Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?
 
PerlMonks  

ssh session

by bugsbunny (Scribe)
on Sep 10, 2003 at 12:16 UTC ( #290392=perlquestion: print w/replies, xml ) Need Help??

bugsbunny has asked for the wisdom of the Perl Monks concerning the following question:

hi,
I what to automate a cisco session over ssh (not over telnet),
I probably will be able to make such script with expect module (of course pointers and ideas on this are welcome).
My problem is that I want to store the password in a secure way, what I mean... I don't want to store the password inside the script which does the ssh-connection. I also can't use crypt() like encrypting 'cause I need real password for doing ssh-connection, not some crypted-garbage (which I can compare for match w/ other crypted password) ...

So my question is how to hide the password so that it can't be decrypted easier. And do it in secure way so that even if someone get hands to my script, "to be unable" to hijack my pass and/or connect trought the script to the cisco..

tia

Replies are listed 'Best First'.
Re: ssh session
by liz (Monsignor) on Sep 10, 2003 at 12:26 UTC
    Make sure your script is readable by root only. And be root of course. Then only someone with root access to your machine can get at it. And if that happens, you have other problems.

    If you can't be root, make it readable by you only. This doesn't exclude root from reading. If you don't trust root, you have a problem.

    Any other approach that does not involve you typing in the actual password when the program needs running, will be rather easy to circumvent in my opinion. But of course I'm always open to other monks' opinions about this.

    Liz

Re: ssh session
by zentara (Archbishop) on Sep 10, 2003 at 14:06 UTC
    Your best bet is to use "key authentication" and then keep the login key on a floppy or something like a usb keyring storage device. That way you keep the key in a safe place and no one will be able to hijack your key. I'm not familiar with ssh on a cisco, but on a pc key generation is simple.

    Generate your ssh-keys with <ssh-keygen -d> for ssh2. You will have the files $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_dsa. The id_dsa.pub - file is your public key. Copy that file to the target to $HOME/.ssh/machinename.pub and do a "cd .ssh; cat machinename.pub >>authorized_keys". Now you should be able to connect to the target machine via ssh without using passwords.

Re: ssh session
by asarih (Hermit) on Sep 10, 2003 at 12:27 UTC
    I'm guessing that you want to write a script with Perl. Otherwise your question is off-topic. :)

    I don't know how CISCO routers handle ssh sessions, but if you want to automate ssh connections, I think your best best is public key with empty passphrase. If a script can decrypt whatever password by whatever means, so can your perpetrator (once he gets your script). (Hmmm.... My answer is completely devoid of Perl content.)

    Addendum With public key, you'll have to guard your private key to the best of your abilities.

      it is not possible to use "empty-pass.." with cisco, 'cause it supports only ssh1 with DES encryption.. rather outdated.. And yes i want to do all this with Perl, 'cause there will be alot of parsing of the results :"), not only logon-execute-logout..
      hmm .. what about persistant connection (or at least 1-2 hour). I will need some sort of deamon for this isnt it ?!
        Maybe rather than using cron to have your program execute automatically at regular times (forcing you to store the access mechanism somewhere), you could make it running eternally after you supplied the right credentials manually during startup.

        Then maybe you would need a cron job to check whether the program is still running.

        It might have some job security implications as well, that you may or may not like (it's not always nice if you cannot be missed).

        Liz

Re: ssh session
by skaba9 (Beadle) on Sep 10, 2003 at 22:05 UTC
    Have you looked into Net::SSH it uses keys instead of a password.

    Not sure is this will help, but good luck.

    sk

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://290392]
Approved by phydeauxarff
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (6)
As of 2022-09-27 09:05 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    I prefer my indexes to start at:




    Results (118 votes). Check out past polls.

    Notices?