SSH password automation in Linux with sshpass
The sshpass utility helps administrators more easily manage SSH connections in scripts.
[Editor's Note, Nov 29, 2021: Every example that provides a password on the command line risks recording that password in the user's shell history (where supported) and exposes it to every local user through the process listing. Passwords supplied through a file or the environment stay out of the process listing, but a password file must carry restrictive permissions, and a process's environment can still be read by the same user and by root through /proc. Delete password files as soon as they are no longer needed and clear any shell history that contains a password.]
Connecting and transferring files to remote systems is something system administrators do all the time. One essential tool used by many system administrators on Linux platforms is SSH. SSH supports two forms of authentication:
- Password authentication
- Public-key Authentication
Public-key authentication is the more secure of the two, but password authentication remains the most popular and the easiest to set up. With password authentication, however, the user is prompted for the password on every connection, which quickly becomes tedious. Worse, SSH insists on reading the password from a terminal, so it also needs manual intervention when it is called from a shell script. If you must automate SSH with password authentication, a small tool called sshpass is indispensable.
What is sshpass?
The sshpass utility runs SSH in its keyboard-interactive password authentication mode, but without a human at the keyboard.
SSH reads the password directly from its controlling TTY, rather than from standard input, precisely so that the password cannot be piped in and must come from an interactive user. sshpass allocates a dedicated pseudo-TTY, runs SSH inside it, watches the output for the password prompt, and types the password into that TTY, so SSH believes the password came from an interactive user.
Install sshpass
You can install sshpass with this simple command (on RHEL and its derivatives the package is provided by the EPEL repository, so enable EPEL first if the package is not found):
# yum install sshpass
Use sshpass
Specify the command you want to run after the sshpass options. Typically the command is ssh with its arguments, but it can be any program that prompts for an SSH password, such as scp or rsync. sshpass recognizes the prompt by matching a fixed string in the program's output (by default "assword", which matches both "Password:" and "password:"); newer releases let you change that string with the -P option. If a server presents an unusual prompt that does not match, sshpass never sends the password and the command hangs.
The synopsis for the sshpass command is:
sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments
Where:
- -ppassword: The password is given on the command line. It is therefore visible in the process listing to every local user and usually recorded in shell history.
- -ffilename: The password is the first line of the file filename.
- -dnumber: number is a file descriptor inherited by sshpass from the caller. The password is read from that open file descriptor, so it never appears on the command line or in the environment.
- -e: The password is taken from the environment variable SSHPASS.
If none of these options is given, sshpass reads the password from standard input.
Examples
To better understand the value and use of sshpass, let's look at some examples with several different utilities, including SSH, rsync, scp, and GPG.
Example 1: SSH
Use sshpass to log into a remote server with SSH. Let's assume the password is !4u2tryhack. Below are several ways to supply it with the sshpass options. Because ! triggers history expansion in an interactive Bash shell, a password that contains it must be single-quoted on the command line or Bash will report "event not found".
A. Use the -p option (this is the least secure choice and should not be used, because the password is visible to every local user in the process listing and is written to shell history):
$ sshpass -p '!4u2tryhack' ssh username@host.example.com
The -p option looks like this when used in a shell script. Note that StrictHostKeyChecking=no disables host key verification entirely, so a man-in-the-middle can impersonate the server and collect the password; prefer populating known_hosts ahead of time and leaving the check enabled, or use StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later), which accepts an unknown host on first contact but still rejects a changed key:
$ sshpass -p '!4u2tryhack' ssh -o StrictHostKeyChecking=no username@host.example.com
B. Use the -f option (the password must be the first line of the file; note that the echo below still puts the password into interactive shell history):
$ echo '!4u2tryhack' >pass_file
$ chmod 0400 pass_file
$ sshpass -f pass_file ssh username@host.example.com
The chmod 0400 pass_file step is critical for securing the password file. The default umask on RHEL is 0022 (0002 for regular users with a user private group), so a newly created file is mode 0644 and world-readable until the chmod runs. To avoid even that brief window, set umask 077 in a subshell before creating the file so it is private from the moment it exists.
Here is the -f option used in a shell script; StrictHostKeyChecking=no again trades host key verification for convenience, so prefer a pre-populated known_hosts file:
$ sshpass -f pass_file ssh -o StrictHostKeyChecking=no username@host.example.com
C. Use the -e option (the password is read from the environment variable SSHPASS; assigning it on the same command line still records the password in interactive shell history):
$ SSHPASS='!4u2tryhack' sshpass -e ssh username@host.example.com
The -e option used in a shell script looks like this. In a real script, populate SSHPASS from a protected source rather than a literal, and remember that the variable is readable through /proc by the same user and by root for as long as the process runs:
$ SSHPASS='!4u2tryhack' sshpass -e ssh -o StrictHostKeyChecking=no username@host.example.com
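The following Bash script is an added example, not code from the original article, that turns the two points above into something you can run: it creates the password file under a restrictive umask so the file is never world-readable, and it checks whether a secret appears in a command's argument vector, which is exactly what ps shows to every local user. The user and host names are placeholders, and sshpass itself is not executed; only the command lines are inspected.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): stage an sshpass password
# so that it is never world-readable on disk and never visible in `ps`.
# username@host.example.com is a placeholder; sshpass is not executed here.
set -eu

# Write one line of password (read from stdin) to FILE with mode 0600.
# umask is set in a subshell so the caller's umask is left alone, and the
# file is private from the moment it is created, with no chmod race.
write_pass_file() {
    local file=$1 pw
    IFS= read -r pw
    ( umask 077; printf '%s\n' "$pw" > "$file" )
}

# Permission string of FILE as printed by ls, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Return 0 if SECRET appears anywhere in the argument vector CMD..., i.e.
# in what `ps -o args` and /proc/<pid>/cmdline expose to every local user.
argv_leaks_secret() {
    local secret=$1 arg
    shift
    for arg in "$@"; do
        case $arg in *"$secret"*) return 0 ;; esac
    done
    return 1
}

# Label a command line as leaking or private, for the demonstration below.
describe_argv() {
    local secret=$1
    shift
    if argv_leaks_secret "$secret" "$@"; then
        printf 'LEAKS   : %s\n' "$*"
    else
        printf 'private : %s\n' "$*"
    fi
}

pw='!4u2tryhack'                       # constructed sample password
pass_file=$(mktemp)
printf '%s\n' "$pw" | write_pass_file "$pass_file"
echo "password file mode: $(file_mode "$pass_file")"

describe_argv "$pw" sshpass -p "$pw" ssh username@host.example.com
describe_argv "$pw" sshpass -f "$pass_file" ssh username@host.example.com
describe_argv "$pw" sshpass -e ssh username@host.example.com
rm -f "$pass_file"
```

Only the -p form is flagged: with -f and -e the argument vector carries a file name or nothing at all, so the process listing reveals no secret, and the remaining exposure is the file's permissions or the process environment.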
Example 2: Rsync
Use sshpass with rsync:
$ SSHPASS='!4u2tryhack' rsync --rsh="sshpass -e ssh -l username" /custom/ host.example.com:/opt/custom/
The above uses the -e option, so sshpass reads the password from the SSHPASS environment variable, which rsync passes on to the ssh command named with --rsh. The -f switch works the same way:
$ rsync --rsh="sshpass -f pass_file ssh -l username" /custom/ host.example.com:/opt/custom/
Example 3: Scp
Use sshpass with scp. Unlike rsync, scp has no --rsh option, so place sshpass in front of scp exactly as you would with ssh; scp runs ssh underneath, and the password prompt is answered in the same pseudo-TTY:
$ sshpass -f pass_file scp -r /var/www/html/example.com user@host.example.com:/var/www/html
Example 4: GPG
You can also keep the password in a GPG-encrypted file. With the -f switch the password file sits on disk in plaintext; encrypting it with GPG means only the encrypted copy is stored, and the plaintext exists only in memory while the command runs. Let's see how to encrypt a file with GPG and use it.
First, create a file as follows (in an interactive shell this command lands in the history, so clear it afterwards):
$ echo '!4u2tryhack' > .sshpasswd
Next, encrypt the file with the gpg command (you will be asked for a passphrase):
$ gpg -c .sshpasswd
Remove the file that contains the plaintext. Note that rm only unlinks the file; it does not overwrite the data on disk:
$ rm .sshpasswd
Finally, decrypt on the fly and pipe the password to sshpass. With no password option given, sshpass reads the password from standard input. Two caveats: gpg itself prompts for the passphrase (unless gpg-agent has it cached), and ssh inherits the same standard input, which the pipe has already drained, so this form suits running a remote command rather than an interactive session:
$ gpg -d -q .sshpasswd.gpg | sshpass ssh user@srv1.example.com
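An alternative to piping the decrypted password into standard input is to hand it over on a separate, inherited file descriptor and let sshpass read it with -d, which leaves ssh's own stdin untouched. The script below is an added example, not part of the original article, showing that plumbing in portable shell: a producer command feeds descriptor 3 while the consumer keeps the caller's stdin. The gpg and sshpass command lines in the comments are the intended real use with placeholder names; the demonstration that actually runs uses a constructed secret and a stand-in consumer so it works offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): feed a decrypted password
# to a command over an inherited descriptor, which is what `sshpass -d`
# consumes, instead of piping it into standard input. user@srv1.example.com
# and .sshpasswd.gpg are placeholders; gpg and sshpass are not run here.
set -eu

# Run CONSUMER... with descriptor 3 connected to the output of PRODUCER
# (a shell command string). Only the descriptor number appears on the
# command line, and CONSUMER keeps the caller's original stdin, so an
# interactive session or data piped through ssh still works.
run_with_secret_fd() {
    producer=$1
    shift
    exec 4<&0                                   # keep the real stdin on fd 4
    eval "$producer" | { exec 3<&0 0<&4 4<&-; "$@"; }
    status=$?
    exec 4<&-
    return $status
}

# Demonstration consumer: read the secret from fd 3, then a payload from
# stdin, showing that both channels are available at the same time.
demo_consumer() {
    IFS= read -r secret <&3
    IFS= read -r payload
    printf 'secret=%s payload=%s' "$secret" "$payload"
}

# Real usage (not executed here): gpg decrypts on the fly, sshpass reads
# the password from fd 3, and ssh's stdin is still the terminal.
#   run_with_secret_fd 'gpg -d -q .sshpasswd.gpg' \
#       sshpass -d 3 ssh -o StrictHostKeyChecking=yes user@srv1.example.com
# Compare the pipe form, where ssh inherits a stdin the pipe has drained:
#   gpg -d -q .sshpasswd.gpg | sshpass ssh user@srv1.example.com

# Offline demonstration with a constructed secret and payload.
printf 'hello from stdin\n' | run_with_secret_fd "printf '%s\n' '!4u2tryhack'" demo_consumer
echo
```

In Bash the same effect is available more tersely with process substitution, sshpass -d 3 ssh user@srv1.example.com 3< <(gpg -d -q .sshpasswd.gpg), but the function above also works in a POSIX sh script.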
Wrap up
sshpass is a simple tool that can be of great help to sysadmins. It does not, by any means, replace the most secure form of SSH authentication, which is public-key authentication, and wherever keys can be deployed they should be. Where password authentication is unavoidable, however, sshpass earns a place in the sysadmin toolbox, provided the password is supplied through a protected file, a file descriptor, or the environment rather than on the command line.
Evans Amoany
I work as a Unix/Linux Administrator with a passion for high availability systems and clusters. I am a student of performance and optimization of systems and DevOps. I have a passion for anything IT related and most importantly automation, high availability, and security.