====== 2014-11-23 - openssh and command line passwords ======

{{ :blog:2014:11:23:openssh_logo.png|OpenSSH logo}}

[[wp>openssh]] does not let you supply a password in plain text, either on the command line or through a simple pipe from the terminal. generally this is a good idea, as it makes it harder to make the system less secure. if you want password-less login, keys are the way to go.

there is an exception to the rule. there are cases when you can neither use keys nor change the password, and the system is just some development machine, not connected to an internal network, whose password everyone in the company knows... but no1 can remember it. if you happen to hit this type of situation, you know how difficult it is to automate work. fortunately it can be easily solved with a tool called //sshpass// (just do //apt-get install sshpass// to get it).

===== just like that... =====

with //sshpass// you can just type in the password on the command line like this:

  sshpass -p dumasspassword ssh user@machine command -arg1 -arg2

and you're done. this is usually not such a good idea, but it is possible. you can even put this inside a script if you dare...

===== more secure version =====

however there might be another situation. even though the system is restrictive when it comes to key/password policies, users might still want some level of security. for instance others should not be able to see their password with a simple //ps -axlf//. one might want this when a script needs to run multiple commands on a remote machine, over some time span, but within a single execution. //sshpass// makes this more secure by reading the password from a file descriptor:

  REMOTE_USER="you"
  HOST="there"
  # prompt once, without echo; -r keeps backslashes in the password intact
  read -r -s -p "password for $REMOTE_USER@$HOST: " PASS
  echo
  # fd 42 is consumed by each sshpass run, so reopen it before every call
  exec 42<<< "$PASS"
  sshpass -d 42 ssh -Y "$REMOTE_USER@$HOST" command1
  exec 42<<< "$PASS"
  sshpass -d 42 ssh -Y "$REMOTE_USER@$HOST" command2

now the user can type in the password once and reuse it in multiple commands.
i have used this approach to automate work in a few development environments. users can pass their password without others knowing it (assuming no1 is tampering with the script itself ;)). it is verbose though, as the file descriptor (here: 42) needs to be refreshed each time sshpass is used. fortunately there is an even simpler way to go -- export the //SSHPASS// variable with the password and pass //-e// to //sshpass//:

  REMOTE_USER="you"
  HOST="there"
  # read straight into SSHPASS; -r keeps backslashes in the password intact
  read -r -s -p "password for $REMOTE_USER@$HOST: " SSHPASS
  # exported: every child process of this script inherits the password
  export SSHPASS
  echo
  sshpass -e ssh -Y "$REMOTE_USER@$HOST" command1
  sshpass -e ssh -Y "$REMOTE_USER@$HOST" command2

have fun scripting the universe. ;)
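
the three ways of handing the password to //sshpass// covered in this post (//-p//, //-d// and //-e//) leave it in different places. the script below is an added example, not part of the original post: it runs a stand-in process instead of sshpass (no network; linux /proc is assumed; the password and the names exposure, fd_delivers and standin are constructed for illustration) and reports where the secret becomes readable in each mode.

```shell
#!/bin/sh
# added example (linux only: relies on /proc). SECRET is a constructed value.
SECRET='constructed-Pa55word'

# stand-in for sshpass (hypothetical; nothing is sent over the network):
# prints its own argv on line 1, then its environment, as read from
# /proc/<pid>/cmdline and /proc/<pid>/environ.
AUDIT='tr "\000" " " </proc/$$/cmdline; echo; tr "\000" "\n" </proc/$$/environ'

# exposure p|e|d -> prints where the secret is readable: argv, environ or none
exposure() {
    case "$1" in
        p) seen=$(sh -c "$AUDIT" standin -p "$SECRET") ;;          # like sshpass -p
        e) seen=$(SSHPASS="$SECRET" sh -c "$AUDIT" standin -e) ;;  # like sshpass -e
        d) seen=$(sh -c "$AUDIT" standin -d 3 3<<EOF
$SECRET
EOF
           ) ;;                                                    # like sshpass -d 3
        *) echo "usage: exposure p|e|d" >&2; return 2 ;;
    esac
    argv=$(printf '%s\n' "$seen" | sed -n '1p')   # first line: command line
    envp=$(printf '%s\n' "$seen" | sed '1d')      # remaining lines: environment
    case "$argv" in *"$SECRET"*) echo argv; return ;; esac
    case "$envp" in *"$SECRET"*) echo environ; return ;; esac
    echo none
}

# fd_delivers -> succeeds if a reader of fd 3 receives exactly the secret
fd_delivers() {
    got=$(sh -c 'read -r pw <&3; printf %s "$pw"' standin 3<<EOF
$SECRET
EOF
    )
    [ "$got" = "$SECRET" ]
}

for mode in p e d; do
    printf 'sshpass -%s style: secret readable in: %s\n' "$mode" "$(exposure "$mode")"
done
```

on linux the command line of a process is readable by every local user by default, while its environment is readable only by the same user and root; the file descriptor variant shows up in neither.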