How to make ssh receive the password from stdin

9

38

How can you make SSH read the password from stdin, which it doesn't do by default?

Shanteshantee answered 27/8, 2009 at 11:7 Comment(1)
Related: pass password to su/sudo/ssh - Nanon
10

You can't with most SSH clients. You can work around it by using SSH APIs, like Paramiko for Python. Be careful not to overrule all security policies.

Trilly answered 27/8, 2009 at 11:14 Comment(2)
Any idea why it doesn't work? Intuitively it should. - Assumpsit
It shouldn't work, because that would inspire junior sysadmins to write scripts with the SSH password entangled within the logic in the script. In an environment for network and system administration, there needs to be a clear separation between security-sensitive information on the one hand and getting things done on the other. Password authentication is just not safe enough. Since ssh is widely used in sysadmin contexts, trying to keep users away from password-only security is a good idea. - Trilly
28

Based on this post, you can do:

Create a command which opens an ssh session using SSH_ASKPASS (look up SSH_ASKPASS in man ssh)

$ cat > ssh_session <<EOF
export SSH_ASKPASS="/path/to/script_returning_pass"
setsid ssh "your_user"@"your_host"
EOF

NOTE: To keep ssh from trying to ask on the tty, we use setsid

Create a script which returns your password (note echo "echo)

$ echo "echo your_ssh_password" > /path/to/script_returning_pass

Make them executable

$ chmod +x ssh_session
$ chmod +x /path/to/script_returning_pass

Try it

$ ./ssh_session

Keep in mind that ssh stands for secure shell, and if you store your user, host and password in plain text files you are misleading the tool and creating a possible security gap

Skirting answered 26/2, 2013 at 13:35 Comment(5)
Another requirement is that DISPLAY must be set. If you are running X, you won't notice. If you aren't, you will. To make the ssh_script above more portable, add this: export DISPLAY; DISPLAY=dummy - Sexuality
Furthermore (or if you don't have setsid) - in addition to setting DISPLAY and SSH_ASKPASS, you may also need to direct STDIN from /dev/null to convince ssh-add that it's not on a terminal: ssh-add /path/to/key < /dev/null - Tombola
I used this idea for getting the passphrase from pass, to give to ssh-add in a generic way, generating the askpass script as needed. milosophical.me/blog/2018/ssh-pass.html - Tombola
Can someone update the solution to take in the suggestions from the comments? - Southworth
On MacOS Ventura, you can also set SSH_ASKPASS_REQUIRE to force $SSH_ASKPASS to always be called, regardless of whether DISPLAY is set. - Marquita
17

You can use sshpass, which is for example in the official Debian repositories. Example:

$ apt-get install sshpass
$ sshpass -p 'password' ssh username@server
Brobdingnagian answered 10/7, 2014 at 14:16 Comment(4)
Sadly this is the only solution I use, which isn't great for ssh jumphosts. The alternative is expect, which I'm guessing is more trouble than it's worth. - Assumpsit
Homebrew (macOS) has banned it :( "We won't add sshpass because it makes it too easy for novice SSH users to ruin SSH's security." - Tombola
@Tombola aren't you glad that the Homebrew maintainers are bolstering worldwide security by saving us from ourselves? 😜 - Faludi
Ha ha, yes! 😄 I ended up writing my own hack: milosophical.me/blog/2018/ssh-pass.html. YMMV - Tombola
6

Distilling this answer leaves a simple and generic script:

#!/bin/bash
[[ $1 =~ password: ]] && cat || SSH_ASKPASS="$0" DISPLAY=nothing:0 exec setsid "$@"

Save it as pass, do a chmod +x pass and then use it like this:

$ echo mypass | pass ssh user@host ...

If its first argument contains password: then it passes its input to its output (cat); otherwise it launches whatever was presented after setting itself as the SSH_ASKPASS program.

When ssh encounters both SSH_ASKPASS AND DISPLAY set, it will launch the program referred to by SSH_ASKPASS, passing it the prompt user@host's password:

Hamiltonian answered 22/3, 2017 at 16:35 Comment(1)
You may need to also pass -oStrictHostKeyChecking=no to the ssh command, if you haven't SSH'd into this host before; otherwise it'll prompt the user for whether they trust the unknown host key. Obviously, only do this if you're sure that you trust the unknown host key. - Elli
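
The SSH_ASKPASS approach from the two answers above, with the comment suggestions folded in (DISPLAY fallback, SSH_ASKPASS_REQUIRE, stdin from /dev/null) and the password kept out of argv and out of any readable script. This is an added example, not code from any poster; with_stdin_pass is a hypothetical helper name, user@host is a placeholder, and the wrapper is meant for non-interactive remote commands.

```bash
#!/bin/sh
# Added example, not code from any answer on this page. The function name
# with_stdin_pass and user@host in the usage line are placeholders.
# Usage: printf '%s\n' "$secret" | with_stdin_pass ssh user@host uptime

with_stdin_pass() (
    # Subshell body: variables, umask and the trap stay local to the call.
    IFS= read -r secret || [ -n "$secret" ] || {
        echo "with_stdin_pass: no password on stdin" >&2
        exit 2
    }

    # mktemp -d creates the directory with mode 0700; remove it on exit.
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    umask 077

    # The secret sits in its own 0600 file: not in the helper's source,
    # not in argv and not in the environment.
    printf '%s\n' "$secret" > "$dir/secret"
    unset secret

    # Askpass helper: ssh runs it with the prompt as $1 and reads the
    # answer from its stdout. It finds the secret next to itself.
    printf '%s\n' '#!/bin/sh' 'exec cat "${0%/*}/secret"' > "$dir/askpass"
    chmod 700 "$dir/askpass"

    export SSH_ASKPASS="$dir/askpass"
    export SSH_ASKPASS_REQUIRE=force        # honoured by newer OpenSSH
    export DISPLAY="${DISPLAY:-dummy:0}"    # older clients require DISPLAY

    # Older clients must also lose the controlling tty, hence setsid where
    # it exists. stdin is /dev/null so nothing tries to prompt there.
    rc=0
    if command -v setsid >/dev/null 2>&1; then
        setsid "$@" </dev/null || rc=$?
    else
        "$@" </dev/null || rc=$?
    fi
    exit "$rc"
)
```
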
5

An old post reviving...

I found this one while looking for a solution to the exact same problem, I found something and I hope someone will one day find it useful:

  1. Install ssh-askpass program (apt-get, yum ...)
  2. Set the SSH_ASKPASS variable (export SSH_ASKPASS=/usr/bin/ssh-askpass)
  3. From a terminal open a new ssh connection without an undefined TERMINAL variable (setsid ssh user@host)

This looks simple enough to be secure, but I did not check yet (just using it in a local secure context).

Here we are.

Whirlwind answered 26/7, 2011 at 19:41 Comment(0)
4

FreeBSD mailing list recommends the expect library.

If you need a programmatic ssh login, you really ought to be using public key logins, however -- obviously there are a lot fewer security holes this way as compared to using an external library to pass a password through stdin.

Broca answered 27/8, 2009 at 11:12 Comment(0)
4

A better sshpass alternative is: https://github.com/clarkwang/passh

I got problems with sshpass: if the ssh server is not added to my known_hosts, sshpass will not show me any message. passh does not have this problem.

Trueblood answered 11/1, 2020 at 18:0 Comment(0)
2

I'm not sure the reason you need this functionality but it seems you can get this behavior with ssh-keygen.

It allows you to login to a server without using a password by having a private RSA key on your computer and a public RSA key on the server.

http://www.linuxproblem.org/art_9.html

Bartolomeo answered 12/7, 2014 at 2:47 Comment(0)
0

Automatically load ssh keys: add to .bashrc and configure the environment variables.

export SSH_DIR="${HOME}/.ssh"
command mkdir -p "${SSH_DIR}"
eval "$(ssh-agent -s)" >/dev/null 2>&1
export SSH_AUTH_SOCK="${SSH_AUTH_SOCK}"
export SSH_AGENT_LIFE=14400 # 4 hours
export SSHADD_OPTS=""
export PASS_SSH_ENTRY_PREFIX="_ssh"
if command -v pass &>/dev/null \
&& command -v gpg &>/dev/null \
; then
  for _public_key in "${SSH_DIR}"/*.pub ; do
    _private_key="${_public_key%.pub}"
    _entry="$(basename "${_private_key}")"
    if command pass ls "${PASS_SSH_ENTRY_PREFIX}/${_entry}" &>/dev/null ; then
      if ! command ssh-add -l | command grep -qF -- "$(command ssh-keygen -lf "${_public_key}")" &>/dev/null ; then
        _ask="${SSH_DIR}/ssh-askpass.sh"
        (\
          echo '#!/usr/bin/env -S bash -euo pipefail' ; \
          echo ; \
          echo "command pass '${PASS_SSH_ENTRY_PREFIX}/${_entry}/password' | command head -n 1" \
        ) > "${_ask}"
        command chmod u+x "${_ask}"
        DISPLAY="${DISPLAY:-dummy}" \
        SSH_ASKPASS_REQUIRE=force \
        SSH_ASKPASS="${_ask}" \
        command ssh-add -t "${SSH_AGENT_LIFE}" ${SSHADD_OPTS:-} "${_private_key}"
      fi
    fi
  done
  command rm -f "${_ask}"
  unset _public_key _private_key _entry _ask
  #echo ; ssh-add -l
fi

My pass ssh entries: $ pass _ssh/

_ssh
└── id_termux
    ├── cipher
    ├── note
    ├── password
    ├── privateKey.priv
    └── publicKey.pub
...
Pavla answered 9/2 at 22:18 Comment(1)
Thank you for your interest in contributing to the Stack Overflow community. This question already has quite a few answers—including one that has been extensively validated by the community. Are you certain your approach hasn’t been given previously? If so, it would be useful to explain how your approach is different, under what circumstances your approach might be preferred, and/or why you think the previous answers aren’t sufficient. Can you kindly edit your answer to offer an explanation? - Zooplankton
