PerlMonks  

Sending encrypted passwords via Telnet

by theroninwins (Friar)
on Oct 04, 2004 at 14:01 UTC (#396236)

theroninwins has asked for the wisdom of the Perl Monks concerning the following question:

OK, I have read some nodes about this subject but there is nothing that really covers this.
I have a script that runs telnet and then logs on using the username and password. My problem is that the password is written there in plain. How can I change it so that there is the encrypted password in the script?
The prob is I cannot use a config-file or a prompt because it is a "daemon"-script.
This is the login send:
    @lines = $t->open($ip);
    $ok1 = $t->login("admin", "enter");

Thanks for the help!
Ronin

Replies are listed 'Best First'.
Re: Sending encrypted passwords via Telnet
by Zaxo (Archbishop) on Oct 04, 2004 at 14:13 UTC

    The greater risk is in sending passwords over the line en clair, which is one reason telnet is avoided these days where security matters. Ssh (and ssl generally) is to be preferred. Version 2 ssh allows automatic login based on stored keys.

    After Compline,
    Zaxo

Re: Sending encrypted passwords via Telnet
by neilwatson (Priest) on Oct 04, 2004 at 15:16 UTC
Re: Sending encrypted passwords via Telnet
by skx (Parson) on Oct 04, 2004 at 14:08 UTC

    If you want to login to a host via telnet you need to have the plain text password to send.

    Maybe the best way to go is to store the password in a file in the user's home directory, like ~/.password - where this can be protected by the filesystem permissions.

    This avoids the effort of using encryption in a bad way, and protects you against everybody but the superuser who could read the file if they wished.

    Steve
    ---
    steve.org.uk
Re: Sending encrypted passwords via Telnet
by pelagic (Priest) on Oct 04, 2004 at 14:11 UTC
    Just use ssh instead of plain telnet.

    Update
    as an answer to skx and theroninwins: of course there are situations where ssh is not an option but the OP didn't state this fact ...

    pelagic

      Sometimes using ssh isn't an option.

      For example I maintain a phone system, which only accepts administrative commands via telnet. Whilst I could pay for an improved model with ssh access that's not within my budget, and installing a tiny ssh server isn't practical either, due to the constraints of the system.

      Steve
      ---
      steve.org.uk
      Well I have to access Cisco Routers and that IOS still doesn't have ssh
Re: Sending encrypted passwords via Telnet
by superfrink (Curate) on Oct 05, 2004 at 03:57 UTC
    Even if you encrypted the password in your script or in a file that your script reads the script still has to be able to get the plain text from the encrypted version. (Because it has to send the plain text across the wire.) Now of course to decrypt you need the key (or pass-phrase, etc). Next we note that if the script can read the key to the encrypted text then you may as well have left the plain text password out where you left the key. It's not a fun problem.

    Apache used to (probably still does) support SSL keys that were encrypted. The catch was you needed to be at a keyboard to type in the password to decrypt the keys before apache would start and run sites with those keys. Now of course you don't want to do that. (Neither did I so all my keys have no password on them. I don't worry because only "root" can read them and if someone has root on one of those servers I have bigger issues.) Since you did call the program a daemon you could do it this way and your password / key never gets stored on the disk. (Unless the RAM that holds the password gets swapped out to disk.) Now if you are looking at a "cron" job then this won't work.

    skx got it right on in 396238 by saying you have to put the password in a file that no one else on the system should be able to read. Unless you have "root" and no one else has that sort of access on the machine then you've got quite a challenge ahead.

    Also backups of your home directory will have the password in them too so hope your admin keeps those safe. (I have mentioned this before and would like to say it sounds paranoid but it happens that backups are not protected sometimes. "Here's the backup disk. Just copy your files off it and bring it back to me.")

    Oh and since we are talking about passwords on the system. If your command line for a cron job has a password and the job generates any output (including a system error) the whole command line gets emailed to you in plain text.

    PS: This was all assuming a *NIX background. I can't comment on anything else with any authority.
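
The permission-protected password file that skx suggests and superfrink endorses, as an added example that is not code from any poster in this thread: the script refuses the file unless it is a regular file owned by the running user with no group or other access. The helper name read_secret, the temporary file and the sample password are constructed for the demonstration; in the daemon the path would be skx's ~/.password.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Hypothetical helper: return the first line of $path, but only if the file
# is a regular file, owned by the effective user, with no group/other bits.
sub read_secret {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    # stat the open handle, not the path, so the file cannot be swapped
    # between the check and the read
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is not owned by uid $>\n" unless $uid == $>;
    die sprintf("%s has mode %04o, expected 0600 or stricter\n",
                $path, S_IMODE($mode))
        if S_IMODE($mode) & 0077;
    my $secret = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $secret;
    chomp $secret;
    return $secret;
}

# Constructed demonstration file standing in for ~/.password
my ($tfh, $tmp) = tempfile(UNLINK => 1);
print {$tfh} "example-secret\n";
close($tfh);

# World-readable: the helper must refuse it
chmod 0644, $tmp or die "chmod failed: $!\n";
my $got = eval { read_secret($tmp) };
print defined $got ? "unexpectedly accepted\n" : "refused: $@";

# Owner-only: the helper returns the password
chmod 0600, $tmp or die "chmod failed: $!\n";
$got = read_secret($tmp);
print "accepted\n" if $got eq 'example-secret';

# In the daemon from the question this would replace the literal password:
#   $ok1 = $t->login("admin", read_secret("$ENV{HOME}/.password"));
```

As superfrink notes, this protects the password only from other unprivileged users on the host: root and anyone holding a backup of the home directory can still read it, and telnet still sends it in clear text on the wire.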
