Re: [Expectperl-discuss] Executing consecutive commands

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Thu, Apr 18, 2002 at 11:56:57AM +0200, RGi...@a1... wrote:
>     You shouldn't use Expect for this. Putting passwords, especially 
> root passwords, into scripts in clear text can mean severe security 
> problems.  I strongly recommend using other means. For 'su', consider 
> switching to 'sudo', which gives you root access on a per-command and 
> per-user basis without the need to enter passwords. 'ssh'/'scp' can be 
> set up with RSA authentication without passwords. 'rsh' can use 
> the .rhost mechanism, but I'd strongly suggest to switch to 'ssh'; to 
> mention 'rsh' and 'security' in the same sentence makes an oxymoron.
> 
	Something I don't quite understand about this is that RSA
authentication only seems to check to see if you have a matching key and
password. That is to say, it doesn't seem to check to make sure the host you
are coming from is the one that matches your key. If you set up RSA w/ no
password, then all someone would need to do is copy your key to their machine
to gain access. This doesn't seem especially secure to me vs. any other
method, especially .shosts. Maybe this is just local configuration, but it
seems to be the default. Is there some way to turn on host checking that I
missed?
	The one thing about keeping cleartext passwords around that's good
is that the security implications are obvious. If you keep them in a 
file accessible only by yourself then someone would have to be either you
or root to gain access. If you combine that with tcp wrappers at the remote
end I'd say it's reasonably secure - though again probably not as good as
.shosts, which _does_ seem to check vs. ssh's known_hosts file to make sure
you're coming from the correct host.

	Austin