Encrypting Passwords in Scripts
cr1275
12-25-2009, 03:16 PM
I haven't been able to find any info to encrypt the passwords in scripts yet. I thought that was supposed to be possible with V6.5.
How do I encrypt a plain text password located within a script so that it is not seen when someone opens the script?
Thanks
cr1275
bgagnon
12-26-2009, 10:04 AM
Hello cr1275,
The feature that was added in SecureCRT 6.5 is the /ENCRYPTEDPASSWORD command line option.
This option provides the ability to specify a password in an encrypted form.
If this is the functionality you are seeking, please contact us at support@vandyke.com and include "Forum Thread #4711" and we can provide further details.
jtymann
07-12-2010, 01:43 PM
Where is the functionality in 6.5.3 to use encrypted passwords documented?
Hi jtymann,
The functionality referenced in this thread is referring to using a password that is saved in a session.
You can find the documentation on this in the Using the Software / Command-Line Options / Table of Protocol Specific Command-Line Options. This option is available to SSH1/SSH2 ad hoc sessions.
Does this help to answer your question?
cr1275
07-27-2010, 10:36 PM
I originally posted my request not for sessions. I wanted to know how to encrypt passwords in a script not a session.
I have not gotten that far to test it yet. However, there is another thread that suggests using Windows Script Encoder with instructions.
I guess the question is:
How do we encode passwords in a SecureCRT script? It is very dangerous to have plain text passwords or even user names on a local PC in scripts that run in SecureCRT.
Does the Windows Script Encoder method still work and is it supported? Is there some other method in SecureCRT?
This looks promising but not sure where to look for info on it or how to use it:
- The script functions SetOption and GetOption now allow encrypted passwords to be used in a script.
The biggie is encoding passwords or user names that may be in a script.
A prime example would be a script like this to change users:
crt.Screen.Send "su - me" & chr(13)
crt.Screen.WaitForString "word: "
crt.Screen.Send "mypassword" & chr(13)
crt.Screen.WaitForString "$"
Of course you would not want the password "mypassword" hanging around on your PC. Even having the user could compromise security. What if your HD is stolen?
Using a password and user name field in a dialog masks the user and password on screen if they are already filled in. However, the information is still in plain text in the script.
Thanks
cr1275
Hi cr1275,
Thanks for the clarification of what you want to do. We agree that it is not a best practice to leave plain text passwords on a computer. Because of this we recommend using publickey authentication when scripting.
SecureCRT does not have an API to encode/encrypt scripts. I am not sure if the Windows Script Encoder is or was ever supported by Microsoft, but we have been able to successfully use it.
I have created a feature request in our SecureCRT development database to add the capability to encode a script to SecureCRT. Should a future release of SecureCRT have this capability we will post to this forum thread. If you would like to be notified directly, please complete and submit the form at the following location:
Submit Feature Request (https://secure.vandyke.com/cgi-bin/customer_form.php?cft=feature)
I am investigating the SetOption and GetOption methods and will post what I find.
Hi cr1275,
I have found that it is possible to get and set encrypted passwords. It is necessary to save the password via the SecureCRT GUI prior to getting the password. It is not possible to take a plain text password and save it in encrypted format using the SetOption and GetOption methods.
After giving more thought to your stolen hard drive dilemma, I would say that there is no safe way to protect your passwords. If you can access the remote devices via SecureCRT, then any thief can do the same. This is why we do not recommend saving passwords. Further, it is not safe to use a public-key without a passphrase.
It is possible to protect a passphrase protected public-key using vkeygen (which is a command-line client in ClientPack). This protection would prevent a thief from accessing the remotes unless they could logon to the hard drive as you.
Does this sound like something that might meet your needs?
cr1275
07-29-2010, 11:49 PM
Thanks for the reply. As stated I am looking to encode only passwords or usernames in a script.
I think the feature request will do the trick?
You cannot use Public Key authentication when changing to a user after already connected like in the script I posted. Did I miss something there? Please note that would be an account used by many others too.
It is totally related to users and passwords in a SCT script that is run after connecting.
It is great to fill in users and passwords in a script so that people only have to hit enter. However, in the script itself those passwords and user names are all plain text.
One solution would be not to fill in the information in a script. That is a big nuisance though because then you force people to do more work to lookup passwords and usernames for a quick tool.
The other solution, faster for users, would be to encode that info so that passwords or usernames cannot be determined by opening up the script.
Thanks
Hi cr1275,
Thanks for the update. I would like to clarify. Are you saying that you no longer want to encode the entire script, and would rather have the ability to encode a string of data (password or username) that can only be decoded by the Send method of the Screen object?
Neither option is secure, but it seems like encoding the entire script may be *more* secure than just the string.
cr1275
07-30-2010, 04:52 PM
Sorry if I confused you. Yes I would like to encode the whole script.
The Windows Script Encoder does seem to work; however, having the ability in SecureCRT would be much better, since you never know when MS will drop support for it, and it is also a hassle to use a separate program.
Thanks
Hi cr1275,
Thanks for the confirmation. We will post to this forum thread if a future release of SecureCRT has the ability to encode an entire script.
smallcheese
06-02-2011, 04:11 AM
Hi,
Could you please post how you could use the GetOption API call to actually use the password retrieved? When I retrieve the password and display it in a MsgBox it shows a long string of what I presume is the encrypted password. However, if I need to be able to pass that string into a host to connect, how could I do that? Surely the host will reject the password?
Thanks,
Tom
Hi Tom,
Thanks for the question. SecureCRT does not have an API object, method or property that allows one to get at the unencrypted form of a password that is stored in a session .ini file.
Here is an example that would allow you to save a password in a session .ini file, and then use that password to connect to a remote:
set Config = crt.OpenSessionConfiguration("<session name>")
crt.Session.Connect "/SSH2 /ENCRYPTEDPASSWORD " & Config.GetOption("Password") & " <username>@<hostname>", True
A form of this example is located in the help file under the Scripting / Script Objects Reference / Session Object chapter.
Does this information help you accomplish your goal?
smallcheese
06-02-2011, 07:57 AM
Thanks for your reply Todd, but unfortunately this doesn't help.
I work in an environment where we have to connect to bastion hosts in order to connect to devices. They are also a little unnerved by the idea of having plain-text usernames/passwords sitting in scripts too.
We open SCRT manually as usual and select the bastion host session to connect to, which automatically calls our logon script. It is within this script that all our magic happens!
The script chooses the connect to host option and prompts the user for a hostname to connect to, and once that is supplied it uses credentials stored in the script in order to automatically connect to the host given.
So, your solution would enable me to be able to connect to the bastion automatically, but then I can do that anyway using the stored password for the session.
My ideal situation would be something like as follows:
- Van Dyke provide a complementary tool alongside SCRT which simply prompts for a string and then provides an encrypted version of the string back to the user.
- The user/script author can then paste the encrypted password into the script, e.g.:
strUsername = crt.String.Encrypted "hereismyencryptedusername"
strPassword = crt.String.Encrypted "hereismyencryptedpassword"
Then at runtime when strUsername and strPassword are compiled the API can decrypt them on the fly.
Does this sound feasible? I understand that the user could still opt to show strUsername or strPassword in plain view via a MsgBox or similar, but at least it means that plain-text usernames and passwords are not sitting in plain view of a casual user.
Thanks,
Tom
smallcheese
06-02-2011, 08:00 AM
Failing the above, I would second a way in which the whole script could be encrypted so that it cannot be casually viewed.
Hi Tom,
Thanks for the additional information. I can see how the example will not work if you are using a different client once connected to the bastion host. If you are using SecureCRT via an SSH2 port forward, then the example should work.
With regards to your suggestion, it sounds like you are sending a connection string that includes a password using the Send method. If this is the case, it seems like being able to use the /ENCRYPTEDPASSWORD option with the Send method would be helpful. Is this correct?
smallcheese
06-02-2011, 10:16 AM
Hi Todd,
If you mean use /ENCRYPTEDPASSWORD with the crt.Screen.Send method then yes that would be great.
Thanks,
Tom
Hi Tom,
Thanks for the confirmation. I did mean the Send method that is a part of the Screen object. I have created a feature request to add the ability to use /ENCRYPTEDPASSWORD with the Send method. I have also added your request to the feature to be able to encrypt an entire script. Should either feature be implemented in a future release of SecureCRT, we will post to this forum thread.
If you would like to be notified directly, please complete and submit the form at the following location:
Submit Feature Request (https://secure.vandyke.com/cgi-bin/customer_form.php?cft=feature)
brandonreddish
06-03-2011, 06:10 AM
I did realize that it was uncomfortable to have cleartext usernames and passwords saved in a config file, so I had my script prompt me for my username and password (and enable password for Cisco switches). It would only ask me the once and then connect to all of the switches I specified using the same credentials.
It's not precisely click-and-go, but I definitely feel more secure knowing that my passwords are stored anywhere.
Let me know if you'd like snippets of my code. :)
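As an added illustration of the approach brandonreddish describes (not code from the thread or from VanDyke), here is the "su - me" script posted earlier in this thread rewritten so that no username or password is stored in the script file: both are requested at run time with crt.Dialog.Prompt, the password with the isPassword flag so it is masked on screen. It assumes an already connected session whose shell prompt ends in "$".

```vbscript
#$language = "VBScript"
#$interface = "1.0"

' Added example, not from the thread: the credentials never live in
' this file. They are asked for when the script runs, the password
' masked via the isPassword argument of crt.Dialog.Prompt.
' Assumes an open, connected SSH session with a "$" shell prompt.

Sub Main
    crt.Screen.Synchronous = True

    Dim strUser, strPassword
    strUser = crt.Dialog.Prompt("Switch to which user?", "su", "", False)
    If strUser = "" Then Exit Sub   ' user cancelled the dialog

    strPassword = crt.Dialog.Prompt("Password for " & strUser & ":", "su", "", True)
    If strPassword = "" Then Exit Sub

    crt.Screen.Send "su - " & strUser & chr(13)

    ' Bounded wait (10 s) so an unexpected prompt does not hang the script,
    ' and the password is only sent once the password prompt is actually seen.
    If Not crt.Screen.WaitForString("word: ", 10) Then
        crt.Dialog.MessageBox "No password prompt seen; not sending password."
        Exit Sub
    End If

    crt.Screen.Send strPassword & chr(13)
    strPassword = ""   ' drop the clear-text copy as soon as it has been sent

    If Not crt.Screen.WaitForString("$", 10) Then
        crt.Dialog.MessageBox "Shell prompt not seen after su; check the password."
    End If
End Sub
```

The prompt can be reused for several hosts in one run, as brandonreddish does, by collecting the credentials once before a loop over the host list.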
bob972
06-11-2011, 04:39 AM
Hi,
In my office, we are using an Excel file to generate all the sessions .ini files.
Today, I have to generate once the password to have its encrypted version.
I can't find out how the passwords and Login Script V2 strings are encrypted.
As the result of encryption changes every time we save it, I assume it could be something like that:
sha1("password"+"timestamp").
Do you have any idea of the function used?
Regards
bob972
Hi bob972,
It is not currently possible to programmatically set expect/send sequences. I have created a feature request in our SecureCRT development database to add this capability. Should a future release of SecureCRT have this capability, we will post to this thread.
If you would like to be notified directly, please complete and submit the form at the following location:
Submit Feature Request (https://secure.vandyke.com/cgi-bin/customer_form.php?cft=feature)
bob972
06-15-2011, 01:38 PM
Hi Todd,
Thanks for your answer.
I don't think it's about a new SecureCRT feature.
I was wondering how SecureCRT encrypts passwords when they are saved in the .ini files. This feature is already available.
Regards,
bob972
Hi bob972,
I created a feature request because you initially indicated that you were using session .ini files generated from an Excel file.
My expectation was that you wanted to set the logon actions section as you are creating the ini files. It is not currently possible to programmatically set the contents of a logon script in the Logon Actions section of the Session Options dialog. It is possible to programmatically set a password.
If you were not asking your question in relation to creating ini files, but for general knowledge, we cannot disclose details about the algorithms used to keep sensitive user data confidential.