt

./ccrypt -d File_to_encrypt.cpt

The file will be retained to original format after you enter the passphrase.

For more ccrypt advanced options refer README

So, whenever you need to use sftp, just decrypt your expect file; at other times keep it encrypted.

Hope this helps

Dewa Negara_4
Regular Advisor

Re: SFTP using expect script

Hi Michael,

Thanks a lot.

I have installed the software and it looks fine for me.

One more problem: how can we do the encryption/decryption of the script using a batch file? Any idea?

Thanks and Best Regards,
Negara
Santos