SSH login with clear text password as a parameter?

  • I need to log in to a user that I've created on a remote host running Ubuntu. I can't use an ssh key because the ssh login will happen from a bash script run within a server that I won't have access to (think continuous integration server like Bamboo).

    I understand this isn't an ideal practice, but I want to either set the remote host to not ask for the password or be able to log in with something like `ssh --password foobar [email protected]`, kind of like MySQL allows you to do for logins.

    I'm not finding this in `man ssh` and I'm open to any alternatives to getting around this issue.

    The secure way is to generate an SSH key with `ssh-keygen -t rsa -b 2048` and use this key to log into the remote server. As an alternative, you can install "sshpass" and then ssh to your machine with the following command: `sshpass -p 'password' ssh [email protected]`

    The question this is redirected to is not the same as this one. This one is asking for a way to initiate an interactive session.

  • On Ubuntu, install the sshpass package, then use it like this:

    sshpass -p 'YourPassword' ssh [email protected]
    

    sshpass also supports passing the keyboard-interactive password from a file or an environment variable, which might be a more appropriate option in any situation where security is relevant. See man sshpass for the details.

    Although it is not recommended and not a good practice, this is exactly the answer to the question. Consider using keys as stated above. But if there's a major tech issue, this is the solution asked for.

    I only upvote the answer. Not "rational why don't you do it this way instead" answers. Just the answer. Hence, I upvoted you :)

    Also note that other users on your machine will probably be able to see your password by running `w`.

    @WChargin For a more detailed explanation of how to "secure" the password from process listings by other users, have a look at this similar question.

    I don't completely hate sshpass, in fact I'm using it on a temporary basis. However using '-p' is unnecessary and undesirable. Set the variable SSHPASS first and then do sshpass -e ssh .

    How about CentOS - which doesn't have sshpass?

    @Brad If you have root on the box, you can install `sshpass` using `yum --enablerepo=epel install sshpass`.

    How do I install `sshpass` in Ubuntu 14.04? By default the package is not found by `apt-get`, so how do I do it?

    @VickyDev The `sshpass` package is part of the `universe` repository. Once enabled, you can install it normally using `apt`.

    Doesn't work if there are special characters in the passwd, such as "/", "\", "?" and so on.

    @ShichengGuo try using the `-f filename` switch, which allows you to store the password in a file. See man sshpass for details.
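
The `-f` form mentioned in this answer and its comments, as an added example that is not part of the original thread: the password file is created with a restrictive umask and checked before `sshpass` is started, so the password is never placed on the command line. The helper names `write_pw_file`, `pw_file_ok` and `ssh_with_pwfile` are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Ubuntu.

```sh
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical;
# stat -c is the GNU coreutils form (Ubuntu).

# Store a password read from stdin. The subshell keeps umask and the
# variable local; read -r and printf '%s' keep characters such as
# / \ ? ' " byte-for-byte, with no shell quoting involved.
write_pw_file() {   # usage: write_pw_file FILE   (password on stdin)
    ( umask 077; IFS= read -r pw && printf '%s\n' "$pw" > "$1" )
}

# Succeed only if $1 is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits set.
pw_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run ssh through sshpass -f (password = first line of the file).
# Refuses to start if the file check fails; returns 2 in that case.
ssh_with_pwfile() {   # usage: ssh_with_pwfile FILE ssh-args...
    pwfile=$1; shift
    if ! pw_file_ok "$pwfile"; then
        echo "refusing: $pwfile must be your own regular file, mode 0600 or stricter" >&2
        return 2
    fi
    sshpass -f "$pwfile" ssh "$@"
}
```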

  • If your alternative is to put a password into a script or ssh command line or plain text file, then you're MUCH better off using an ssh key instead. Either way, anyone who has access to the account where the ssh client script is stored would be able to use that to get into the server, but at least in the case of an ssh key, OpenSSH supports it properly, you don't grant access by other means than ssh, it's more easily revoked if necessary, etc...

    You will have to explain why you have a requirement to not use an ssh key.

    Consider also using a forced command (command="..." in the .ssh/authorized_keys file) so that the client only has access to run the command they need on the server rather than a full shell.

    The remote host is actually a VM used by other engineers with no resources worth risking other than copies of test automation code. For the sake of the discussion, let say the only access I have is to add the script file, not add ssh keys in `~/.ssh/`.

    Also worth noting, the user to be logged in is a dummy user too.

    That's highly contrived. A somewhat less contrived scenario would be that a misguided administrator of the server disabled ssh key logins (`PubkeyAuthentication no` in `/etc/ssh/sshd_config`). In either case, the better solution is to fix the underlying problem that prevents you from doing ssh key logins. Failing that, consult the question pointed to by Gilles.

    @MichaelM you don't have to add ssh keys in `~/.ssh/`. Add the key wherever you want and use `ssh -i /path/to/id_rsa`

    Logging in to a server with a keypair is **much easier** to script than a password. If it is the first time you're setting up keys for use with SSH, you might want to look for a good howto.

    @MichaelM if the only access you have is to add the script file, then you can hardcode the key in the script file: `echo -----BEGIN RSA PRIVATE KEY----- > ${IDENTITY_FILE} ; echo MIIEoQIBAAKCAQEAv1tQry1qWlLn1Kp3uX2/4bT0z9Cbre/zj1fnchVinPqBHrd1 >> ${IDENTITY_FILE} ...`

    Sorry to revive this old thread, but I have a real application here, I am trying to ssh into a machine with a read only file-system (read only as it is rom) and no ramdisks. It does not have any public keys on it so am stuck...

    @Vality if it is truly read-only, how did you set your password on this system in the first place? Or was the root password factory-installed and unchangeable? Sounds pretty scary. Usually these types of systems have a small read-write storage area to store configuration, etc... In any case, if that's what you have to work with, maybe you could use a long-lived session with a master socket (look up command line option `-M`) which you set up once manually and then your script is a slave connection piggybacked on that session.

    @Celada as you say, the device has a preset root password and this cannot be changed (without perhaps physically modifying the device). (Unfortunately the password is not at all strong either, which concerns me also.) However that looks like a really interesting idea, I had not seen that option before, I shall have a read of the man pages for it. Thanks, that is really handy.

    ssh-copy-id makes this effortless. Just run `ssh-copy-id [email protected]`

    Stack Exchange answers should answer the question, not argue the question is correct. I have a valid scenario for this. I need to set up my `~/.ssh/authorized_keys` on 95 different boxes. I wrote a script to push my authorized_keys file automatically, but it still prompts for the password. Having the script prompt for the password once in the beginning would be nicer.

    > You will have to explain why you have a requirement to not use an ssh key.

    Sorry, I have to downvote this. If you know the answer to the question, just give the answer.

    I agree with flarn2006. You cannot say "this question is dumb so here's an answer to a different question because I think it's a better question and I know the answer to it".
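
The forced command suggested in this answer (`command="..."` in `.ssh/authorized_keys`), as an added example that is not part of the original thread: a gate script that sshd runs for the CI key and that allows only exact, pre-agreed requests. The install path `/usr/local/bin/ci-gate`, the request names and the `/opt/ci/` programs are hypothetical, and the key material in the comment is a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread. Install as the forced command for
# the CI key in ~/.ssh/authorized_keys on the server (placeholder key):
#
#   restrict,command="/usr/local/bin/ci-gate" ssh-ed25519 AAAA...PLACEHOLDER ci-job
#
# "restrict" turns off forwarding and PTY allocation (OpenSSH 7.2 and
# later). sshd always runs the forced command and passes what the client
# asked for in SSH_ORIGINAL_COMMAND. Paths and request names are hypothetical.

# Map an exact request string to the program to run; deny anything else,
# including requests with extra text appended and plain interactive logins.
ci_gate() {
    case "${SSH_ORIGINAL_COMMAND:-}" in
        run-tests)   printf '%s\n' /opt/ci/run-tests.sh ;;
        show-status) printf '%s\n' /opt/ci/show-status.sh ;;
        *)
            echo "denied: '${SSH_ORIGINAL_COMMAND:-<interactive login>}'" >&2
            return 1 ;;
    esac
}

# Act only when installed under the name used in authorized_keys.
case "$0" in
    */ci-gate)
        target=$(ci_gate) || exit 1
        exec "$target" ;;
esac
```

With this in place, a leaked private key lets its holder trigger the two listed programs and nothing else, and removing the one `authorized_keys` line revokes it.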

  • First off, like the other respondents, I recommend just using ssh keys. But I will assume that the person controlling the server is simply not going to allow you to use ssh key authentication and you must use password authentication.

    You can use ControlMaster and ControlPath.

    Let A be the server that you won't have access to (think continuous integration server like Bamboo) and C be the remote host running Ubuntu.

    Now let B be some computer that you control. If you cannot provide a suitable B computer, this answer will not work.

    1. Create a key pair and add the public part to B's authorized_keys file. Give A the private key. Now you can log into B from A without a password.
    2. On B, manually run `ssh -M -S /tmp/controlpath C` and enter your password at the prompt. After that you should be able to log into C from A without a password: `ssh -S /tmp/controlpath C`.

    In the script on A you can write `ssh B ssh C dostuff`.

    Every time you reboot B, you will have to reestablish the connection: `ssh -M -S /tmp/controlpath C`.
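
A wrapper for B that covers the reboot case described above, as an added example that is not part of the original answer: it checks that the master connection behind the control socket is still alive before using it, and otherwise fails with a distinct status instead of waiting on a password prompt. The names `master_alive`, `run_on_c` and the install name `run-on-c` are hypothetical; the socket path and host default to the answer's `/tmp/controlpath` and `C`.

```sh
#!/bin/sh
# Added example, not from the answer. Runs on B. Function names and the
# install name run-on-c are hypothetical; CTL and HOST_C default to the
# answer's /tmp/controlpath and C.
CTL=${CTL:-/tmp/controlpath}
HOST_C=${HOST_C:-C}

# "ssh -O check" asks the master process behind the socket whether it
# is still running; exit status 0 means it is.
master_alive() {
    ssh -S "$CTL" -O check "$HOST_C" >/dev/null 2>&1
}

# Run a command on C through the existing master. If the master is gone
# (B rebooted, session dropped), return 75 (EX_TEMPFAIL) rather than
# letting ssh open a new connection that would ask for the password.
run_on_c() {
    if ! master_alive; then
        echo "no master at $CTL; re-run: ssh -M -S $CTL $HOST_C" >&2
        return 75
    fi
    # BatchMode=yes: never prompt, so an unattended job cannot hang.
    ssh -S "$CTL" -o BatchMode=yes "$HOST_C" "$@"
}

# When installed on B as run-on-c, the script on A calls:
#   ssh B run-on-c dostuff
case "$0" in
    */run-on-c) run_on_c "$@" ;;
esac
```

Anyone who can open the control socket can start sessions on C without the password, so a socket path inside a directory only its owner can enter (for example under `~/.ssh/`) is the safer choice on a shared B.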

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM