According to Paul Blackburn:
> I understand some sites use the "expect" command to script a dialogue
> with kas (and other commands requiring a password at the time you run them).
>
> Seems a bit risky, but you could possibly have a shell variable containing
> the password which your "expect" front-end scripts use to call the real
> kas (and her pals).
The kas command does not accept the password on stdin; this reduces the
options for administrative scripts. Instead of using commands like
    kas <whatever> -admin <admin> -adminpass <adminpass>
where a quick look in the process listing reveals the password to any
user on the same system, it's still better to use Expect to feed the
passwords via stdin. We are using such a thing mostly for perl scripts
to avoid using the password on the command line, e.g.
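    # Run the Expect wrapper and feed it the passwords on its stdin.
    $cmd = "./kase.exp setpasswd -name $username -admin $admin_id >/dev/null";
    if (open (KAS, "|$cmd")) {
        print KAS "$admpass\n";     # admin password
        print KAS "$passwdstr\n";   # new password
        print KAS "$passwdstr\n";   # new password again
        close (KAS);
    }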
The expect script would not be necessary in this situation if the kas
command had a -pipe option like klog.
Magnus Sandberg <[EMAIL PROTECTED]> wrote:
> Today I have to type commands like this;
> $ /usr/afsws/etc/kas examine <user> -admin mem.admin
If you have to do a series of kas commands manually and you don't want to
enter the password every time, then you can simply use the interactive mode
of kas, e.g.
    $ /usr/afsws/etc/kas -admin mem.admin
    [enter admin password]
    ka> examine <user>
    ka> setpass <user> <whatever>
    ...etc...
    ka> quit
> So today the users don't get any warning messages before the
> password expires. We have an idea of creating a shell script that does a "kas
> examine <loginuser>" at logintime that views a warning message.
You could periodically extract expiry information from the output of a
"kas list -long" command and place it in a central file. When the user
logs in, simply grep the file.
> The second thing is that we have some administrative scripts that need to
> look in the KAS database.
Maybe the "kas list" output is also a simple workaround in this situation?
> (Naturally, you would never leave this unattended/unlocked on a workstation
> and always log out before going home.)
Nor would anybody keep sensitive information like this in a script ;)
+gg
--
[EMAIL PROTECTED] Fax: +43/1/31336/702 [EMAIL PROTECTED]
Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
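
The process-listing exposure mentioned above, as an added example that is not part of the original message: a small audit that scans `ps` output for kas invocations carrying `-adminpass` and reports them with the value redacted. The sample listing, user names and password strings are constructed; the flag name is the one used in the message.

```shell
#!/bin/sh
# Added example: find kas invocations that expose the admin password in argv.

# Constructed sample of `ps -eo pid,user,args` output (not from a real system).
sample_ps() {
cat <<'EOF'
  PID USER     COMMAND
 4101 root     /usr/afsws/etc/kas examine jdoe -admin mem.admin -adminpass Secr3t
 4102 alice    /usr/afsws/etc/kas -admin mem.admin
 4103 root     /usr/bin/perl ./newuser.pl
 4104 root     /usr/bin/expect -f ./kase.exp setpasswd -name jdoe -admin mem.admin
 4105 bob      kas setpasswd -name jdoe -admin mem.admin -adminpass Hunter2
 4106 carol    vi notes-about-adminpass.txt
EOF
}

# Reads a process listing on stdin and prints one line per offending process:
# pid, user and command line, with the password value replaced.
find_exposed_kas() {
    awk '
    NR == 1 && $1 == "PID" { next }          # skip the ps header
    {
        n = split($3, path, "/")             # basename of the executable
        if (path[n] != "kas") next           # only direct kas invocations
        for (i = 4; i < NF; i++) {           # i < NF: the flag must have a value
            if ($i == "-adminpass") {
                $(i + 1) = "<redacted>"      # never copy the secret into the report
                print
                next
            }
        }
    }'
}

# Demo on the constructed sample; on a live host use:
#   ps -eo pid,user,args | find_exposed_kas
sample_ps | find_exposed_kas
```

The interactive session (4102) and the Expect wrapper (4104) are not reported, because neither carries the password in its argument list.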