
OK, I was unable to find this same question anywhere. So I apologize in advance if this has been asked before.

My need is to have a script ssh into other devices at different times, to do this I need to store a password. I don't want to use plain text or base64, but I would be OK with hashing the password and I have no issue doing that. The issue is I don't know how to get the hash to be sent to the devices as a password. It just sends the hash and the login gets denied.

This is the hash script that writes to a file:

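import getpass, hashlib

password = getpass.getpass()
# SHA-256 is one-way: the stored digest cannot be turned back into the password
hashpass = hashlib.sha256(password.encode()).hexdigest()
# Write the hex digest to the file and close it
with open('hashes.txt', 'w') as pwf:
    pwf.write(hashpass)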

This is the 2nd script that I can pull the hash out of the file, but it's still a hash.

# Read the stored digest back; this is still the hash, not the original password
with open('hashes.txt', 'r') as hashes:
    for pw in hashes:
        passwrd = pw.strip()
password = passwrd

That's all fine and dandy, but then I can't login with the hash. I'm sure I'm doing something fundamentally wrong here. Please let me know.

Also I left out the other ssh code as I didn't think it was relevant.

  • Hash is one way. There's no way to reclaim your password from a hash. Commented Dec 31, 2014 at 20:40
  • This is a pretty common issue. If your script was able to decrypt the hash to send as the password, then anyone else with access to that same script would be able to easily decrypt the hash as well, which defeats the purpose. Best bet is to make sure the script that has the username/password is in a secure environment that people can't access. Commented Dec 31, 2014 at 20:40
  • If you need to actually use the password, then you need the password, not a hash of the password. Commented Dec 31, 2014 at 20:40
  • Is there a best way to encrypt and store passwords for use then? Commented Dec 31, 2014 at 20:41
  • If they really want to do something bad and they have physical access to that local machine to look at your password that is in the Python code, that's the least of your worries. Commented Dec 31, 2014 at 20:45

1 Answer

The entire point of a cryptographic hash is that it isn't feasible to reverse it into the original password. If you need to send the actual password, a hash will not work for you; you'd need to use an actual encryption algorithm - but then you run into a similar problem of how you store the encryption key you're using to store the password.

Either way you need a way of securely storing data on your local system that other unauthorized users can't access. Typically this is done by using key-based ssh authentication and storing the key with permissions that make it inaccessible to other users. This essentially skips the unnecessary step of encrypting/decrypting a password and instead just uses the encryption key as the authentication mechanism for ssh.

Note that there exist Python libraries that are designed for the kind of task you're doing (sshing to remote systems and running commands automatically) - fabric is one of them.


3 Comments

He could use the hash of his password as the encryption key.
@Camron_Godbout and what benefit do you think that provides?
Yeah, you're right. I'm totally overthinking this one haha. I was thinking that would prevent him from having to store his password, but he would have to store the hash, which would be the key for the encryption. So maybe just security through obscurity at best.
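
Added example (not part of the original answer or its comments, and not code from fabric): a Python sketch of the key-based approach the answer describes, assuming a POSIX system with the OpenSSH client. It refuses to use a private key that other users could read or replace, and builds an ssh command line that never falls back to a password prompt; the host, user, and file names are made-up placeholders.

```python
import os
import stat
import tempfile

def key_permission_problems(path):
    """Return reasons the private key at `path` could be read or replaced by other users."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("key path is a symlink")
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set: %o" % stat.S_IMODE(st.st_mode))
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("parent directory is group/world-writable")
    return problems

def ssh_command(host, user, key_path, remote_cmd):
    """Build an ssh argv that authenticates with the key only and never prompts."""
    problems = key_permission_problems(key_path)
    if problems:
        raise PermissionError("refusing to use %s: %s" % (key_path, "; ".join(problems)))
    return ["ssh", "-i", key_path,
            "-o", "BatchMode=yes",              # fail instead of prompting for a password
            "-o", "IdentitiesOnly=yes",         # offer only this key, not every agent key
            "-o", "PasswordAuthentication=no",  # no password fallback
            "%s@%s" % (user, host), remote_cmd]

def demo():
    """Constructed sample: a placeholder key file inside a private temp directory."""
    d = tempfile.mkdtemp()                      # mkdtemp creates the directory with mode 0700
    key = os.path.join(d, "id_demo")
    with open(key, "w") as f:
        f.write("placeholder, not a real key\n")
    os.chmod(key, 0o644)                        # readable by everyone: should be rejected
    loose = key_permission_problems(key)
    os.chmod(key, 0o600)                        # owner-only: should pass
    tight = key_permission_problems(key)
    argv = ssh_command("device1.example", "automation", key, "uptime")
    return loose, tight, argv

if __name__ == "__main__":
    print(demo())
```

The returned list can be passed to `subprocess.run(argv, check=True)`; with `BatchMode=yes` a rejected key makes ssh exit with an error rather than wait for input.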
