2014-11-23 - openssh and command line passwords

openssh does not permit you to give password in a plain text, from the command line or simple pipe from terminal. generally this is a good idea, as it makes it difficult to make system less secure. if you were to use password-less login, using keys is the way. there is an exception to the rule. there are cases, when you cannot use keys nor you are allowed to change password and the system is just some development machine, not connected to an internal network, to which everyone in the company knows password… but no1 can remember it. if you happen to hit this type of situation you know how difficult it is to automate work.

fortunately it can be easily solved with tool called sshpass (just do apt-get install sshpass to get there).

with sshpass you can just type in the password from the command line like this:

sshpass -p dumasspassword ssh user@machine command -arg1 -arg2

and you're done. this is usually not so good idea, but this is possible. you can even put this inside the script if you dare…

however there might be another situation. even though system i restrictive when it comes to keys/passwords policies, users might still have some level of security. for instance others should not be able to see their password with simple ps -axlf. one might want to do this, when script needs to run multiple commands on remote machine, in some time span, but under a single execution.

sshpass allows to make this more secure with reading password from file descriptor:

REMOTE_USER="you"
HOST="there"
read -p "password for $REMOTE_USER@$HOST: " -s PASS
echo
 
exec 42<<< "$PASS"
sshpass -d 42 ssh -Y "$REMOTE_USER@$HOST" command1
 
exec 42<<< "$PASS"             
sshpass -d 42 ssh -Y "$REMOTE_USER@$HOST" command2

now user can type in password once and reuse it in multiple commands. i have used this approach to automate work in few development environments. users can pass their password, without others knowing it (assuming no1 is tempering with the script itself ;)). it is verbose though, as file descriptor (here: 42) needs to be refreshed each time sshpass is to be used.

fortunately there is even simpler way to go – export SSHPASS variable with a password and pass -e to sshpass:

REMOTE_USER="you"
HOST="there"
read -p "password for $REMOTE_USER@$HOST: " -s SSHPASS
export SSHPASS
echo
sshpass -e ssh -Y "$REMOTE_USER@$HOST" command1
sshpass -e ssh -Y "$REMOTE_USER@$HOST" command2

have fun scripting the universe. ;)