Debian Admin - Your way to Debian World

April 6, 2008

sshpass - Non-interactive ssh password authentication

by @ 11:04 am. Filed under General, Free Tools, Security


SSH’s (secure shell) most common authentication mode is called “interactive keyboard password authentication”, so called both because it is typically done via keyboard, and because openssh takes active measures to make sure that the password is, indeed, typed interactively by the keyboard. Sometimes, however, it is necessary to fool ssh into accepting an interactive password non-interactively. This is where sshpass comes in.

SECURITY NOTE: There is a reason openssh insists that passwords be typed interactively. Passwords are harder to store securely and to pass around securely between programs. If you

Install sshpass in Debian

# aptitude install sshpass

This will complete the installation.

Using sshpass

Syntax

sshpass [options] command arguments

Options

If no option is given, sshpass reads the password from the standard input. The user may give at most one alternative source for the password:

-p password - The password is given on the command line. Please note the section titled “SECURITY CONSIDERATIONS”.

-f filename - The password is the first line of the file filename.

-d number - number is a file descriptor inherited by sshpass from the runner. The password is read from the open file descriptor.

-e - The password is taken from the environment variable “SSHPASS”.

Security Considerations

First and foremost, users of sshpass should realize that ssh’s insistence on only getting the password interactively is not without reason. It is close to impossible to securely store the password, and users of sshpass should consider whether ssh’s public key authentication provides the same end-user experience, while involving less hassle and being more secure.

The -p option should be considered the least secure of all of sshpass’s options. All system users can see the password in the command line with a simple “ps” command. Sshpass makes no attempt to hide the password, as such attempts create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

In particular, people writing programs that are meant to communicate the password programmatically are encouraged to use an anonymous pipe and pass the pipe’s reading end to sshpass using the -d option.
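
The anonymous-pipe approach recommended above, as an added example that is not part of the original article or of sshpass itself. The helper names, the sample password and the stand-in child (used so the example runs without sshpass or an SSH server) are assumptions; the account "test" and host "host.example.com" are taken from the rsync example on this page.

```python
import os
import subprocess
import sys


def sshpass_argv(fd, user, host):
    """argv for a real run; the password never appears in it (unlike -p)."""
    return ["sshpass", "-d", str(fd), "ssh", f"{user}@{host}"]


def standin_argv(fd):
    """Stand-in child for offline runs: echoes the first line read from fd."""
    code = "import os,sys; sys.stdout.write(os.fdopen(int(sys.argv[1])).readline())"
    return [sys.executable, "-c", code, str(fd)]


def run_with_password_fd(password, build_argv):
    """Hand `password` to a child over an anonymous pipe and run it."""
    read_fd, write_fd = os.pipe()          # lives in kernel memory, not on disk
    try:
        # Write the secret, then close the write end so the reader sees EOF.
        with os.fdopen(write_fd, "w") as w:
            w.write(password + "\n")
        argv = build_argv(read_fd)
        # pass_fds keeps read_fd open in the child under the same number;
        # every other descriptor above 2 is closed in the child.
        result = subprocess.run(argv, pass_fds=(read_fd,),
                                capture_output=True, text=True)
    finally:
        os.close(read_fd)                  # parent drops its copy of the read end
    return argv, result


def demo():
    password = "constructed-example-pw"    # constructed sample value
    argv, result = run_with_password_fd(password, standin_argv)
    leaked = any(password in arg for arg in argv)  # what "ps" would expose
    return leaked, result.stdout.strip()


if __name__ == "__main__":
    print(demo())
    # Real use (needs sshpass and a reachable host):
    # run_with_password_fd(pw, lambda fd: sshpass_argv(fd, "test", "host.example.com"))
```

The command line contains only the descriptor number, so a process listing shows "sshpass -d N ssh ..." and nothing else; the password still has to reach the calling program from somewhere that is stored safely.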

sshpass Examples

1) Run rsync over SSH using password authentication, passing the password on the command line:

rsync --rsh='sshpass -p 12345 ssh -l test' host.example.com:path

2) Log in to a host over SSH, passing the password on the command line:

sshpass -p [yourpassword] ssh [yourusername]@[host]


5 Responses to “sshpass - Non-interactive ssh password authentication”

  1. James Harr Says:

    It should be noted that the use of a public/private key pair can achieve the same goal, but in a much more secure fashion.

    http://linuxproblem.org/art_9.html

    When you log in via ssh, the password is sent in plain-text through the encryption tunnel. This means that people watching the connection cannot see your password, however, if the server you are logging into is compromised, the server can see your password. This can be done simply by installing a rogue pam module. See pam_storepw here for more details: http://www.kernel.org/pub/linux/libs/pam/modules.html

    For those seeking secure password solutions (without copying public keys around everywhere), you should probably read up on the Kerberos protocol a little bit. And note that most ssh + kerberos howtos implement the idea incorrectly if it does not involve the terms GSSAPI somewhere.

    But yes, sshpass is a very nice tool for use in certain situations. I have used it in many. But, I thought I’d add the standard “insecure method” disclaimer.

  2. Will Says:

    I completely agree with Mr. Harr. It would be much better (and simpler) to set up public key authentication:

    1. Generate key with ssh-keygen
    2. Put the generated public key ( ~/.ssh/id_rsa.pub ) to the authorized_keys file in the target host ( ~/.ssh/authorized_keys )

    That’s it ! Simple, effective, and more secure.

  3. Tad Marko Says:

    Also, note that you can accomplish a more secure version of this using SSH key pairs as James Harr said in conjunction with keychain.

  4. Noisome Says:

    To Will, Harr, Marko:

    Those who want sshpass do not want to set up the public key. Most people know of that “solution” but in most instances where once is all that is needed or in testing environments where it is impractical to set up public keys is where this shines. Imagine 64 machines doing a public-key on……every day. So please, note once of what is secure, but don’t disown that idea that this is a good solution for where it is needed.

    Noisome

  5. Karl O. Pinc Says:

    Hi,

    I’m having trouble imagining when sshpass is a good idea. If you’re “doing 64 machines doing a public-key on….every day” then there’s clearly an automated process involved. The public/private keypair can run without user interaction and can be added to the automation.

    When there is no particular advantage to public/private keys vs. sshpass then public/private keys should be used, because you may as well use the solution that works in the most cases so as to minimize the number of different technologies you’re working with. In fact, “worse is better”, even if sshpass has a slight advantage you’re going to be better off using public/private keys. Under what circumstances does sshpass have a significant advantage? No doubt there are some, but I can’t think of any. Can you elaborate?

DebianAdmin is not related to the Debian Project.
This site is copyright © 2006,2007 Debian Admin