----
RJ Bacon (with a Major Company providing Internet services) suggests an approach to avoiding embedded passwords in Expect scripts. Feel free to format this to be reader-friendly and improve/fix.

 * Encrypt passwords using the UNIX ''des'' encryption command (provides 56-bit encryption)
 * Use a single key for each password or file of passwords, provided by and known only to the user
 * The ''des'' key becomes the password to the program itself, and is only prompted for at startup
 * Decrypt the passwords needed, as needed, using the global variable '''key'''

'''Procedure to prompt for key''' - shameless pilfer from Mr. Libes' "Exploring Expect"

 * Takes ''pwprompt'' - ex. "Enter your password: "
 * Returns only the user input, stripped of the carriage return
 * Tip: Suggest running this proc twice and comparing the input to validate against typos
 * User password entry is not displayed when typed

 proc getpass pwprompt {
     # Turn echo off so the key is not displayed; stty returns the previous settings
     set oldmode [stty -echo -raw]
     send_user "\n $pwprompt"
     set timeout -1
     # In raw mode Enter arrives as \r, in cooked mode as \n; accept either
     expect_user -re "(.*)\[\r\n\]"
     send_user "\n"
     eval stty $oldmode
     return $expect_out(1,string)
 }

'''Procedure to encrypt device passwords'''

 * Takes ''pd'' (password list to be encrypted) and ''filename'' (name of file for the resulting encrypted password list) as input
 * Returns nothing
 * Format of the list of passwords (current and older generations by device type?) depends on how the calling program needs them - suggest separating them with the \n character for readability

 proc utility_encrypt {pd filename} {
     global key env
     # "<< $pd" feeds the password list to des on stdin; -e encrypts, -b selects ECB mode.
     # Caveat: "-k $key" places the key on the des command line, where other users
     # on the host can read it with ps for as long as des runs.
     if {[catch {exec des -e -k $key -b << $pd > $env(HOME)/pwdir/$filename} err]} {
         error "encryption of $filename failed: $err"
     }
     return
 }

'''Procedure to decrypt device passwords'''

 * Takes ''filename'' (name of password file to decrypt)
 * Returns ''dpd'' (list of passwords in plaintext)

 proc utility_decrypt filename {
     global key env
     # A wrong key does not make des fail; it silently yields garbage, so the
     # caller should sanity-check what comes back before sending it to a device.
     if {[catch {exec des -d -b -k $key < $env(HOME)/pwdir/$filename} dpd]} {
         error "decryption of $filename failed: $dpd"
     }
     return $dpd
 }

You can use utility_encrypt in a setup program, and provide functionality that allows new passwords to be added to the encrypted files as they are implemented. Let's assume the encrypted password files are organized by device type and separated with "\n". Then the mechanics of the program look something like this:

 # User launches the program to log into a Foo Systems Bar device:
 ...
 proc foo_login_proc {device_name} {
     global key sid
     set decrypted_all [utility_decrypt foo_passwords.enc]
     # One password per line: split on "\n" (not llength) so passwords
     # containing spaces survive; "<" rather than "<=" avoids the off-by-one
     set pws [split [string trimright $decrypted_all "\n"] "\n"]
     for {set i 0} {$i < [llength $pws]} {incr i} {
         set foo_pws($i) [lindex $pws $i]
     }
     # loop through the foo_pws array using exp_send/expect until login is successful...
     interact
     exit
 }
 ...
 set user [exec whoami]
 set key  [getpass "Enter password for $user: "]
 set device_name foo1.bar
 spawn -noecho telnet $device_name
 set sid($device_name) $spawn_id
 detect_device_prompt ;# expect proc that detects this is a Foo device and launches the appropriate login proc
 ...

----
Start by looking at [source protection]. Follow up by locating information about writing secure Tcl scripts. Finally, consider using interactive prompting rather than hard coding passwords ...

----
[Category Expect] | [Category Security]
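The following is an added example and is not RJ Bacon's code, nor a sample from the Expect distribution. It keeps the design described above (one key prompted for at startup, a des-encrypted store under $HOME/pwdir, one password per line) and fills in the two places where that design is weakest: the key is typed into des's own prompt from a spawned session instead of being passed as "-k $key", so it never shows up in ps, and the plaintext begins with a sentinel line so that a wrong key is reported rather than garbage being sent to a device. It also fills in the "loop through the passwords until login succeeds" step from the login sketch, bounded by the size of the store. Assumptions not taken from the page: the des command prompts with text containing "key:" when -k is omitted, and the device prompt patterns in login_with_store (Password:, "incorrect"/"denied"/"failed", a prompt ending in >, # or $).

```tcl
#!/usr/bin/expect --
# Added example (not from the page or the Expect distribution). Assumes
# "des" asks for its key with a prompt containing "key:" when -k is omitted.

set sentinel "EXPECT-PWSTORE-V1"

# Run "des $mode -b" with the given shell redirections, answering every key
# prompt with the global key. Returns what des wrote to the pty after the last
# prompt (the decrypted text when stdout is not redirected).
proc des_via_prompt {mode redirs} {
    global key
    set timeout 10
    set prompts 0
    spawn -noecho sh -c "des $mode -b $redirs"
    expect {
        -re {(?i)key:} { send -- "$key\r"; incr prompts; exp_continue }
        timeout        { error "des did not prompt for a key" }
        eof            {}
    }
    set out $expect_out(buffer)
    if {$prompts == 0 || [lindex [wait] 3] != 0} {
        error "des $mode failed"
    }
    return $out
}

# Write sentinel + passwords (one per line) to an owner-only temp file,
# encrypt it into $HOME/pwdir/$filename, then remove the plaintext.
proc store_encrypt {pwlist filename} {
    global env sentinel
    set dir [file join $env(HOME) pwdir]
    file mkdir $dir
    set tmp [file join $dir .${filename}.tmp]
    set fh [open $tmp {WRONLY CREAT TRUNC} 0600]
    puts $fh [join [linsert $pwlist 0 $sentinel] "\n"]
    close $fh
    des_via_prompt -e "< '$tmp' > '[file join $dir $filename]'"
    file delete $tmp
}

# Decrypt $HOME/pwdir/$filename in memory and return the password list,
# refusing to return anything if the sentinel is missing (wrong key).
proc store_decrypt {filename} {
    global env sentinel
    set path [file join $env(HOME) pwdir $filename]
    set text [string map [list "\r" ""] [des_via_prompt -d "< '$path'"]]
    set lines {}
    foreach line [split $text "\n"] {
        if {$line ne ""} { lappend lines $line }
    }
    if {[lindex $lines 0] ne $sentinel} {
        error "wrong key or corrupt store: $path"
    }
    return [lrange $lines 1 end]
}

# Offer the stored passwords (current generation first, then older ones) to an
# already-spawned session; returns 1 on the first accepted password, 0 once the
# list is exhausted. Attempts are bounded by the store, never more.
proc login_with_store {sid pwlist} {
    set timeout 20
    foreach pw $pwlist {
        expect -i $sid {
            -re {(?i)password: *$} {}
            timeout { error "no password prompt from device" }
            eof     { error "device closed the session" }
        }
        exp_send -i $sid -- "$pw\r"
        set accepted 0
        expect -i $sid {
            -re {(?i)(incorrect|denied|failed)} {}
            -re {[>#$] ?$}                      { set accepted 1 }
            timeout { error "no response from device" }
            eof     { error "device closed the session" }
        }
        if {$accepted} { return 1 }
    }
    return 0
}

# Usage mirroring the page's flow. Setup once (constructed sample passwords):
#   store_encrypt {current-pw previous-pw} foo_passwords.enc
set oldmode [stty -echo]
send_user "Enter key for [exec whoami]: "
expect_user -re "(.*)\n"
send_user "\n"
eval stty $oldmode
set key $expect_out(1,string)
spawn -noecho telnet foo1.bar
if {![login_with_store $spawn_id [store_decrypt foo_passwords.enc]]} {
    error "no stored password was accepted by foo1.bar"
}
interact
```

Because des_via_prompt drives des through a pty, the key travels only over that pty and the plaintext of the store exists on disk only for the moment between writing the 0600 temp file and des finishing; store_decrypt never writes plaintext at all. The sentinel check is what turns "wrong key" from silent garbage into an error before anything reaches a device.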