#1
Encrypting Passwords in Scripts
I haven't been able to find any info to encrypt the passwords in scripts yet. I thought that is supposed to be possible with V6.5.

How do I encrypt a plain text password located within a script so that it is not seen when someone opens the script?

Thanks
cr1275
#2
Hello cr1275,
The feature that was added in SecureCRT 6.5 is the /ENCRYPTEDPASSWORD command line option. This option provides the ability to specify a password in an encrypted form. If this is the functionality you are seeking, please contact us at support@vandyke.com and include "Forum Thread #4711" and we can provide further details.
__________________
Thanks,
--Brenda
VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#3
Where is the functionality in 6.5.3 to use encrypted passwords documented?
#4
Hi jtymann,
The functionality referenced in this thread is referring to using a password that is saved in a session. You can find the documentation on this in the Using the Software / Command-Line Options / Table of Protocol Specific Command-Line Options. This option is available to SSH1/SSH2 ad hoc sessions.

Does this help to answer your question?
#5
I originally posted my request not for sessions. I wanted to know how to encrypt passwords in a script, not a session.

I have not gotten that far to test it yet. However, there is another thread that suggests using Windows Script Encoder with instructions.

I guess the question is: how do we encode passwords in a SecureCRT script? It is very dangerous to have plain text passwords or even user names on a local PC in scripts that run in SecureCRT. Does the Windows Script Encoder method still work and is it supported? Is there some other method in SecureCRT?

This looks promising but not sure where to look for info on it or how to use it:

- The script functions SetOption and GetOption now allow encrypted passwords to be used in a script.

The biggie is encoding passwords or user names that may be in a script. A prime example would be a script like this to change users:

```vbscript
' Switch user, then answer the password prompt
crt.Screen.Send "su - me" & chr(13)
crt.Screen.WaitForString "word: "
' The password is stored in plain text in the script file
crt.Screen.Send "mypassword" & chr(13)
crt.Screen.WaitForString "$"
```

Of course you would not want the password "mypassword" hanging around on your PC. Even having the user could compromise security. What if your HD is stolen?

Using a password and user name field in a dialog masks the user and password on screen if they are already filled in. However, the information is still in plain text in the script.

Thanks
cr1275
#6
Hi cr1275,
Thanks for the clarification of what you want to do. We agree that it is not a best practice to leave plain text passwords on a computer. Because of this we recommend using publickey authentication when scripting.

SecureCRT does not have an API to encode/encrypt scripts. I am not sure if the Windows Script Encoder is or was ever supported by Microsoft, but we have been able to successfully use it.

I have created a feature request in our SecureCRT development database to add the capability to encode a script to SecureCRT. Should a future release of SecureCRT have this capability we will post to this forum thread. If you would like to be notified directly, please complete and submit the form at the following location: Submit Feature Request

I am investigating the SetOption and GetOption methods and will post what I find.
#7
Hi cr1275,
I have found that it is possible to get and set encrypted passwords. It is necessary to save the password via the SecureCRT GUI prior to getting the password. It is not possible to take a plain text password and save it in encrypted format using the SetOption and GetOption methods.

After giving more thought to your stolen hard drive dilemma, I would say that there is no safe way to protect your passwords. If you can access the remote devices via SecureCRT, then any thief can do the same. This is why we do not recommend saving passwords. Further, it is not safe to use a public-key without a passphrase.

It is possible to protect a passphrase protected public-key using vkeygen (which is a command-line client in ClientPack). This protection would prevent a thief from accessing the remotes unless they could logon to the hard drive as you.

Does this sound like something that might meet your needs?
#8
Thanks for the reply. As stated I am looking to encode only passwords or usernames in a script.

I think the feature request will do the trick?

You cannot use Public Key authentication when changing to a user after already connected like in the script I posted. Did I miss something there? Please note that would be an account used by many others too.

It is totally related to users and passwords in a SCT script that is run after connecting. It is great to fill in users and passwords in a script so that people only have to hit enter. However, in the script itself those passwords and user names are all plain text.

One solution would be not to fill in the information in a script. That is a big nuisance though because then you force people to do more work to lookup passwords and usernames for a quick tool. The other faster for users solution would be to encode that info so that passwords or usernames cannot be determined by opening up the script.

Thanks
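
The alternative mentioned in the post above (not filling the credentials into the script), shown as an added example that is not part of the thread and not VanDyke's code: the password is requested at run time in a masked dialog and is sent only after the `su` password prompt has actually appeared, so it is never written to the script file or typed into a shell. The account name, prompt strings and failure strings are assumptions for illustration.

```vbscript
# $language = "VBScript"
# $interface = "1.0"

' Added example, not the original poster's script.
' Assumed for illustration: account name "me", a password prompt ending
' in "word: ", a shell prompt of "$", and the failure strings below.
Const TIMEOUT_SECS = 10

Sub Main
    Dim strPassword, nResult

    ' Synchronous mode so output is not missed between Send and WaitFor.
    crt.Screen.Synchronous = True

    ' Fourth argument True masks the typed characters in the dialog.
    strPassword = crt.Dialog.Prompt("Password for me:", "su", "", True)
    If strPassword = "" Then
        crt.Screen.Synchronous = False
        Exit Sub            ' cancelled or empty: send nothing
    End If

    crt.Screen.Send "su - me" & Chr(13)

    ' Only send the password if the prompt really appeared; otherwise it
    ' would be typed at a shell, echoed, and could end up in history/logs.
    If Not crt.Screen.WaitForString("word: ", TIMEOUT_SECS) Then
        strPassword = ""
        crt.Dialog.MessageBox "No password prompt seen; nothing was sent."
        crt.Screen.Synchronous = False
        Exit Sub
    End If

    crt.Screen.Send strPassword & Chr(13)
    strPassword = ""        ' drop the script's copy once it has been sent

    ' Index 1 = shell prompt; 2 or 3 = failure text; 0 = timeout.
    nResult = crt.Screen.WaitForStrings("$", "failure", "incorrect", TIMEOUT_SECS)
    If nResult <> 1 Then
        crt.Dialog.MessageBox "su did not succeed (result " & nResult & ")."
    End If

    crt.Screen.Synchronous = False
End Sub
```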
#9
Hi cr1275,
Thanks for the update. I would like to clarify. Are you saying that you no longer want to encode the entire script, and would rather have the ability to encode a string of data (password or username) that can only be decoded by the Send method of the Screen object?

Neither option is secure, but it seems like encoding the entire script may be *more* secure than just the string.
#10
Sorry if I confused you. Yes, I would like to encode the whole script.

The Windows Script Encoder does seem to work; however, having the ability in SecureCRT would be much better though since you never know when MS will drop support for it and it is also a hassle to use a separate program.

Thanks
#11
Hi cr1275,
Thanks for the confirmation. We will post to this forum thread if a future release of SecureCRT has the ability to encode an entire script.
#12
Hi,
Could you please post how you could use the GetOption API call to actually use the password retrieved?

When I retrieve the password and display it in a MsgBox it shows a long string of what I presume is the encrypted password. However, if I need to be able to pass that string into a host to connect, how could I do that? Surely the host will reject the password?

Thanks,
Tom
#13
Hi Tom,
Thanks for the question. SecureCRT does not have an API object, method or property that allows one to get at the unencrypted form of a password that is stored in a session .ini file.

Here is an example that would allow you to save a password in a session .ini file, and then use that password to connect to a remote:

Code:
```vbscript
' Open the saved session to read its stored (encrypted) password
Set Config = crt.OpenSessionConfiguration("<session name>")
' Pass the encrypted value to an ad hoc SSH2 connection
crt.Session.Connect "/SSH2 /ENCRYPTEDPASSWORD " & Config.GetOption("Password") & " <username>@<hostname>", True
```

Does this information help you accomplish your goal?
#14
Thanks for your reply Todd, but unfortunately this doesn't help.

I work in an environment where we have to connect to bastion hosts in order to connect to devices. They are also a little unnerved by the idea of having plain-text usernames/passwords sitting in scripts too.

We open SCRT manually as usual and select the bastion host session to connect to, which automatically calls our logon script. It is within this script that all our magic happens! The script chooses the connect to host option and prompts the user for a hostname to connect to, and once that is supplied it uses credentials stored in the script in order to automatically connect to the host given.

So, your solution would enable me to be able to connect to the bastion automatically, but then I can do that anyway using the stored password for the session.

My ideal situation would be something like as follows:

- VanDyke provide a complementary tool alongside SCRT which simply prompts for a string and then provides an encrypted version of the string back to the user.
- The user/script author can then paste the encrypted password into the script, e.g.:

Code:
```vbscript
strUsername = crt.String.Encrypted "hereismyencryptedusername"
strPassword = crt.String.Encrypted "hereismyencryptedpassword"
```

Does this sound feasible? I understand that the user could still opt to show strUsername or strPassword in plain view via a MsgBox or similar, but at least it means that plain-text usernames and passwords are not sitting in plain view of a casual user.

Thanks,
Tom
#15
Failing the above, I would second a way in which the whole script could be encrypted so that it cannot be casually viewed.