If this script is to be run automatically, from say cron, this is no different than 
using keys. You will have to either hard code the password in the script, use a config 
file containing the script, or pass it as an argument. In all three cases, the 
password is obviously available on the machine (in the script itself, in the config 
file, or in the crontab passed as an argument). As someone else on this list recently 
pointed out, local access == root access, given enough time.

If you will run the script by hand, this is all moot. Pass it as an argument, and grab 
it as @ARGS[0] in your Perl script.

PS - if you want to use expect, I suspect it would be available in a Perl module on 
CPAN. (www.cpan.org)

-Tyler
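
Added example (not part of the original message): the three places named above where the password can live (script, config file, cron argument), checked for what another local account can read. The file names, the secret and the helper names are constructed for illustration; the process check assumes Linux /proc mounted without hidepid and falls back to ps.

```python
import os, stat, subprocess, sys, tempfile

SECRET = "s3cr3t-constructed"  # constructed sample value, not a real credential

def readable_by_others(path):
    """True if group or other has read permission on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def argv_visible(secret):
    """Start a child with `secret` as an argument (as a crontab entry would)
    and look for it in the child's command line, the data ps displays."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", secret])
    try:
        proc = f"/proc/{child.pid}/cmdline"
        if os.path.exists(proc):
            with open(proc, "rb") as fh:
                return secret.encode() in fh.read().split(b"\0")
        out = subprocess.run(
            ["ps", "-ww", "-o", "args=", "-p", str(child.pid)],
            capture_output=True, text=True).stdout
        return secret in out
    finally:
        child.kill()
        child.wait()

def demo():
    """Report, per storage option, whether other local users can read it."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "push.pl")    # case 1: hard-coded in script
        config = os.path.join(d, "push.conf")  # case 2: separate config file
        for path, mode in ((script, 0o755), (config, 0o600)):
            with open(path, "w") as fh:
                fh.write(f"password={SECRET}\n")
            os.chmod(path, mode)
        results["script"] = readable_by_others(script)
        results["config"] = readable_by_others(config)
    results["argument"] = argv_visible(SECRET)  # case 3: passed on argv
    return results

if __name__ == "__main__":
    for where, exposed in demo().items():
        print(f"{where:9s} readable by other local users: {exposed}")
```

A 0600 config file keeps the password away from other unprivileged accounts only; root, or anyone who becomes root, reads all three.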

-----Original Message-----
From: Trevor Cushen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 8:35 AM
To: Andre Guimaraes
Cc: [EMAIL PROTECTED]
Subject: RE: Is SSH worth it??



This man is a god among men, I will test this and get back to you.  SSH is going in 
place if all this works out.  I'm sidetracked at the moment but will get back to it 
next week.

Thanks again to all
Trevor Cushen

P.S.

Can I ask you for a URL to more info on this expect language and its usage?  Again many 
thanks

-----Original Message-----
From: Andre Guimaraes [mailto:[EMAIL PROTECTED]] 
Sent: 08 October 2002 19:26
To: Trevor Cushen; [EMAIL PROTECTED]
Subject: RES: Is SSH worth it??


I don't like RSA without passwords because if your machine gets compromised, the attacker 
would have root access to other machines in your network. When I needed automated 
scripting using ssh and scp I used this programming language called EXPECT; Perl 
includes a module that implements the expect language. It goes something like this:

    exec ssh myhost "commands"    (could be scp myfile myhost:path)
    expect yes/no
    send yes\r
    expect assword
    send my_password

Just to make the figure.

It worked quite well, but if one host goes down and you don't include error exception it 
may get stuck in the middle of the script. Still better than keys.

-----Original Message-----
From: Trevor Cushen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 8, 2002 12:24
To: [EMAIL PROTECTED]
Subject: Is SSH worth it??


Many thanks to those that answered and all excellent answers that I will use in my 
argument to the customer. A few interesting points came up also.  Ettercap and dsniff 
were mentioned and duly noted as I have used them before and should have left out the 
part about sniffing a switched network in my question.  Another point was raised that 
the access needed to sniff should be removed first and foremost (Brad Arlt I think).  
Most definitely and it has as much as possible.  Physical security to the building 
and any access points is quite strong.  No external access connections are part of 
this segment of the network so external attacks getting in is a low possibility (but 
yes possible I suppose so can't be ruled out). I want to go SSH and have the encryption 
but the work involved is hard to justify to the customer (because the work is their 
side, as in rewrite the scripts).  The argument that Ettercap claims to break SSH must 
also be thrown into the mix here too. I could use stunnel if I just wanted 
encryption????

Here is another spanner in the works and I hope I am corrected on this because I want 
to be wrong here.

We would be using SSH and SCP.  SCP for automated scripts.  To get scripts automated 
my understanding is that the best security in this scenario is use RSA authentication 
only.  Thus no password request when I do 'scp host:file filedst'.  But then does that 
mean that my SSH client will not be prompted for a password?  In that case 
accountability is at the machine level.  If I am wrong please inform me gently as I 
have only started looking at this in earnest.  Yes I can go rhosts authentication but 
that defeats the purpose to a large degree as rhost files are what we want to get them 
away from.

I am currently installing a SCO machine, Solaris machine and NT machine to set all 
this up and emulate the site as much as possible.  I will post the final result in 
time.

Thanks again for the feedback.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499


****************************************************************************
**

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at telephone no: 
+353-1-2983000 or [EMAIL PROTECTED]

****************************************************************************
**
