Handling Passwords with Security and Reliability in Background Processes

Traditionally, background automation of interactive processes meant giving up security and reliability. With the advent of software such as Expect for controlling interactive processes, it has become possible to improve reliability and security with relative ease. This paper reviews the reliability aspects but focuses primarily on the security aspects, presenting several non-obvious techniques for dealing with passwords and other sensitive information in background processes. These techniques require no changes to existing programs and no new security systems are necessary. With the appropriate tools and examples, these techniques can be applied with surprisingly little effort to a wide variety of problems. Reprinted from the Proceedings of the Eighth Systems Administration Conference (LISA VIII), San Diego, California, September 19-23, 1994. Using Expect it is possible to script telnet, ftp, rlogin, rz/sz, and numerous other programs. Many of these tasks fall in the domain of system administration. For example, a system administrator creating thousands of accounts each semester will find an automated passwd program much more convenient than having to type in each password manually. The following script is another example, driving the fsck program so that one class of questions is answered “yes” while another is answered “no”. If anything else appears, control is temporarily turned over to a user to answer it.