在 bash 脚本中为 ssh 命令提供密码，无需使用公钥和 Expect

Question

I want to use SSH inside a script, but this script is not going to be executed on my machine.

In my implementation there are two limitations.

• I can not work outside shell's standards,therefore i can not use expect because i do not know if it will be available on this machine.
• I can not expect that this machine will have public keys for the SSH .

What are the possible options-solutions ?

How can i provide ssh with the requested password with an automated and secure way without adding extra dependencies?

Will it be possible to provide the password inside the script?

Thank you all in advance :)

Answer 1

安装 sshpass，然后启动命令：

sshpass -p "yourpassword" ssh -o StrictHostKeyChecking=no yourusername@hostname

Answer 2

For security reasons you must avoid providing password on a command line otherwise anyone running ps command can see your password. Better to use sshpass utility like this:

#!/bin/bash

export SSHPASS="your-password"
sshpass -e ssh -oBatchMode=no sshUser@remoteHost

You might be interested in How to run the sftp command with a password from Bash script?

Answer 3

First of all: Don't put secrets in clear text unless you know why it is a safe thing to do (ie you have assessed what damage can be done by an attacker knowing the secret).

If you are ok with putting secrets in your script, you could ship an ssh key with it and execute in an ssh-agent shell:

#!/usr/bin/env ssh-agent /usr/bin/env bash
KEYFILE=`mktemp`
cat << EOF > ${KEYFILE}
-----BEGIN RSA PRIVATE KEY-----
[.......]
EOF
ssh-add ${KEYFILE}

# do your ssh things here...

# Remove the key file.
rm -f ${KEYFILE}

A benefit of using ssh keys is that you can easily use forced commands to limit what the keyholder can do on the server.

A more secure approach would be to let the script run ssh-keygen -f ~/.ssh/my-script-key to create a private key specific for this purpose, but then you would also need a routine for adding the public key to the server.

Answer 4

AFAIK there is no possibility beside from using keys or expect if you are using the command line version ssh . But there are library bindings for the most programming languages like C, python, php, ... . You could write a program in such a language. This way it would be possible to pass the password automatically. But note this is of course a security problem as the password will be stored in plain text in that program

Answer 5

I completely agree with everybody who says this is almost certainly a terrible idea . It is extremely likely to allow others to attack your computers.

USE AT YOUR OWN RISK AFTER EVALUATING THE SECURITY HAZARDS

Answer

Make a program /path/to/saypass which outputs the password, such as

#!/bin/sh
echo 'secret'

Make it executable with

chmod +x /path/to/saypass

Then this is the main command:

SSH_ASKPASS="/path/to/saypass" DISPLAY=anything setsid ssh username@hostname [farcommand]

This

• sets the two environment variables SSH_ASKPASS and DISPLAY
  • and then runs setsid
    • which then runs ssh without a controlling terminal
      • which connects to the far hostname
      • ... runs saypass locally to get the password
      • ... tells it to the far server
      • ... and assuming it's correct
        • which then runs farcommand (if given), or an interactive shell.

I normally test with date or hostname for the optional farcommand .

There are lots of places for this to go wrong.

Explanation

The trick to this is that standard Linux command line ssh has a couple of environment variables you can use to choose a program which gets executed to supply the password.

ssh(1) manual page says:

SSH_ASKPASS If ssh needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal. If ssh does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase.

So: you need a program (shell script or any other kind) which will output the password. Then you need to convince ssh to use it:

• With SSH_ASKPASS set to /path/to/saypass
• With DISPLAY set to something silly
• With no controlling terminal (this is what setsid does)

Which you put together in the following sh command:

SSH_ASKPASS="/path/to/saypass" DISPLAY=anything setsid ssh username@hostname [command]

ssh will execute

/path/to/saypass "username@hostname's password:"

Fingerprint check

If the fingerprint is needed, where you'd normally see the message

The authenticity of host '*hostname* (*ipaddress*)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? 

Then ssh will run your command like this:

/path/to/saypass "Please type 'yes' or 'no':"

All-in-one script

The following is a single script for creating, using, and removing a saypass within the main script. Everyone will tell you do not put plaintext passwords in files and also never hardcode a password . They tell you this for good reason: it will cause you a lot of trouble. Use at your own risk.

#!/bin/sh

echo "#!/bin/sh\necho 'secret';rm -f /tmp/saypass.$$" > /tmp/saypass.$$
chmod 775 /tmp/saypass.$$
SSH_ASKPASS="/tmp/saypass.$$" DISPLAY=anything setsid ssh "$@"

SCP

This also works for scp , the copy program on top of ssh :

SSH_ASKPASS=/path/to/saypas DISPLAY=anything setsid scp username@hostname:/path/to/farfile .

Caveat

Really don't use this except in dire, dire, circumstances, such as where you have hundreds of computers and you can't install anything like ssh keys, sshpass even expect .

If you do use it, please don't tell anyone I told you how to do it. It really is terrible.

I don't know what the man page means about "open an X11 window", no such thing happens in my testing.

Tested on

• OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014 on Ubuntu 14.04.1 LTS,
• OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016 on Ubuntu 16.04.2 LTS
• OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017 on Ubuntu 18.04.5 LTS