Encrytping Passwords in Scripts

[cr1275]

I haven't been able to find any info to encrypt the passwords in scripts yet. I thought that is supposed to be possible with V6.5

How do I encrypt a plain text password located within a script so that it is not seen when someone opens the script ?

Thanks
cr1275

[bgagnon]

Hello cr1275,

The feature that was added in SecureCRT 6.5 is the /ENCRYPTEDPASSWORD command line option.

This option provides the ability to specify a password in an encrypted form.

If this is the functionality you are seeking, please contact us at support@vandyke.com and include "Forum Thread #4711" and we can provide further details.

[jtymann]

Where is the functionality in 6.5.3 to use encrypted passwords documented?

[rtb]

Hi jtymann,

The functionality referenced in this thread is referring to using a password that is saved in a session.

You can find the documentation on this in the Using the Software / Command-Line Options / Table of Protocol Specific Command-Line Options. This option is available to SSH1/SSH2 ad hoc sessions.

Does this help to answer your question?

[cr1275]

I originally posted my request not for sessions. I wanted to know how to encrypt passwords in a script not a session.

I have not gotten that far to test it yet. However, there is another thread that suggests using Windows Script Encoder with instructions.

I guess the question is ?

How do we encode passwords in a SecureCRT Script. It is very dangerous to have plain text passwords or even user names on a local PC in scripts that run in SecureCRT.

Does the Windows Script Encoder method still work and is it supported ? Is there some other method in SecureCRT.

This looks promising but not sure where to look for info on it or how to use it:
- The script functions SetOption and GetOption now allow encrypted
passwords to be used in a script.

The biggie is encoding passwords or user names thay may be in a script.

A Prime example would be a script like this to change users:
crt.Screen.Send "su - me" & chr(13)
crt.Screen.WaitForString "word: "
crt.Screen.Send "mypassword" & chr(13)
crt.Screen.WaitForString "$"

Of course you would not want the password "mypassword" hanging around on your PC. Even having the user could compromise security. What if your HD is stolen ?

Using a password and user name field in a dialog masks the user and password on screen if they are already filled in. However, the information is still in plain text in the script.

Thanks
cr1275

[rtb]

Hi cr1275,

Thanks for the clarification of what you want to do. We agree that it is not a best practice to leave plain text passwords on a computer. Because of this we recommend using publickey authentication when scripting.

SecureCRT does not have an API to encode/encrypt scripts. I am not sure if the Windows Script Encoder is or was ever supported by Microsoft, but we have been able to successfully use it.

I have created a feature request in our SecureCRT development database to add the capability to encode a script to SecureCRT. Should a future release of SecureCRT have this capability we will post to this forum thread. If you would like to be notified directly, please complete and submit the form at the following location:

Submit Feature Request

I am investigating the SetOption and GetOption methods and will post what I find.

[rtb]

Hi cr1275,

I have found that it is possible to get and set encrypted passwords. It is necessary to save the password via the SecureCRT GUI prior getting the password. It is not possible to take a plain text password and save it in encrypted format using the SetOption and GetOption methods.

After giving more thought to your stolen hard drive dilemma, I would say that there is no safe way to protect your passwords. If you can access the remote devices via SecureCRT, then any thief can do the same. This is why we do not recommend saving passwords. Further, it is not safe to use a public-key without a passphrase.

It is possible to protect a passphrase protected public-key using vkeygen (which is a command-line client in ClientPack). This protection would prevent a thief from accessing the remotes unless they could logon to the hard drive as you.

Does this sound like something that might meet your needs?

[cr1275]

Thanks for the reply. As stated I am looking to encode only passwords or usernames in a script.

I think the feature request will do the trick ?

You cannot use Public Key authentication when changing to a user after already connected like in the script I posted. Did I miss something there ? Please note that would be an account used by many others too.

It is totally related to users and passwords in a SCT script that is run after connecting.

It is great to fill in users and passwords in a script so that people only have to hit enter. However, in the script itself those passwords and user names are all plain text.

One solution would be not to fill in the information in a script. That is a big nuisance though because then you force people to do more work to lookup passwords and usernames for a quick tool.

The other faster for users solution would be to encode that info so that passwords or usernames cannot be determined by opening up the script.

Thanks

[rtb]

Hi cr1275,

Thanks for the update. I would like to clarify. Are you saying that you no longer want to encode the entire script, and would rather have the ability to encode a string of data (password or username) that can only be decoded by the Send method of the Screen object?

Neither option is secure, but it seems like encoding the entire script may be *more* secure than just the string.

[cr1275]

Sorry if I confused you. Yes I would like to encode the whole script.

The windows script encoder does seem to work however having the ability in SecureCRT would be much better though since you never know when MS will drop support for it and it is also a hassle to use a seperate program.

Thanks

[rtb]

Hi cr1275,

Thanks for the confirmation. We will post to this forum thread if a future release of SecureCRT has the ability to encode an entire script.