jason_f has asked for the wisdom of the Perl Monks concerning the following question:

I have a script that runs telnet commands. I want to give people with access to my server, access to run this script. I _don't_ want them to get the password, as it's currently stored in cleartext in the script. I'm not worried about extreme security, I just want the password hidden. 1) What's the easiest way to do this? 2) I've tried implementing this via Data::Encrypted, however I'm getting 'Bad key file format at /usr/local/share/perl/5.8.8/Data/Encrypted.pm line 78'. I'm using my ssh keys generated via ssh-keygen to pass to the program. Can anyone advise on how to fix this error or an easier way to go about doing this?

Re: Need help hiding a password
by alexm (Chaplain) on Mar 14, 2008 at 15:50 UTC
    If you're concerned about security, forget about telnet and use SSH key authentication instead.
Re: Need help hiding a password
by tirwhan (Abbot) on Mar 14, 2008 at 16:25 UTC

    I agree with alexm, you should use ssh, otherwise any attempt to hide the password will be utterly useless (for example, the user and anyone else on the network could simply listen to the network traffic generated by your script and read the password that way).

    Also, ssh gives you the possibility to execute only a specific script/command on the remote machine, via the "forced command" mechanism. You could generate an ssh keypair on the local machine, transfer the public part to the remote machine and assign it a script to execute. Your local script would then work without a password, but only enable the running of a single command on the remote server (which I think is what you're after).


    All dogma is stupid.
Re: Need help hiding a password
by almut (Canon) on Mar 14, 2008 at 18:06 UTC

    I agree with the other posters that using telnet and sending passwords in the clear is certainly suboptimal... but I'd like to comment on the technique of making code 'execute-only', which is sometimes mentioned as an option in this context.

    Generally, AFAIK, it's not possible (under Unix — not sure about Windows) to give anyone privileges to run a script, but not allow them to read the script source (without resorting to some SUID trickery, which might bring about its own set of other potential problems). The reason is that the script interpreter itself would always need to be able to read the source.

    You can however have execute-only binary executables, which could provide low/moderate protection with respect to hiding sensitive information embedded in the code (in particular, when combined with obfuscation). I.e., the 'x' bit would be the only bit allowed for the intended users (e.g. -r-x--x--x or ---x--x--x), and the binary would be owned by someone else, so read-access is not possible for 'normal' users.

    IOW, if you don't want people to pry on sensitive data, you could in principle wrap the script into a binary with its own embedded Perl interpreter (and with the script source embedded in the binary as well). Or create an XS module that you statically link with the Perl binary, which you then set execute-only...

    BUT, don't be fooled into thinking this would be secure! It's not, it's just making things more difficult, depending on how well the users know the system. For example, one way to compromise the protection would be to have the binary load some modified shared library (e.g. the ubiquitous libc.so) via LD_LIBRARY_PATH, which then dumps the program image, or some such. You could of course counter that by static linking, but it shouldn't be too hard to come up with other ways...  (feel free to discuss, if you know of any)

Re: Need help hiding a password
by zentara (Cardinal) on Mar 14, 2008 at 17:18 UTC
    You might like to look at the way I obscure the password and key in Tk Virtual Keyboard Example. One is CBC-blowfish encrypted, then base64-encoded so it can be included in the script. Another thing is to put your password as a series of hex numbers, then combine them when needed.

    Of course, any decent programmer will be able to get the keys out, but a casual office worker will be stymied. And you can remove the Tk stuff and run it from a commandline. The subs that do the obscuring/deobscuring are included.


    I'm not really a human, but I play one on earth. Cogito ergo sum a bum
      zentara, Thanks a bunch. This is exactly what I was looking for, implemented and working well!!
Re: Need help hiding a password
by johngg (Canon) on Mar 14, 2008 at 15:00 UTC
    Have a look at Term::ReadKey.

    Cheers,

    JohnGG

    Update: Looks like I may have misunderstood the question. I thought the requirement was to stop the password being echoed, not to hide it in the script. To do that (in a *nix environment) I'd place the password in a file owned by the process with rwx------ permissions under a directory with the same ownership and permissions so others couldn't browse, then read the file in the script.
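    A Perl sketch of johngg's file-based approach, added here and not taken from the thread: the script reads the password from a private file and refuses to run if the file or its directory is readable by anyone other than the owning account. The path under $HOME is an assumption, as is the premise that the script runs as the account that owns the file (which johngg's scheme implies).

```perl
#!/usr/bin/perl
# Added example (not from the thread): read a telnet password from a
# private file instead of embedding it in the script, refusing to run
# if the file or its directory is exposed to group/other.
use strict;
use warnings;
use File::Basename qw(dirname);
use Fcntl ':mode';

# Die unless $path is a non-symlink regular file (or directory when
# $want_dir is true), owned by the real uid, with no group/other bits.
sub check_private {
    my ($path, $want_dir) = @_;
    my @st = lstat($path) or die "cannot stat $path: $!\n";
    my $mode = $st[2];
    die "$path is a symlink\n"   if S_ISLNK($mode);
    die "$path has wrong type\n" if $want_dir ? !S_ISDIR($mode) : !S_ISREG($mode);
    die "$path is not owned by uid $<\n" if $st[4] != $<;
    die sprintf("%s is accessible to others (mode %04o)\n", $path, $mode & 07777)
        if $mode & 077;
    return 1;
}

# Check the directory first (so others cannot browse), then the file,
# then read the single-line password.
sub read_password {
    my ($file) = @_;
    check_private(dirname($file), 1);
    check_private($file, 0);
    open my $fh, '<', $file or die "cannot open $file: $!\n";
    my $password = <$fh>;
    close $fh;
    die "$file is empty\n" unless defined $password;
    chomp $password;
    return $password;
}

# Assumed location; create it with something like
#   mkdir -m 700 ~/.telnet-secret && (umask 077; editor ~/.telnet-secret/password)
my $file     = "$ENV{HOME}/.telnet-secret/password";
my $password = read_password($file);
# ... hand $password to the telnet session here rather than hard-coding it
```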

Re: Need help hiding a password
by jason_f (Initiate) on Mar 14, 2008 at 18:02 UTC
    Thanks to all for the replies. I had thought about somehow making a file with read-only permissions to the script but didn't know how to go about doing that.. I'll look into the Tk option as well. I wish ssh was an option.. unfortunately we only use telnet... the server is pretty secure and only about 5 people will have access, none of them ever logged into a linux machine before so I'm not thinking any of them are going to be haxx0ring the box =).. just trying to take reasonable precautions.. thanks again