LinuxQuestions.org
Old 09-08-2016, 07:38 AM   #1
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Rep: Reputation: Disabled
Question Bash script, appropriate variable to store password


Hello,

I have a script that connects to remote devices using ssh; the script knows my username, but always asks my password.

I want the script to ask it once, put it in a variable only accessible by my user and I want the variable to remain so that it would be recognized every time I call the script.

If my session ends, I want the variable to be reset.

Is there such variable? If so, how do I call it in my script?
 
Old 09-08-2016, 07:53 AM   #2
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,552

Rep: Reputation: 872
ssh authentication by key not possible?
 
Old 09-08-2016, 08:10 AM   #3
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
ssh always opens /dev/tty to get the password. That way it can't be spoofed.

Embedding passwords in a script is VERY insecure. There is no safe way to prevent the password from being exposed and still have the script usable.

You can use a convoluted instance of the expect tool - but the password will still be exposed.

Last edited by jpollard; 09-08-2016 at 08:11 AM.
 
Old 09-08-2016, 08:24 AM   #4
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
I don't manage the distant servers, I have to use usernames provided.

I only embed the usernames in my script, written on the HDD, that's why I want to store the password in a variable in RAM (and be asked the passwords every time I log in, but not every time I use the script).

An example would be:
-I'm in my linux session
-I start the script to connect to cisco switch A
-I start the script to connect to cisco switch B
-I start the script to connect to cisco router X
-I start the script to connect to server Y

The script knows my different usernames and chooses the appropriate ones according to the device type. It would be nice to find a secure way to also store the passwords at the beginning of a user session in linux.
 
Old 09-08-2016, 10:23 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by s-h-a-w-n View Post
the script knows my username, but always asks my password.
So, the script asks for your password in the script and then, after attempting the connection to the remote host, asks again?
Quote:
Originally Posted by s-h-a-w-n View Post
I have to use usernames provided.
Sanitize and Post the script. Stop wasting time.

Last edited by Habitual; 09-08-2016 at 10:27 AM.
 
Old 09-08-2016, 11:04 AM   #7
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Script made by a colleague; I simplified it to the bare minimum before publication. It only knows my usernames (written in the script on the HDD), not my passwords:

Code:
[...]

USER_Router="shawn_router"
USER_Switch="shawn_switch"
USER_Server="shawn_server"

[...]

case $HOSTNAME in
#       router*)      LOGIN=$USER_Router ;;
        switch*)      LOGIN=$USER_Switch ;;
        server*)      LOGIN=$USER_Server ;;
        *) 

[...]

CMD="ssh -o StrictHostKeyChecking=no $LOGIN@$IP"

[...]
 
Old 09-08-2016, 11:28 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,306
Blog Entries: 3

Rep: Reputation: 3720
ssh_config

Quote:
Originally Posted by s-h-a-w-n View Post
The script knows my different usernames and choose the appropriate ones according to the device type. It would be nice to find a secure way to also store the passwords at the beginning of a user session in linux.
Again, the safe way to do that would be to use keys and then load the keys into your agent. With an agent, you will enter the private key's passphrase once per desktop session. As far as I know, all major desktops now have an agent running for you by default. And unless things are weird there on the server, you don't need any special modifications to the remote system to use keys. Just stock the remote file authorized_keys appropriately with the right public key. Lots of tutorials exist to get you there.

Instead of a script, the custom shortcuts can be put in your SSH client's configuration file ~/.ssh/config which is what it's for. The configuration includes specifying unique keys and unique usernames for the different remote hosts. A guess would be something like this:

Code:
Host router
        HostName router.example.com
        User shawn_router
        IdentitiesOnly yes
        IdentityFile /home/shawn/.ssh/rsa_router_key

Host switcha
        HostName switcha.example.com
        User shawn_switcha
        IdentitiesOnly yes
        IdentityFile /home/shawn/.ssh/rsa_switcha_key

Host switchb
        HostName switchb.example.com
        User shawn_switchb
        IdentitiesOnly yes
        IdentityFile /home/shawn/.ssh/rsa_switchb_key

Host server
        HostName server.example.com
        User shawn_server
        IdentitiesOnly yes
        IdentityFile /home/shawn/.ssh/rsa_server_key
See the manual page for "ssh_config" for the details of what your options are and what they do. The utility "ssh-keygen" will get you the keys you need. Be sure to look at the options -f and -C in the manual page.

With the right keys and the shortcut in ~/.ssh/config you would be able to access server.example.com just by typing ssh server, for example, and the right key, user name, and address would be used.

( I've left out the StrictHostKeyChecking=no part because that is sketchy and leaves you potentially vulnerable to MitM. What problem are you trying to solve with it? I am fairly sure there is another way around it. )

Last edited by Turbocapitalist; 09-08-2016 at 11:35 AM.
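An added example, not code from the thread: the per-device-type selection the OP's case statement does (hostname prefix chooses the user) expressed as ssh_config Host patterns, so one block per device class covers thousands of devices without one entry each. User names, key paths and host names are assumptions; the awk helper only approximates ssh's first-match rule so the file can be checked without an ssh binary.

```shell
#!/bin/sh
# Added example: build an ssh_config mapping hostname-prefix patterns to a
# remote user and a per-class private key. Names/paths are assumed values.
set -eu

# gen_ssh_config OUTFILE -- write pattern-based Host blocks to OUTFILE.
# ssh_config Host patterns accept '*'; the first matching block wins for
# each option, so the most specific patterns should come first.
gen_ssh_config() {
    out="$1"
    : > "$out"
    printf '%s\n' \
        'router* shawn_router ~/.ssh/router_key' \
        'switch* shawn_switch ~/.ssh/switch_key' \
        'server* shawn_server ~/.ssh/server_key' |
    while read -r pattern user key; do
        cat >> "$out" <<EOF
Host $pattern
    User $user
    IdentitiesOnly yes
    IdentityFile $key
# StrictHostKeyChecking deliberately left at its default: turning it off
# discards the host-key check that protects against a MitM.

EOF
    done
}

# resolved_user CONFIG HOST -- the user ssh itself would use for HOST.
# ssh -G prints the effective config without connecting (OpenSSH 6.8+).
resolved_user() {
    ssh -G -F "$1" "$2" | awk '$1 == "user" { print $2 }'
}

# config_user CONFIG HOST -- pure-shell approximation of the first-match
# rule, so the generated file can be checked where ssh is not installed.
config_user() {
    awk -v host="$2" '
        $1 == "Host" { pat = $2; gsub(/\*/, ".*", pat); hit = (host ~ "^" pat "$") }
        $1 == "User" && hit && !found { print $2; found = 1 }
    ' "$1"
}

if [ "${1:-}" = "demo" ]; then
    cfg=$(mktemp)
    gen_ssh_config "$cfg"
    config_user "$cfg" switch-b42
    command -v ssh >/dev/null && resolved_user "$cfg" switch-b42
    rm -f "$cfg"
fi
```

With the private keys loaded into ssh-agent once per session, `ssh switch-b42` then picks the user and key from this file and prompts for nothing.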
 
Old 09-08-2016, 01:37 PM   #9
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
I am trying to understand what you say, but I am not familiar with the KEYs. I have to assume that you are asking me to get some keys for every device and put them in a directory on my linux client.

The script exists because I have thousands of devices to navigate into, I need a centralized solution.

Most of them are Cisco IOS devices, not openssh; I can't mess with the router and switch configs (I could, but not on a large scale).

I don't know if that makes sense, but I am trying to adapt to the tools that have been given to me and make my life easier.
 
Old 09-08-2016, 01:44 PM   #10
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Cisco supports the use of openssh and the use of keys. ssh is used a LOT for secure connections without using passwords.

http://www.cisco.com/c/en/us/support.../4145-ssh.html
 
Old 09-08-2016, 01:59 PM   #11
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Ok, sure, but do I have to change the Cisco device's configs?
-Yes
Then I should not make changes to thousands of configs, I am not allowed.
-No
Then I am interested but:

Do I have to copy a key from each of the thousands of devices to my linux client?
-no
Then could you tell me the exact name of this process so that I could search about the subject on google?
-Yes
Then, I am looking for a centralized management system, just like opening a SSH session with my username and password (the devices use tacacs)

Could you help me find a way to ask the password only once during the course of a user's session?
Thank you
 
Old 09-08-2016, 02:05 PM   #12
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,306
Blog Entries: 3

Rep: Reputation: 3720
Quote:
Originally Posted by s-h-a-w-n View Post
I am trying to understand what you say, but I am not familiar with the KEYs. I have to assume that you are asking me to get some keys for every device and put them in a directory on my linux client.
Yes. The public keys go on the remote device, the private keys go into a directory on your linux client.

Quote:
Originally Posted by s-h-a-w-n View Post
The script exists because I have thousands of devices to navigate into, I need a centralized solution.

Most of them are Cisco IOS devices, not openssh; I can't mess with the router and switch configs (I could, but not on a large scale).
I've been able to avoid Cisco all these years but it does look like even they can do keys. That link and that of jpollard point to that ability even with Cisco.

Quote:
Originally Posted by s-h-a-w-n View Post
I don't know if that makes sense, but I am trying to adapt to the tools that have been given to me and make my life easier.
It does but it is more common to offload as much onto the SSH client as possible. The configuration file (~/.ssh/config) can take care of the shortcuts, such as associating a custom user name with a particular remote device. The remaining questions are about whether you can use keys for authentication.

If you do the password approach (I think not recommended by anyone here), a barrier is that OpenSSH doesn't read the password from stdin. You'd have to use the utility "expect" or else try a kludge with a shell script and using the $SSH_ASKPASS variable to access that script. But I'd recommend very highly seeing if you can get keys going on the devices.
 
Old 09-08-2016, 02:41 PM   #13
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Ok, this is a clear answer, thank you.

So, the only option is to collect the private keys of all the hundreds of cisco devices individually and store a copy in my client... that's not practical.
Besides, I cannot create local users; I still need to authenticate through a tacacs server managed by the security team, so I guess that makes it impossible.

I have seen that in another forum, what do you think?:
Code:
#!/usr/bin/expect

spawn ssh MyUserName@192.168.20.20
expect "password"
send "MyPassword\r"
interact
 
Old 09-08-2016, 02:56 PM   #14
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,306
Blog Entries: 3

Rep: Reputation: 3720
Quote:
Originally Posted by s-h-a-w-n View Post
Ok, this is a clear answer, thank you.

So, the only option is to collect the private keys of all the hundreds of cisco devices individually and store a copy in my client... that's not practical.
Besides, I cannot create local users; I still need to authenticate through a tacacs server managed by the security team, so I guess that makes it impossible.
Using keys would work with the existing users and not necessitate the creation of local users. If the remote user is different from the local user, then you can set the User option in the configuration file to whatever the remote system needs. See the example earlier above.

Quote:
Originally Posted by s-h-a-w-n View Post
I have seen that in another forum, what do you think?:
Code:
#!/usr/bin/expect

spawn ssh MyUserName@192.168.20.20
expect "password"
send "MyPassword\r"
interact
That is the "expect" utility.
 
Old 09-08-2016, 05:38 PM   #15
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Quote:
Originally Posted by s-h-a-w-n View Post
Ok, this is a clear answer, thank you.

So, the only option is to collect the private keys of all the hundreds of cisco devices individually and store a copy in my client... that's not practical.
NOT the private keys. The public keys. YOUR public key goes on the Cisco.
Quote:
Besides, I cannot create local users; I still need to authenticate through a tacacs server managed by the security team, so I guess that makes it impossible.

I have seen that in another forum, what do you think?:
Code:
#!/usr/bin/expect

spawn ssh MyUserName@192.168.20.20
expect "password"
send "MyPassword\r"
interact
Only if your "security team" will allow you to put all your passwords in cleartext...

It is a MOST insecure setup.

Last edited by jpollard; 09-08-2016 at 05:39 PM.
 