Discussion:
password on command line, or other options?
Michael W. Lucas
2006-01-30 17:10:39 UTC
Hi,

I have a client who is using rsh with ciscoconf
(http://sourceforge.net/project/showfiles.php?group_id=25401&package_id=31646)
on FreeBSD to create and keep RCS logs of his router and switch
configurations.

I'd like to replace rsh with ssh.

Ciscoconfd will let me execute an arbitrary configuration-retrieval
program instead of rsh. The trick is, how to get ssh to work
non-interactively with a Cisco device. It seems that Cisco won't
support an authorized_keys mechanism for a user, so I have to somehow
get a Unix-ish SSH client that will support using a password on the
command line.

Any suggestions out there? Surely someone has already done this?

Thanks,
==ml
--
Michael W. Lucas ***@FreeBSD.org, ***@BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/

"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur
g***@l.route666.net
2006-01-31 15:34:55 UTC
Hi
Here is something that seems to work.
You need 2 scripts: a .sh and a .pl (perl and shell).
$ cat echo_pass
#!/bin/sh

echo p4ssword
$ chmod a+rx echo_pass
$ cat setsid.pl
#!/usr/bin/perl

use POSIX qw(setsid);
# Child starts a new session (no controlling tty) so ssh falls back to SSH_ASKPASS.
if (fork()) { wait; } else { setsid; exec {$ARGV[0]} @ARGV; }
$ chmod a+rx setsid.pl
$ DISPLAY=y SSH_ASKPASS=./echo_pass ./setsid.pl ssh ***@host

ssh should use echo_pass when it is prompted for a password.

catam
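A variant of the SSH_ASKPASS approach in the post above, as an added example that is not part of the original thread: the helper reads the password from a separate file and the wrapper refuses to run unless that file is private to the caller, so no password sits in a script made readable with `chmod a+rx`. The function names, the `fetch.sh` name and the `show running-config` command are assumptions; `./setsid.pl` is the script from the post.

```shell
#!/bin/sh
# Added example, not from the thread. File names are hypothetical.

# Succeed only if $1 is a regular file owned by the caller with mode 600 or 400.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    [ -O "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Write an askpass helper ($1) that prints the first line of the secret
# file ($2). The helper itself contains no password.
# Assumes $2 contains no single quotes.
write_askpass() {
    cat > "$1" <<EOF
#!/bin/sh
exec head -n 1 '$2'
EOF
    chmod 700 "$1"
}

# Run ssh without a controlling terminal so it asks the helper for the
# password, as in the post. $1 = user@device, $2 = helper, $3 = secret file.
fetch_config() {
    if ! secret_perms_ok "$3"; then
        echo "refusing: $3 must be yours and mode 600 or 400" >&2
        return 1
    fi
    DISPLAY=none SSH_ASKPASS="$2" ./setsid.pl ssh \
        -o NumberOfPasswordPrompts=1 "$1" 'show running-config' </dev/null
}

# Script entry point: ./fetch.sh user@device /path/to/secret
if [ "$#" -eq 2 ]; then
    helper=$(mktemp) || exit 1
    trap 'rm -f "$helper"' EXIT
    write_askpass "$helper" "$2"
    fetch_config "$1" "$helper" "$2"
fi
```

The password never appears in the process arguments; it remains in cleartext on disk, but readable only by the account that runs the collection job.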
Michael W. Lucas
2006-02-02 16:19:18 UTC
Probably using an expect script would help with that. The problem still
arises that the password would still be stored in cleartext.
Expect... wow, that's a blast from the past.

Thanks for the suggestion. I know it's not ideal, but it's better
than rsh.

==ml
Giancarlo Paolillo
2006-02-02 20:46:24 UTC
Expect will definitely help but if you're more familiar with python, it
comes with an expect-like module...

http://sourceforge.net/projects/pexpect/

Giancarlo
-----Original Message-----
From: Michael W. Lucas [mailto:***@blackhelicopters.org]
Sent: Wednesday, February 01, 2006 9:31 PM
To: Chester Enright
Cc: Michael W. Lucas; ***@securityfocus.com
Subject: Re: password on command line, or other options?
Probably using an expect script would help with that. The problem still
arises that the password would still be stored in cleartext.
Expect... wow, that's a blast from the past.

Thanks for the suggestion. I know it's not ideal, but it's better
than rsh.

==ml
Hytham Abu-Safieh
2006-02-05 10:40:25 UTC
I didn't read what the user required exactly to begin with, but in expect
you do not necessarily need to store the password in clear text as the
interact command built in allows you to take control over where you specify.
Of course, this takes away from the initial intent to fully automate tasks.

Very small, easy example (I use this to quickly gather stats from various
security devices):

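#!/usr/bin/expect --

# Target device is the first command-line argument.
set i [lindex $argv 0]
stty echo
set timeout 2

# The spawn and "expect {" lines are absent from the archived post;
# an ssh session to $i is assumed here.
spawn ssh $i
expect {
    "(yes/no)?" { send "yes\r"; exp_continue }
    "Password:" { interact "x" return }
}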

The example above turns the control over to the user, but when the letter
"x" is input, the control is returned back to expect to complete the script.

-H

-----Original Message-----
From: Giancarlo Paolillo [mailto:***@earthlink.net]
Sent: Thursday, February 02, 2006 10:29 AM
To: 'Michael W. Lucas'; 'Chester Enright'
Cc: ***@securityfocus.com
Subject: RE: password on command line, or other options?

Expect will definitely help but if you're more familiar with python, it
comes with an expect-like module...

http://sourceforge.net/projects/pexpect/

Giancarlo