
Passwords are in plain text file. How to use them in linux expect script?

I want to ssh to a remote server using an expect script. Passwords are stored in plain text. I want to send the password read from the text file. It is working fine in all other cases except where the password contains special characters like $ etc. Using ssh keys is not an option now. Hence, how can I make the password string acceptable before sending it to a remote server? It is to be done within the expect script.

To read a value from a plain text file that is stored in a file like this:

# Here is a comment
Password: hunter2
# Here might be some other random stuff

Use something like this:

set f [open ~/securedDirectory/theFile.txt]
while {[gets $f line] >= 0} {
    if {[regexp {^Password: (.*)$} $line -> password]} {
        break
    }
}
close $f

In the simplest case, you could just do set password [gets $f] but that would require that the password be the first entire line of the file. That's usually a poor configuration file! Instead, when parsing text files it is best to define a simple format and use that.

You then can use the password with:

send "$password\r"

at the right point. You should not need any extra quoting than that.


Be aware that storing passwords in files is inherently insecure. (Not quite as bad as passing them with command line arguments or environment variables, but still not good.) Make sure you take steps to keep the file and the directory it contains as protected from outside interference as possible (turning off access by other users, etc.) Storing them encrypted in a file where the script can decrypt it when needed is an option, but not as secure as you might think as you have to have the code to do the decryption available where it can be read. (This can be mitigated by making the script itself only readable by you, but then having an external file holding the password is no longer a big win.)

Using an SSH key is far better in practice.
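The file-reading loop from the answer above, combined with a check that the password file is not accessible to other users, as an added example that is not part of the original answer. The proc name read_password, the file demo-secret.txt and the sample password are constructed for illustration; the script runs under tclsh or expect.

```tcl
# Added example: return the "Password:" value only if the file is private.
proc read_password {path} {
    # st(mode) holds the numeric mode; 0o077 selects the group/other bits.
    file stat $path st
    if {$st(mode) & 0o077} {
        error "$path is accessible by group/others; refusing to read it"
    }
    set f [open $path r]
    set found 0
    while {[gets $f line] >= 0} {
        if {[regexp {^Password: (.*)$} $line -> password]} {
            set found 1
            break
        }
    }
    close $f
    if {!$found} { error "no Password: line in $path" }
    return $password
}

# Constructed sample file, created with mode 0600. The sample password
# contains characters Tcl treats as special ($, [], backslash, quote).
set expected {-p$HOME[exit]\n"x}
set path [file join [pwd] demo-secret.txt]
set f [open $path {WRONLY CREAT TRUNC} 0o600]
puts $f "# Here is a comment"
puts $f "Password: $expected"
close $f

# A group/world-readable file is rejected.
file attributes $path -permissions rw-r--r--
if {[catch {read_password $path} msg]} { puts "rejected: $msg" }

# With private permissions the value comes back byte for byte: Tcl
# substitutes $password once and never rescans the resulting string.
file attributes $path -permissions rw-------
set password [read_password $path]
if {$password eq $expected} { puts "round-trip ok" } else { puts "mismatch" }

# In the expect script, once the password prompt has been matched:
#   send -- "$password\r"
# "--" ends option parsing, so a password that begins with "-" is sent as data.
file delete $path
```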

Storing passwords in text files is not a good idea. They are not even stored on the server. Storing them on the client is extremely vulnerable.

If you are using ssh to login, you may use a range of other techniques:

  1. Login using an authorized private key with an empty passphrase. This is a security weakness of course, if anyone reaches the private key he can do the same. Good thing is that you can limit the use of the key to run only certain commands on the remote server.

  2. Use ssh-agent. This way you only enter the password once in a shell session, and subsequent calls will use it so you may call scripts without entering the password.

Both these techniques are vulnerable in the sense that if someone reaches these scripts, he can do as these scripts do, but it will never be possible to get to know your password.

You may want to start with some ssh tutorial.

Encrypt your password using openssl.

openssl enc -e -nosalt -out "OutputFilePath" -aes-256-cbc -pass pass:mySecretPass

Then decrypt the output file and pass it to your expect script at run time.

cat OutputFilePath |    openssl enc -d -nosalt  -aes-256-cbc -pass pass:mySecretPass

Using this, your password is stored encrypted in your output file, and in the script you decrypt the output file.

*This is not a proper way, because the key (mySecretPass) to decrypt your encrypted file is still stored in your script.
