in reply to Problems with passwords

You have a problem. Suppose you were able to make a script with the password hidden -- the roots could just sniff the network connection -- so, you're kinda hosed...

You haven't said it, but I suspect that the script needs to run unattended -- that is, the script runs without an operator entering a password.

There are a number of obfuscation techniques which you might attempt, but ultimately, anything your script can do, the root can do as well (or better), so there is no straightforward solution.

Some systems offer access control lists which transcend root power. You can even do this in NT/win2k. But in typical *nix setups, it can't be done.

So then the question boils down to (a) do you really need to do this (probably not), or (b) what kind of obfuscation do you best prefer? There are lots of good examples to choose from here at PerlMonks, but they ultimately all leave you obscuring the obvious, and there's no real security.

I suppose if you're desperate, you could distribute the authentication requirement over two servers, so that the evil sysop would have to read your script in both places to decode your password, but that means that every time you need to log into your device you have to socket to the second server, and of course you have to have accounts on both servers... And the sysop could still sniff your connection and that'd be the end of it.

If the network device allows you to load authentication software (à la PAM) there might be some public key options which might work, but most simple options still allow a root to spoof you...
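
The two-server idea from the reply above, sketched as an added example (not code from the original post): the password is split into two XOR shares so that neither host stores anything useful on its own. The function names and the sample password are hypothetical, and a *nix `/dev/urandom` is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Read $n bytes from the kernel CSPRNG (assumes a *nix /dev/urandom).
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Split a secret into two shares: a random pad, and the secret XOR that pad.
# Either share alone is indistinguishable from random bytes.
sub split_secret {
    my ($secret) = @_;
    my $pad = random_bytes(length $secret);
    # Quoting both operands forces Perl's bytewise string XOR.
    return ($pad, "$secret" ^ "$pad");
}

# Recombine the shares. The script has to do this before it can log in.
sub join_shares {
    my ($s1, $s2) = @_;
    die "share length mismatch" unless length $s1 == length $s2;
    return "$s1" ^ "$s2";
}

my $password = 'example-device-password';    # constructed sample value
my ($local_share, $remote_share) = split_secret($password);

# In the two-server setup, $local_share would sit beside the script and
# $remote_share would be fetched over a socket from the second server.
printf "local share : %s\n", unpack 'H*', $local_share;
printf "remote share: %s\n", unpack 'H*', $remote_share;

my $recovered = join_shares($local_share, $remote_share);
print "recombined  : $recovered\n";

# From this point the plaintext is in this process's memory and is about to
# be sent to the device, which is where root on this host can still see it.
```

Splitting only protects the stored copies; once `join_shares` has run, the limitation described in the reply applies unchanged.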