I have a conf file ,say 'pass.conf' ,which is storing ascii password : PASS1111.
I need to encrypt this password once and store it in a file.
I ,then need to write a script which would read this encrypted password and decrypts it.The o/p o this script shud be this decrypted password ,which i would get it set in an expect script.
I need some guidance on it as i am not exactly clear how to do it.
I know how to set password in expect script using 'exec'.
A password that's encrypted in a recoverable way, and decrypted right in the program there, is not much better than a plaintext password anyway. Try sudo instead of passwords, so you don't need to build gaping security holes into your software.
You are right in general but here i have a simple design.Encrypted password stored in a file,decrypted by my script and directly passed to expect script.Its not a robust design but satisfies what i must do now.
Link helps me understand the concept but does not help my situation.I wish to write a simple-to-moderate (complex) script to decrypt the encrypted password.
Requesting everyone to advise on how can this be done.
It's not that it's simple -- it's just wrong and can't be fixed by making it more complicated. No matter how many layers of encryption you paste on, anyone who sees your program can get the password at will. Just 'chmod -r' would be a lot more secure than this rube goldberg machine.
If you just want to hide the password from grepping, you could put it through base64...
# hackers don't read this file pretty please with sugar on top
MYPASSWORD=`echo "YWxqYWYK" | openssl base64 -d`
openssl has lots of ciphers, so I could make this more complicated, but the problem remains: anyone who views the file is handed the code to crack your password library on a silver platter. This scheme is not and cannot be secure. If I knew your actual goal in this, I could help you find ways with security beyond the illusory...
I was going to suggest that second approach, as Corona688 stated - better avoid encrypt/decrypt process, but rather cut down the rights on that machine, in terms of root access, make the file exclusively locked, and keep the password in plain text. Then, whenever a password has to be read by the expect script, chmod the file, temporarily, the script will parse the password, and then lock the file again. Unfortunately, expect/TCL doesn't bring much into security, its first purpose was to be convenient for automation, both local and remote, thus avoiding user interactions. I have a few very handy expect scripts available, but only on test machines with limited access - both virtual and physical.
We don't have enough information to help you. We at least need to know what you're feeding this password to, and perhaps your actual goal. This is important since we don't know what authentication methods are even available with what you're logging into.
