From entropy@bernstein.com Mon Nov 27 19:45:22 1995 Path: dove.nist.gov!uunet!in2.uu.net!news.ios.com!news2.ios.com!wax.bernstein.com!entropy From: entropy@bernstein.com (maximum entropy) Newsgroups: comp.security.unix Subject: A new version of srlogin/stelnet Followup-To: comp.security.unix Date: 19 Nov 1995 09:48:47 GMT Organization: Internet Online Services Lines: 115 Distribution: world Message-ID: NNTP-Posting-Host: ns.bernstein.com Greetings... For those of you that use S/Key on a regular basis, I'm releasing a modified version of the srlogin/stelnet expect script. Name it srlogin or stelnet and give it execute permission. It will automatically prompt for your s/key passhphrase when it is needed, to eliminate the hassle of cutting and pasting or manually typing the one time password. It's very short, so I'm including it here. It will also be available at ftp://honey.bernstein.com/pub/entropy/security/stelnet.gz Cheers, entropy --- snip --- #!/usr/local/bin/expect # # login via skey # Call this script 'srlogin' or 'stelnet' depending on which program # you want it to invoke to do the actual communications. # Original source unknown -- modified version by entropy@zippy.bernstein.com # I don't remember where I got the original version...if you know, # drop me a line so I can give appropriate credit! # entropy's mods: # - Fixed program path for IRIX # - allow the s/key prompt to occur anywhere in the line, not just # at the left margin (TIS firewall compatibility) # - add "-nobuffer" to s/key prompt match options; avoids weirdness # due to delayed output while a partial match has occurred # - Kludge to do backspace/delete processing (in proc getpass) when # tty erase mode is wrong. Note that the looping is there for a # reason; regsub -all is not equivalent. This kludge is to # prevent weird runtime crashes when a "^?" ends up in the # passphrase. # debug 1 proc getpass {} { set timeout -1 stty -echo send_user "Enter S/Key secret password: " expect_user -re ".+\r"; send_user "\n" set timeout 20 set p1 $expect_out(0,string) while { [regsub ".\177" $p1 "" p2] } { set p1 $p2 } regsub "\177" $p1 "" p2 set p1 $p2 while { [regsub ".\10" $p1 "" p2] } { set p1 $p2 } regsub "\10" $p1 "" p2 set p1 $p2 return $p1; } proc skey {id key1 key2} { log_user 0 send_user "\n"; spawn -noecho /usr/local/bin/key $key1 $key2 set skey $spawn_id set password [ getpass ]; # send_user "Sending $password to skey\n"; expect -i $skey -re "password:"; send -i $skey "$password"; expect -i $skey -re "\r\n(\[A-Z\ ]+)\r\n"; set response $expect_out(1,string); # send_user "Sending $response to rlogin\n"; send -i $id "$response\r"; log_user 1 } regsub "^.*s(\[^/]+)$" $argv0 "\\1" progname if {$argc < 1} { send_user "usage: s$progname machine\n" exit } send_user "WARNING: This program should not be run when logged in remotely!!!\n" set machine [lindex $argv 0] set myos [exec uname -s] if { [regexp "IRIX" $myos] } { spawn -noecho /usr/bsd/$progname $machine } else { spawn -noecho /usr/ucb/$progname $machine } set rlogin $spawn_id interact { -o -nobuffer -re "s/key\[ ]+(\[0-9]+)\[ ]+(..\[0-9]+)\[\n\r]*" { set key1 $interact_out(1,string) set key2 $interact_out(2,string) skey $rlogin $key1 $key2 if {$key1 <= 10} { send_user "Warning: only $key1 more logins possible\n"; send_user "Run keyinit -s as soon as possible\n"; } } } --- snip --- -- entropy -- it's not just a good idea, it's the second law.