mike909
11-01-2011 06:42 PM
expect script using gpg decrypted file as variable
I'm trying to automate a login to a device (which does not accept key authentication), using expect, but keeping it secure by encrypting my password with the seahorse (or gpg) agent.
"gpg --decrypt --quiet --batch my_file" sends the decrypted file's contents, in this case my password, to stdout. So I need to have an expect script that basically does the following:
1. expects to see: Password
2. uses the output of "gpg --decrypt" as a variable
3. sends that variable and hits enter, to complete the log in.
This would give me automated log-in, without storing my password in cleartext.
Here is what I have so far (note: expect -d for debugging output) for testing logging in to localhost with a test user/pass:
Code:
#!/usr/bin/expect -d
set prompt "$ " ;# our shell or whatever prompt we have
set command "gpg --decrypt --quiet --batch /home/mike/bla.pgp"
spawn bash ;# spawn the bash
expect "$prompt" ;# wait for prompt
send "$command\r" ;# send command
expect "$command\r" ;# discard command echo
expect -re "(.*)\r" ;# match and save the result
set password "$command"
spawn ssh test@127.0.0.1
sleep 1
expect "password: "
sleep 1
send "$password\n"
interact
And here are the results of the script:
Quote:
mike@mike-ubu-test:~$ ./test.sh
expect version 5.44.1.15
argv[0] = /usr/bin/expect argv[1] = -d argv[2] = ./test.sh
set argc 0
set argv0 "./test.sh"
set argv ""
executing commands from command file ./test.sh
spawn bash
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {9932}
expect: does "" (spawn_id exp6) match glob pattern "$ "? no
mike@mike-ubu-test:~$
expect: does "\u001b]0;mike@mike-ubu-test: ~\u0007mike@mike-ubu-test:~$ " (spawn_id exp6) match glob pattern "$ "? yes
expect: set expect_out(0,string) "$ "
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\u001b]0;mike@mike-ubu-test: ~\u0007mike@mike-ubu-test:~$ "
send: sending "gpg --decrypt --quiet --batch /home/mike/bla.pgp\r" to { exp6 }
expect: does "" (spawn_id exp6) match glob pattern "gpg --decrypt --quiet --batch /home/mike/bla.pgp\r"? no
gpg --decrypt --quiet --batch /home/mike/bla.pgp
expect: does "gpg --decrypt --quiet --batch /home/mike/bla.pgp\r\n" (spawn_id exp6) match glob pattern "gpg --decrypt --quiet --batch /home/mike/bla.pgp\r"? yes
expect: set expect_out(0,string) "gpg --decrypt --quiet --batch /home/mike/bla.pgp\r"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "gpg --decrypt --quiet --batch /home/mike/bla.pgp\r"
'. Activating booster.rn for '(.*)
expect: does "\n" (spawn_id exp6) match regular expression "(.*)\r"? Gate "*\r"? gate=no
test
mike@mike-ubu-test:~$
expect: does "\ntest\r\n\u001b]0;mike@mike-ubu-test: ~\u0007mike@mike-ubu-test:~$ " (spawn_id exp6) match regular expression "(.*)\r"? Gate "*\r"? gate=yes re=yes
expect: set expect_out(0,string) "\ntest\r"
expect: set expect_out(1,string) "\ntest"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\ntest\r"
spawn ssh test@127.0.0.1
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {9953}
expect: does "" (spawn_id exp7) match glob pattern "password: "? no
test@127.0.0.1's password:
expect: does "test@127.0.0.1's password: " (spawn_id exp7) match glob pattern "password: "? yes
expect: set expect_out(0,string) "password: "
expect: set expect_out(spawn_id) "exp7"
expect: set expect_out(buffer) "test@127.0.0.1's password: "
send: sending "gpg --decrypt --quiet --batch /home/mike/bla.pgp\n" to { exp7 }
tty_raw_noecho: was raw = 0 echo = 1
spawn id exp7 sent <\r\n>
spawn id exp7 sent <Permission denied, please try again.\r\r\ntest@127.0.0.1's password: >
Permission denied, please try again.
test@127.0.0.1's password: spawn id exp0 sent <\r>
spawn id exp7 sent <\r\nPermission denied, please try again.\r\r\ntest@127.0.0.1's password: >
Permission denied, please try again.
test@127.0.0.1's password: spawn id exp0 sent <\r>
spawn id exp7 sent <\r\nPermission denied (publickey,password).\r\r\n>
Permission denied (publickey,password).
interact: received eof from spawn_id exp7
tty_set: raw = 0, echo = 1
tty_set: raw = 5, echo = 0
Expect is sending output to the prompt, just not the contents of the decrypted file (bla.pgp).
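
One way to get the decrypted password into an expect variable, as an added example that is not part of the original post: Tcl's `exec` returns gpg's stdout directly, so there is no need to spawn bash and scrape its echo (the script above sends the command text because of `set password "$command"`). The file path and login target are the ones from the post; it assumes a running gpg/seahorse agent can unlock the key non-interactively.

```tcl
#!/usr/bin/expect -f
# Added example, not the original poster's script.
# Run without -d: expect's debug output prints every "send:" string,
# which would put the decrypted password on the terminal or in a log.

set secret_file "/home/mike/bla.pgp"   ;# path taken from the post
set target      "test@127.0.0.1"       ;# login target taken from the post

# exec captures gpg's stdout and strips the trailing newline.
# 2>@stderr passes gpg's diagnostics through; without a stderr redirect,
# Tcl's exec treats anything written to stderr as a failure.
# catch returns non-zero when gpg exits with an error status.
if {[catch {exec gpg --decrypt --quiet --batch $secret_file 2>@stderr} password]} {
    puts stderr "gpg could not decrypt $secret_file"
    exit 1
}
if {$password eq ""} {
    puts stderr "decrypted file is empty"
    exit 1
}

set timeout 20
spawn ssh $target
expect {
    "(yes/no" {
        # Do not auto-accept an unknown host key from a script.
        puts stderr "unknown host key: verify it manually, then rerun"
        exit 1
    }
    -re {[Pp]assword: $} {
        # "--" keeps a password that starts with "-" from being read as a flag.
        send -- "$password\r"
    }
    timeout {
        puts stderr "no password prompt within $timeout seconds"
        exit 1
    }
    eof {
        puts stderr "ssh exited before asking for a password"
        exit 1
    }
}

# Drop the variable once it has been sent. Tcl does not guarantee the
# underlying memory is wiped; this only removes the script's reference.
unset password
interact
```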