Solved

TTY ECHO issue with EXPECT script

Posted on 2004-03-24
Last Modified: 2013-12-27
The following script works, BUT it echoes the Passphrase and Password when it does the send.  The "stty -echo" works for hiding it while I input it... but I don't want it to show when it is sent either.

--------- BEGIN SCRIPT -------
     #!/opt/sfw/bin/expect

     set prompt "(>|%|#|\\\$) $"

     stty -echo

     send_user "\nPassPhrase: "
     expect_user -re "(.*)\n"
     set passphrase $expect_out(1,string)

     send_user "\nPassword: "
     expect_user -re "(.*)\n"
     set password $expect_out(1,string)

     spawn ssh SOMEHOST
     expect passphrase
     send $passphrase\r
     expect "password:"
     send $password\r
     expect -re $prompt

     send "uname -a\r"

     expect eof
--------- END SCRIPT -------
Question by:stewbeast

15 Comments

Expert Comment

by:Tintin
I assume the above script is just an example as it makes no sense to make it an expect script.

Author Comment

by:stewbeast
Correct, the ultimate goal will be to just use my public key for the ssh auth ( which I already do ).. but this script will be altered slightly to actually do something more like "sudo vxdisk list".  And I wish to be able to pass my password in once and have it applied for sudo commands.  And since making test scripts that actually use sudo would be a bad idea for lots of reasons... I decided that the same issues could be resolved using a test script.  Bottom line here is I need to be able to protect passwords from prying eyes while I run administrative scripts.

If someone here wants to go the extra mile and help me with syntax for expect script that can loop through a simple file that lists hostnames to run this simple uname command or something more elaborate.. and redirect/append the uname output to a local file ( I don't want output from all the other expect prompts and such ), I might award a few hundred more points.  Since you would be saving me a day or 2 of playing around all by myself on this task.

Expert Comment

by:Tintin
To turn echoing off, you need to use the system command, eg:

system stty -echo

Expert Comment

by:ahoffmann
Why not use ssh-agent?

Author Comment

by:stewbeast
ahoffmann,

ssh-agent works fine. Public key with no passphrase works fine... that is not the point.  I stated above... this is a dumb example script... the passphrase will never be used in the actual production script, but the password will because rather than a "uname" command that I used just for sake of doing SOMETHING I will actually be using sudo commands ( for which I WILL have to manually enter or pass a password to ).  There are over 1200 ( yes, 1 thousand 2 hundred ) hosts that I need to perform tasks on, and running scripts that I must sudo gets ridiculous at that point.

There is no way I am gonna run test scripts ( which log everything I do in sudolog ) on hosts while I work through the clear echo issue.. hence the dumb test script that does work for the sake of work so I can test with it.

tintin,
I have not tried the "system stty -echo" ... as you can see from the above example, I have tried "stty -echo".  I will give it a stab on Monday your way.  As an interesting note, I have seen the script run properly only once... I ran the script, it prompted me for password ( hidden as it should be ) then ran the ssh command and kept the passwords hidden... WOW I thought, this is great... so I recalled the command from history and immediately ran it again... it kept passwords hidden when I typed them in as before, but then when running ssh command PLOP, there it was again... passed it in AND displayed it. *sigh*
Third and fourth ( for sanity ) were the same bad result.

Expert Comment

by:ahoffmann
if you use a ssh key and ssh-agent, you just start ssh-agent once and give the passphrase there
then simply do
  ssh root@1of1200 your-command

Author Comment

by:stewbeast
ahoffmann, it is not about using ssh, I know how to do that... I already use the agent for my passphrase and keys, I purposely removed my key from authorized_keys2 on a dev box so that I could test expect with hiding info that I prompted for and then use "send" to send that info to "expect" pattern matches and still keep it hidden.  I appreciate your responses... but I need to focus on the expect aspect of it all.

Expert Comment

by:Tintin
Have you tried the

system stty -echo

yet?

Author Comment

by:stewbeast
I have not tried it yet, I will try in the morning. Thanks

Author Comment

by:stewbeast
OK, I just tried "system stty -echo" at beginning and "system stty echo" at end.  There are no syntax errors or anything with preceding the stty command with "system" but the result is the same.  It still echoes my password to the screen when it answers the expected prompt.

Expert Comment

by:ahoffmann
move the   stty -echo   command right after your   spawn ssh   command
If this does not help, try also
   stty -echo < [exec tty]

Expert Comment

by:Tintin
Hmm.

It's a bit of a strange one.

If you look at http://rootprompt.org/article.php3?article=5760  you'll see the expect script there is asking for the password in pretty much the same way you originally tried.

Expert Comment

by:Droby10
expect has no control over whether the password is printed to tty or not in this case, it's being sent to stdin for the application not the device.  what you are seeing is more dependent on the echoing nature of the application (err state of the application) being run.  something tells me your send password is out of sync with the ssh process password prompt.  you might try a shortened version (just the login process, hardcoded values) just to verify, throw in a few sleeps and send_users to observe/debug when events occur.

--------- BEGIN SCRIPT -------
     #!/opt/sfw/bin/expect
     set prompt "(>|%|#|\\\$) $"

     set passphrase "SOMEPASSPHRASE"
     set password "SOMEPASSWORD"

     spawn ssh SOMEHOST
     expect "passphrase"
     send_user "I got passphrased\n"
     sleep 2
     send "$passphrase\r"

     expect "password:"
     send_user "I got passworded\n"
     sleep 2
     send "$password\r"
     interact
     expect eof
--------- END SCRIPT -------

you might also try moving interact just below the expect "password:" line, and manually entering the password - if it echoes back then you can at least see where it's attempting to enter this.
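
The out-of-sync behaviour described in the comment above can be reproduced without ssh. This is an added example, not code from the thread: it uses Python's standard `pty` module, the child process is a constructed stand-in for ssh, and `SECRET` is a constructed sample value. It shows that whether a sent secret appears on screen depends on the echo flag of the spawned program's pty at the moment of the send, not on any `stty -echo` applied to the user's own terminal.

```python
import os
import pty
import termios
import time

SECRET = b"hunter2-constructed"  # constructed sample secret, not from the thread

def _child():
    """Stand-in for ssh: busy for a moment, then echo off, prompt, read a line."""
    time.sleep(0.5)                       # window in which the pty still echoes
    attrs = termios.tcgetattr(0)
    attrs[3] &= ~termios.ECHO             # clear ECHO in the local flags
    termios.tcsetattr(0, termios.TCSANOW, attrs)  # TCSANOW keeps queued input
    os.write(1, b"password: ")
    os.read(0, 1024)                      # consume the line that was sent
    os.write(1, b"\ndone\n")
    os._exit(0)

def session(wait_for_prompt):
    """Return everything the pty master shows, i.e. what expect would log."""
    pid, fd = pty.fork()
    if pid == 0:
        _child()
    seen = b""
    if wait_for_prompt:                   # in sync: block until the prompt is out
        while b"password: " not in seen:
            seen += os.read(fd, 1024)
    os.write(fd, SECRET + b"\n")          # equivalent of expect's send
    while True:
        try:
            chunk = os.read(fd, 1024)
        except OSError:                   # Linux reports EIO once the child exits
            break
        if not chunk:
            break
        seen += chunk
    os.close(fd)
    os.waitpid(pid, 0)
    return seen

def leaked(wait_for_prompt):
    """True if the secret was echoed back on the master side."""
    return SECRET in session(wait_for_prompt)

if __name__ == "__main__":
    print("sent before the prompt:", leaked(False))
    print("sent after the prompt: ", leaked(True))
```

In an expect script the same rule means every send of a secret has to follow an expect that matched the prompt currently on screen, not text left in the buffer from an earlier prompt.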

Accepted Solution

by: Netminder
PAQed - no points refunded (of 500)

Netminder
EE Admin