Password Handling

Several components allow entering passwords, for example to encrypt files or to establish SSH connections. Putting such sensitive information inside a script or a JCL, or entering it directly on the command line, can be a serious security issue. Therefore, any string assignment within a command can be redirected to a file, which is much easier to protect against prying eyes.

   password=f'pwdfile.txt'

The prefix 'f' tells CLE/P that the string must be read from the specified filename. The file itself must contain the CLE/P string value.
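As an added example that is not part of the CLE/P documentation, the following POSIX shell helpers create the file referenced by password=f'pwdfile.txt' with owner-only permissions (the password is read from stdin, so it never appears in argv, shell history or `ps` output) and verify the mode before the file is handed to CLE/P. It assumes the file holds only the password string; the function names are my own.

```shell
#!/bin/sh
# Added example, not CLE/P project code. Assumes a POSIX shell with
# umask, chmod and find available.

# write_pwdfile PATH: read the password from stdin and store it in PATH
# so that only the owner can read it (mode 0600).
write_pwdfile() {
    pwdfile=$1
    # Create (or truncate) the file under a restrictive umask, inside a
    # subshell so the umask does not leak into the caller's environment.
    ( umask 077; : > "$pwdfile" )
    # If the file already existed with a looser mode, tighten it before
    # any secret is written into it.
    chmod 600 "$pwdfile"
    # Tolerate input without a trailing newline (read returns 1 on EOF).
    IFS= read -r secret || [ -n "$secret" ]
    # Assumption: the file contains just the password string, no quotes.
    printf '%s' "$secret" > "$pwdfile"
    unset secret
}

# check_pwdfile PATH: succeed (return 0) only if PATH is a regular,
# non-empty file whose mode is exactly 0600; otherwise report why and
# return 1, so a wrapper script can refuse to run the CLE/P command.
check_pwdfile() {
    pwdfile=$1
    [ -f "$pwdfile" ] || { echo "not a regular file: $pwdfile" >&2; return 1; }
    [ -s "$pwdfile" ] || { echo "empty password file: $pwdfile" >&2; return 1; }
    # POSIX find: "-perm 600" without a prefix means an exact mode match.
    if [ -z "$(find "$pwdfile" -perm 600 -print)" ]; then
        echo "wrong permissions on $pwdfile (expected 0600)" >&2
        return 1
    fi
    return 0
}
```

A wrapper can run `check_pwdfile pwdfile.txt || exit 1` immediately before invoking the CLE/P command that contains `password=f'pwdfile.txt'`.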

With SSH you can provide the password as part of the URL:

   ssh://user:password@host:port

In this case, it may not be very useful to put the whole URL inside a file. Instead, the password can be specified through the corresponding NET object, where the password is a separate parameter. The rest of the connection information can remain in the URL:

   net.ssh(password=f'pwdfile.txt')
   file=ssh://<cuser>@server.com/myfile.txt

If you wish, you can also put all connection parameters inside the NET object, so that the URL form is not needed:

   net.ssh(user=max host=server.com password=f'pwdfile.txt')
   file=myfile.txt

If a connection parameter is specified both in the URL and in the SSH NET object, the value from the URL takes precedence. The special replacement capabilities (~) for file names, however, are only available in the URL. In the NET.SSH object only the simple string replacements (<cuser>) can be used.

Sometimes it is convenient to use a parameter file for the object, overlay or command that contains the password:

   net.ssh=sshparm.txt
   net=netparm.txt
   conv=convpar.txt

All these capabilities can be used to protect passphrases, but we recommend using public key authentication with SSH and our key management extension (FKME/FKM5) for PGP or FLAMFILEs, which protects the keys with professional cryptographic infrastructure (e.g. an HSM (hardware security module)).