
My login server is behind a firewall that uses port knocking to allow entry. The login-flow is

  1. Enter the port-knocking command. This requires my external IP to be entered.
  2. When prompted, enter my port-knocking password.
  3. Enter the ssh command.
  4. Enter the password.

I may get permission to use ssh keys, but I am trying to write a script that will allow me to cut down on my login times, since I have to go through this flow for each shell I want to bring up.

#!/bin/expect
spawn fwknop -A tcp/22 -a `curl http://ipecho.net/plain` -D foo.org -P tcp -p 9999
expect "Enter encryption password:"
send "pass1\r"

spawn ssh -Y bar@foo.org
expect "bar@foo.org's password:"
send "pass2\r"

Running each command works fine from the command line. But when I try to run the first spawn command

spawn fwknop -A tcp/22 -a `curl http://ipecho.net/plain` -D foo.org -P tcp -p 9999

I get the error:

fwknop: fko_set_spa_message: Error 10 - Invalid allow IP address in the SPA message data
send: spawn id exp7 not open

But copying and pasting the same command to the command line works perfectly fine.

2 Answers


I have no experience with expect, but I wonder whether it understands back-ticks. Try

#!/bin/sh                                # or specify #!/usr/bin/env bash if you believe that you need to.
expect <<- !
    spawn fwknop -A tcp/22 -a `curl http://ipecho.net/plain` -D foo.org ...
    expect "Enter encryption password:"
    send "pass1\r"

    spawn ssh -Y bar@foo.org
    expect "bar@foo.org's password:"
    send "pass2\r"
!

so you get the `curl http://ipecho.net/plain` to be processed by the shell.


@Scott is right: expect/Tcl does not do anything special with backticks; they're just plain characters. This should work though:

#!/bin/expect
# run curl inside Tcl with [exec]; expect does not expand backticks
set ip [exec curl http://ipecho.net/plain]
spawn fwknop -A tcp/22 -a $ip -D foo.org -P tcp -p 9999
glenn jackman
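Putting both answers together, here is an added example of a complete expect script for the four-step flow in the question (it is not code from the question or either answer). It uses the [exec] fix for the IP lookup, checks that fwknop actually finished before ssh is started, and reads the two passwords from environment variables instead of hardcoding them in the script. The host foo.org, user bar, port 9999 and the prompt strings are the question's; the variable names KNOCK_PASS and SSH_PASS, the 20-second timeout and the IP sanity check are assumptions.

```expect
#!/usr/bin/expect -f
# Added example: one expect script for port knock + ssh login.
# Assumed: passwords are exported as KNOCK_PASS and SSH_PASS before running it.

set timeout 20

# Resolve the external address inside Tcl; expect does not expand backticks.
# -s keeps curl's progress meter out of the captured value, string trim drops the newline.
if {[catch {exec curl -s http://ipecho.net/plain} ip]} {
    puts stderr "could not determine external IP: $ip"
    exit 1
}
set ip [string trim $ip]
if {![regexp {^\d{1,3}(\.\d{1,3}){3}$} $ip]} {
    puts stderr "unexpected IP lookup result: '$ip'"
    exit 1
}

# Keep secrets out of the script file and off the command line (visible in ps):
# take them from the environment and only ever pass them through send.
if {![info exists env(KNOCK_PASS)] || ![info exists env(SSH_PASS)]} {
    puts stderr "set KNOCK_PASS and SSH_PASS in the environment first"
    exit 1
}

# Steps 1 and 2: send the SPA packet and wait for fwknop to exit cleanly.
spawn fwknop -A tcp/22 -a $ip -D foo.org -P tcp -p 9999
expect {
    "Enter encryption password:" { send "$env(KNOCK_PASS)\r" }
    timeout { puts stderr "fwknop did not prompt for a password"; exit 1 }
}
expect eof
lassign [wait] pid spawnid oserr status
if {$status != 0} {
    puts stderr "fwknop exited with status $status"
    exit 1
}

# Steps 3 and 4: open the ssh session, answer the prompt, hand the terminal over.
spawn ssh -Y bar@foo.org
expect {
    "bar@foo.org's password:" { send "$env(SSH_PASS)\r" }
    timeout { puts stderr "ssh did not prompt for a password"; exit 1 }
}
interact
```

Waiting for eof on the fwknop process is what avoids the "spawn id exp7 not open" failure mode from the question: if fwknop exits early, the script reports the non-zero exit status instead of trying to talk to a dead process. The final interact is what keeps the ssh session attached to your terminal once the password has been sent.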