Subscribe

Automating API commands and securing passwords

Hello there. I have written some scripts using the undocumented system-cli API command. I am also using the apitest.pl script to run them. An example for running "cifs shares" is as follows:

perl apitest.pl -i $host $user $pass "<system-cli><args><arg>cifs</arg><arg>shares</arg></args></system-cli>

There are two potential problems I see here:

1. The command takes in a plain text password. I have written something to turn off echo and take in a password typed in by the user running the script. This however is not convenient for scripts we want to run automatically, say from crontab. Is there any default way to go about securing a password for this cause? So far my conclusion has been to create a config file housing the encoded/encrypted password and decoding/decrypting it every time the script runs.

2. As per my limited knowledge, these commands are sent unencrypted over port 80. Are there any ways to secure the transmission of these commands so the plain text username and password cannot be sniffed?

I believe the easiest solution is to use ssh keys and run the equivalent cli commands over the ssh session instead of using the api commands. This however requires a rewrite of my scripts. Are there any other known solutions when working with the API commands?

Re: Automating API commands and securing passwords

1) You could add host ip in the hosts.equiv file. You don’t need to give password in the scripts provided your host is secured enough.

2) SDK also has a HTTPS transport type (uses port 443) that you can set while making your connection.


Re: Automating API commands and securing passwords

Yes we know this can be used in 7-mode. how can we use the hosts.equiv method (HOST) in C-Mode.