PerlMonks  

Password encryption

by vasanth.easyrider (Acolyte)
on Sep 26, 2018 at 07:34 UTC

vasanth.easyrider has asked for the wisdom of the Perl Monks concerning the following question:

Hi Perl Monks

I have written the following Perl code, which connects to a router and executes one command. If you look at the Perl script, I have hardcoded the username and password credentials used to connect to the device. I want to encrypt the password in my Perl script.

Can any one of you suggest how this can be achieved?

    #!/usr/bin/perl
    # loading all the required modules
    use strict;
    use warnings;
    use DBI;
    use Net::OpenSSH;

    my $host     = q(202.123.43.17);
    my $hostname = q(TVM-ISP-ACC-SWH-190);
    my $username = q(netcool);
    my $password = q(Hello@123);

    # the post does not show where LOG is opened; this file name is a placeholder
    open(LOG, '>>', 'router.log') or die "cannot open log: $!";

    # the snippet is the body of a per-device loop (hence the "next" below)
    for ($host) {
        eval {
            my $ssh = Net::OpenSSH->new($host, user => $username, password => $password, timeout => 10);
            my @output = $ssh->capture("admin show environment leds")
                or die "remote command failed: " . $ssh->error;
            print LOG "output of command = @output\n";
        };
        if ($@) {
            print LOG "since we got error w.r.t shell prompt for the IP $host, we are proceeding with next device\n";
            next;
        }
    }

How to encrypt the password and use it in the Net::OpenSSH module?

Replies are listed 'Best First'.
Re: Password encryption
by hippo (Bishop) on Sep 26, 2018 at 08:08 UTC

    See the FAQ "How can I hide the source for my Perl program?" for a discussion of the futility of using encryption in the source as a security measure. If your running script can decrypt the password so can anyone else who reads the source.

    Since you are using SSH anyway you might consider using its built-in asymmetric key auth instead.
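
The key-based login suggested in the reply above, as an added example that is not part of the original thread. It assumes a key pair was already created for this job and that the device accepts the public key for the account; the key path and the `run_on_device` helper name are assumptions, while host, user and command are the ones from the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::OpenSSH;

# Assumed location of the private key created for this job (e.g. with ssh-keygen).
my $key_path = "$ENV{HOME}/.ssh/id_netcool";

sub run_on_device {
    my ($host, $user, $command) = @_;

    # Refuse to use a key file that other local users could read.
    my @st = stat($key_path) or die "cannot stat $key_path: $!\n";
    die sprintf("%s has mode %04o, expected 0600 or stricter\n",
                $key_path, $st[2] & 07777)
        if $st[2] & 0077;

    my $ssh = Net::OpenSSH->new(
        $host,
        user       => $user,
        key_path   => $key_path,
        batch_mode => 1,     # never fall back to an interactive password prompt
        timeout    => 10,
    );
    # new() always returns an object; the connection result is in ->error
    die "connection to $host failed: " . $ssh->error . "\n" if $ssh->error;

    my @output = $ssh->capture($command);
    die "remote command failed: " . $ssh->error . "\n" if $ssh->error;
    return @output;
}

# No password appears anywhere in the script.
print run_on_device('202.123.43.17', 'netcool', 'admin show environment leds');
```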

Re: Password encryption
by talexb (Chancellor) on Sep 27, 2018 at 04:08 UTC

    Putting authentication information in a separate file is the way to go. My client's authentication information is stored in modules that are stored in a location separate from all of the code, which means it's easy to check all of the non-authentication code into github (in private repositories), safe in the knowledge that there's no confidential information stored off-site.

    Alex / talexb / Toronto

    Thanks PJ. We owe you so much. Groklaw -- RIP -- 2003 to 2013.

Re: Password encryption
by Aldebaran (Curate) on Sep 26, 2018 at 20:35 UTC

    I exported such values to a module, but now I use the Tiny family to have them in a location which is *not* my script nor anywhere near perl development. I use Config::Tiny and Path::Tiny to create an .ini file:

        $ ./2.initialize.pl
        $VAR1 = bless( {
                         'my_sftp' => {
                                        'username' => 'netcool',
                                        'domain' => '202.123.43.17',
                                        'password' => 'Hello@123'
                                      }
                       }, 'Config::Tiny' );
        created /home/bob/Documents/html_template_data/5.example.ini
        $ cat /home/bob/Documents/html_template_data/5.example.ini
        [my_sftp]
        domain=202.123.43.17
        password=Hello@123
        username=netcool
        $ cat 2.initialize.pl
        #!/usr/bin/perl -w
        ######
        ## USER: start here.
        ## The values you will need to populate to create a proper ini file are here.
        ## Change the ones you need to. You shouldn't have to change any of the
        ## lexical perl. The most these example data will be is irrelevant.
        ######
        use 5.011;
        use Data::Dumper;
        use Path::Tiny;
        use Config::Tiny;
        use constant { ENCODING => 'utf8' };

        my %config = (
            my_sftp => {
                domain   => '202.123.43.17',
                username => 'netcool',
                password => 'Hello@123',
            },
        );
        1;
        my $ini_file   = "5.example.ini";
        my $ref_config = \%config;
        my $ini_path   = path( "/home/bob/Documents/html_template_data", $ini_file );
        ## USER make path here^^^^^appropriate for your machine
        my $ini = bless $ref_config, 'Config::Tiny';
        say Dumper $ref_config;

        # this will clobber any previous file of same name
        $ini->write( $ini_path, ENCODING );
        say 'created ', $ini_path;
        __END__
        $

    Then when you want to create an sftp object, you call the values back:

        $ ./3.sftp1.pl upload_file
        ini path is /home/bob/Documents/html_template_data/5.example.ini
        $VAR1 = bless( {
                         'my_sftp' => {
                                        'password' => 'Hello@123',
                                        'domain' => '202.123.43.17',
                                        'username' => 'netcool'
                                      }
                       }, 'Config::Tiny' );
        values are 202.123.43.17 netcool Hello@123
        ^C
        $ cat 3.sftp1.pl
        #!/usr/bin/perl -w
        use 5.011;
        use Net::SFTP::Foreign;

        my $upload_file = shift;
        my $sftp        = get_tiny();
        my $server_dir  = "perlmonks/scripts";
        $sftp->mkdir("/$server_dir")  or warn "mkdir1 failed $!\n";
        $sftp->setcwd("/$server_dir") or warn "setcwd1 failed $!\n";
        $sftp->put($upload_file)      or warn "upload put failed $!\n";
        my $remote_dir = $sftp->cwd;
        say "remote dir is $remote_dir";
        my $ls = $sftp->ls( $remote_dir);
        print "$_->{filename}\n" for (@$ls);
        undef $sftp;

        sub get_tiny {
          use 5.011;
          use warnings;
          use Net::SFTP::Foreign;
          use Config::Tiny;
          use Data::Dumper;

          my $ini_path = qw( /home/bob/Documents/html_template_data/5.example.ini );
          say "ini path is $ini_path";
          my $sub_hash = "my_sftp";
          my $Config = Config::Tiny->new;
          $Config = Config::Tiny->read( $ini_path, 'utf8' );
          say Dumper $Config;

          # -> is optional between brackets
          my $domain   = $Config->{$sub_hash}{'domain'};
          my $username = $Config->{$sub_hash}{'username'};
          my $password = $Config->{$sub_hash}{'password'};

          # dial up the server
          say "values are $domain $username $password";
          my $sftp = Net::SFTP::Foreign->new(
            $domain,
            user     => $username,
            password => $password,
          );
          # new() always returns an object, so check its error state explicitly
          $sftp->die_on_error("Can't connect");
          return $sftp;
        }
        __END__
        $

    I'm not sure how different forms of sftp'ng are in terms of security. You could go the next step and encrypt the .ini file if you think you need such measures. Hope this helps....
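
A stricter loader for the same kind of .ini file, as an added example that is not part of the original reply: it refuses a credentials file that other local users can read and never prints the secret. The default path and the `load_credentials` name are assumptions; the `[my_sftp]` section and its keys follow the file shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Config::Tiny;
use Fcntl qw(:mode);

# Load one section of an .ini credentials file, but only if the file is
# owned by the current user and closed to group and others.
sub load_credentials {
    my ($ini_path, $section) = @_;

    my @st = stat($ini_path) or die "cannot stat $ini_path: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$ini_path is not a regular file\n" unless S_ISREG($mode);
    die "$ini_path is not owned by the user running this script\n"
        unless $uid == $>;
    die sprintf("%s has mode %04o; run chmod 600 on it\n",
                $ini_path, S_IMODE($mode))
        if S_IMODE($mode) & (S_IRWXG | S_IRWXO);

    my $config = Config::Tiny->read($ini_path, 'utf8')
        or die "cannot read $ini_path: " . Config::Tiny->errstr . "\n";
    my $creds = $config->{$section}
        or die "no [$section] section in $ini_path\n";

    for my $key (qw(domain username password)) {
        die "missing '$key' in [$section]\n"
            unless defined $creds->{$key} && length $creds->{$key};
    }
    return $creds;
}

# Path is an assumption; point it at a file outside the source tree.
my $ini_path = shift // "$ENV{HOME}/.config/netcool/credentials.ini";
my $creds    = load_credentials($ini_path, 'my_sftp');

# Report what was loaded without ever printing the secret itself.
printf "loaded credentials for %s\@%s (password: %d chars, not shown)\n",
    $creds->{username}, $creds->{domain}, length $creds->{password};
```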

Re: Password encryption
by pDaleC (Sexton) on Sep 26, 2018 at 16:02 UTC
    Sounds like you're going to put this script "somewhere else" to be run by "someone else"?

    We have jobs run on a utility server using a service account, and only accessible by trusted employees. We'll put sensitive information in configuration files on the server, where the "unworthy" cannot get to it.

      I second this; most places have special fake users with SSH keys already set up to run cron jobs. This is the most secure way to do it.
