http://qs1969.pair.com?node_id=290392

bugsbunny has asked for the wisdom of the Perl Monks concerning the following question:

hi,
I want to automate a Cisco session over ssh (not over telnet).
I will probably be able to write such a script with the Expect module (of course, pointers and ideas on this are welcome).
My problem is that I want to store the password in a secure way. What I mean is... I don't want to store the password inside the script which does the ssh connection. I also can't use crypt()-like encryption, because I need the real password for making the ssh connection, not some encrypted garbage (which I could compare for a match with another encrypted password)...

So my question is how to hide the password so that it can't be decrypted easily, and do it in a secure way so that even if someone gets hold of my script, they are "unable" to hijack my password and/or connect through the script to the Cisco.

tia

Replies are listed 'Best First'.
Re: ssh session
by liz (Monsignor) on Sep 10, 2003 at 12:26 UTC
    Make sure your script is readable by root only. And be root of course. Then only someone with root access to your machine can get at it. And if that happens, you have other problems.

    If you can't be root, make it readable by you only. This doesn't exclude root from reading. If you don't trust root, you have a problem.

    Any other approach that does not involve you typing in the actual password when the program needs running, will be rather easy to circumvent in my opinion. But of course I'm always open to other monks' opinions about this.

    Liz

Re: ssh session
by zentara (Archbishop) on Sep 10, 2003 at 14:06 UTC
    Your best bet is to use "key authentication" and then keep the login key on a floppy or something like a usb keyring storage device. That way you keep the key in a safe place and no one will be able to hijack your key. I'm not familiar with ssh on a cisco, but on a pc key generation is simple.

    Generate your ssh keys with <ssh-keygen -d> for ssh2. You will have the files $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_dsa. The id_dsa.pub file is your public key. Copy that file to the target as $HOME/.ssh/machinename.pub and do a "cd .ssh; cat machinename.pub >>authorized_keys". Now you should be able to connect to the target machine via ssh without using passwords.

Re: ssh session
by asarih (Hermit) on Sep 10, 2003 at 12:27 UTC
    I'm guessing that you want to write a script with Perl. Otherwise your question is off-topic. :)

    I don't know how CISCO routers handle ssh sessions, but if you want to automate ssh connections, I think your best bet is public key with empty passphrase. If a script can decrypt whatever password by whatever means, so can your perpetrator (once he gets your script). (Hmmm.... My answer is completely devoid of Perl content.)

    Addendum With public key, you'll have to guard your private key to the best of your abilities.

      It is not possible to use "empty-pass.." with Cisco, because it supports only ssh1 with DES encryption.. rather outdated.. And yes, I want to do all this with Perl, because there will be a lot of parsing of the results :"), not only logon-execute-logout..
      Hmm.. what about a persistent connection (or at least 1-2 hours)? I will need some sort of daemon for this, isn't it?!
        Maybe rather than using cron to have your program execute automatically at regular times (forcing you to store the access mechanism somewhere), you could make it run eternally after you have supplied the right credentials manually during startup.

        Then maybe you would need a cron job to check whether the program is still running.

        It might have some job security implications as well, that you may or may not like (it's not always nice if you cannot be missed).

        Liz
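
An added example, written for this thread and not code from any of the posters above, of the approach Liz describes: the script asks for the password once when it starts, keeps it only in process memory, and then drives the ssh session with the Expect module, so nothing on disk lets a reader of the script log in. The host and user name come from the command line, the prompt regex (hostname followed by > or #), the "show version" parse and the use of Term::ReadKey for the no-echo prompt are assumptions, not anything the device or the thread specifies:

```perl
#!/usr/bin/perl
# Added example: prompt for the password at startup (never stored on disk),
# then drive an ssh login to a Cisco device with Expect and parse output.
# Host, user, prompt shape and the parsed field are assumptions.
use strict;
use warnings;
use Expect;
use Term::ReadKey;

my $host = shift @ARGV or die "usage: $0 host [user]\n";
my $user = shift @ARGV || 'admin';      # assumed account name

# Read the password from the terminal with echo off. It lives only in this
# process's memory; nothing is written to the script or to a file.
print "Password for $user\@$host: ";
ReadMode('noecho');
my $password = ReadLine(0);
ReadMode('restore');
print "\n";
chomp $password;
die "empty password\n" unless length $password;

# Assumed prompt shapes: "hostname>" (user exec) or "hostname#" (privileged).
my $prompt = qr/[\w.-]+[>#]\s*$/;

my $exp = Expect->new;
$exp->raw_pty(1);        # no local echo or line editing in the pty
$exp->log_stdout(0);     # stay quiet; output is collected via $exp->before
# StrictHostKeyChecking=yes: an unknown or changed host key aborts instead of
# prompting, so the password is never typed into a man-in-the-middle.
$exp->spawn('ssh', '-o', 'StrictHostKeyChecking=yes', "$user\@$host")
    or die "cannot spawn ssh: $!\n";

$exp->expect(20,
    [ qr/Host key verification failed/i =>
        sub { die "host key for $host unknown or changed; fix known_hosts out of band\n" } ],
    [ qr/[Pp]assword:\s*$/ =>
        sub { my $e = shift; $e->send("$password\n"); exp_continue; } ],
    [ qr/Permission denied|Authentication failed/i =>
        sub { die "authentication failed for $user\@$host\n" } ],
    [ $prompt => sub { } ],
    [ timeout => sub { die "timed out waiting for the login prompt\n" } ],
    [ eof     => sub { die "ssh exited before a prompt appeared\n" } ],
);

# The password is no longer needed: overwrite it so a core dump or a later
# bug is less likely to leak it (Perl gives no hard guarantee of this).
substr($password, 0, length $password) = "\0" x length $password;
undef $password;

# Turn off paging so long output is not interrupted by "--More--".
run_cmd($exp, 'terminal length 0');
my $ver = run_cmd($exp, 'show version');
my ($ios) = $ver =~ /Version\s+(\S+)/;     # assumed format of the first line
print "IOS version: ", (defined $ios ? $ios : 'unknown'), "\n";

$exp->send("exit\n");
$exp->soft_close();

# Send one command, wait for the prompt, and return the command's output
# with the echoed command line removed.
sub run_cmd {
    my ($e, $cmd) = @_;
    $e->send("$cmd\n");
    $e->expect(30,
        [ $prompt ],
        [ timeout => sub { die "timed out on '$cmd'\n" } ],
        [ eof     => sub { die "connection dropped during '$cmd'\n" } ],
    );
    my $out = $e->before;
    $out =~ s/^\Q$cmd\E\r?\n//;   # drop the echoed command
    return $out;
}
```

Started by hand, a long-running version of this script can keep the session (or reconnect with the password still in memory) and be polled by cron only to check that it is alive, as Liz suggests. Liz's root caveat still holds: anyone who can read the process's memory, or attach a debugger to it, can recover the password; the script only avoids leaving it on disk.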

Re: ssh session
by skaba9 (Beadle) on Sep 10, 2003 at 22:05 UTC
    Have you looked into Net::SSH? It uses keys instead of a password.

    Not sure if this will help, but good luck.

    sk