I want to use SSH
inside a script, but this script is not going to be executed on my machine.
In my implementation there are two limitations.
expect
because i do not know if it will be available on this machine.public keys
for the SSH
.What are the possible options-solutions ?
How can i provide ssh with the requested password with an automated and secure way without adding extra dependencies?
Will it be possible to provide the password inside the script?
Thank you all in advance :)
安装 sshpass,然后启动命令:
sshpass -p "yourpassword" ssh -o StrictHostKeyChecking=no yourusername@hostname
For security reasons you must avoid providing password on a command line otherwise anyone running ps command can see your password. Better to use sshpass utility like this:
#!/bin/bash
export SSHPASS="your-password"
sshpass -e ssh -oBatchMode=no sshUser@remoteHost
You might be interested in How to run the sftp command with a password from Bash script?
First of all: Don't put secrets in clear text unless you know why it is a safe thing to do (ie you have assessed what damage can be done by an attacker knowing the secret).
If you are ok with putting secrets in your script, you could ship an ssh key with it and execute in an ssh-agent
shell:
#!/usr/bin/env ssh-agent /usr/bin/env bash
KEYFILE=`mktemp`
cat << EOF > ${KEYFILE}
-----BEGIN RSA PRIVATE KEY-----
[.......]
EOF
ssh-add ${KEYFILE}
# do your ssh things here...
# Remove the key file.
rm -f ${KEYFILE}
A benefit of using ssh keys is that you can easily use forced commands to limit what the keyholder can do on the server.
A more secure approach would be to let the script run ssh-keygen -f ~/.ssh/my-script-key
to create a private key specific for this purpose, but then you would also need a routine for adding the public key to the server.
AFAIK there is no possibility beside from using keys or expect if you are using the command line version ssh
. But there are library bindings for the most programming languages like C, python, php, ... . You could write a program in such a language. This way it would be possible to pass the password automatically. But note this is of course a security problem as the password will be stored in plain text in that program
I completely agree with everybody who says this is almost certainly a terrible idea . It is extremely likely to allow others to attack your computers.
USE AT YOUR OWN RISK AFTER EVALUATING THE SECURITY HAZARDS
Make a program /path/to/saypass
which outputs the password, such as
#!/bin/sh
echo 'secret'
Make it executable with
chmod +x /path/to/saypass
Then this is the main command:
SSH_ASKPASS="/path/to/saypass" DISPLAY=anything setsid ssh username@hostname [farcommand]
This
SSH_ASKPASS
and DISPLAY
setsid
ssh
without a controlling terminal
hostname
saypass
locally to get the password farcommand
(if given), or an interactive shell. I normally test with date
or hostname
for the optional farcommand
.
There are lots of places for this to go wrong.
The trick to this is that standard Linux command line ssh
has a couple of environment variables you can use to choose a program which gets executed to supply the password.
ssh(1)
manual page says:
SSH_ASKPASS
Ifssh
needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal. Ifssh
does not have a terminal associated with it butDISPLAY
andSSH_ASKPASS
are set, it will execute the program specified bySSH_ASKPASS
and open an X11 window to read the passphrase.
So: you need a program (shell script or any other kind) which will output the password. Then you need to convince ssh
to use it:
SSH_ASKPASS
set to /path/to/saypass
DISPLAY
set to something sillysetsid
does) Which you put together in the following sh
command:
SSH_ASKPASS="/path/to/saypass" DISPLAY=anything setsid ssh username@hostname [command]
ssh
will execute
/path/to/saypass "username@hostname's password:"
If the fingerprint is needed, where you'd normally see the message
The authenticity of host '*hostname* (*ipaddress*)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)?
Then ssh
will run your command like this:
/path/to/saypass "Please type 'yes' or 'no':"
The following is a single script for creating, using, and removing a saypass
within the main script. Everyone will tell you do not put plaintext passwords in files and also never hardcode a password . They tell you this for good reason: it will cause you a lot of trouble. Use at your own risk.
#!/bin/sh
echo "#!/bin/sh\necho 'secret';rm -f /tmp/saypass.$$" > /tmp/saypass.$$
chmod 775 /tmp/saypass.$$
SSH_ASKPASS="/tmp/saypass.$$" DISPLAY=anything setsid ssh "$@"
This also works for scp
, the copy program on top of ssh
:
SSH_ASKPASS=/path/to/saypas DISPLAY=anything setsid scp username@hostname:/path/to/farfile .
Really don't use this except in dire, dire, circumstances, such as where you have hundreds of computers and you can't install anything like ssh keys, sshpass
even expect
.
If you do use it, please don't tell anyone I told you how to do it. It really is terrible.
I don't know what the man page means about "open an X11 window", no such thing happens in my testing.
Tested on
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.