29

How can you make SSH read the password from stdin, which it doesn't do by default?

olamundo
  • 21,047
  • 32
  • 99
  • 142

8 Answers8

24

based on this post you can do:

Create a command which open a ssh session using SSH_ASKPASS (seek SSH_ASKPASS on man ssh)

$ cat > ssh_session <<EOF
export SSH_ASKPASS="/path/to/script_returning_pass"
setsid ssh "your_user"@"your_host"
EOF

NOTE: To avoid ssh to try to ask on tty we use setsid

Create a script which returns your password (note echo "echo)

$ echo "echo your_ssh_password" > /path/to/script_returning_pass

Make them executable

$ chmod +x ssh_session
$ chmod +x /path/to/script_returning_pass

try it

$ ./ssh_session

Keep in mind that ssh stands for secure shell, and if you store your user, host and password in plain text files you are misleading the tool an creating a possible security gap

albfan
  • 10,988
  • 2
  • 49
  • 74
  • 2
    Another requirement is that DISPLAY must be set. If you are running X, you won't notice. If you aren't, you will. To make the ssh_script above more portable, add this: export DISPLAY; DISPLAY=dummy – Blaine Jan 06 '15 at 03:18
  • furthermore (or if you don't have setsid) - in addition to setting DISPLAY and SSH_ASKPASS, you may also need to direct STDIN from /dev/null to convince ssh-add that it's not on a terminal: ssh-add /path/to/key < /dev/null – mike Dec 19 '18 at 22:42
  • I used this idea for getting the passphrase from `pass`, to give to `ssh-add` in a generic way, generating the askpass script as needed. https://milosophical.me/blog/2018/ssh-pass.html – mike Dec 30 '18 at 00:01
  • can someone update the solution to take in the suggestions from the comments? – M. Barbieri Feb 22 '19 at 14:42
14

You can use sshpass which is for example in the offical debian repositories. Example:

$ apt-get install sshpass
$ sshpass -p 'password' ssh username@server
steffen
  • 13,255
  • 2
  • 36
  • 69
  • sadly this is the only solution I use, which isn't great for ssh jumphosts. The alternative is `expect`, which I'm guessing is more trouble than it's work. – Sridhar Sarnobat Dec 17 '18 at 19:14
  • 2
    Homebrew (macOS) has banned it :( " We won't add sshpass because it makes it too easy for novice SSH users to ruin SSH's security." – mike Dec 19 '18 at 22:26
10

You can't with most SSH clients. You can work around it with by using SSH API's, like Paramiko for Python. Be careful not to overrule all security policies.

pvoosten
  • 2,987
  • 24
  • 39
  • Any idea why it doesn't work? Intuitively it should. – Sridhar Sarnobat Dec 17 '18 at 19:14
  • 3
    It shouldn't work, because that would inspire junior sysadmins to write scripts with the SSH password entangled within the logic in the script. In an environment for network and system administration, there needs to be a clear separation between security-sensitive information on the one hand and getting things done on the other. Password authentication is just not safe enough. Since ssh is widely used in sysadmin contexts, trying to keep users away from password-only security is a good idea. – pvoosten Dec 25 '18 at 22:40
5

Distilling this answer leaves a simple and generic script:

#!/bin/bash
[[ $1 =~ password: ]] && cat || SSH_ASKPASS="$0" DISPLAY=nothing:0 exec setsid "$@"

Save it as pass, do a chmod +x pass and then use it like this:

$ echo mypass | pass ssh user@host ...

If its first argument contains password: then it passes its input to its output (cat) otherwise it launches whatver was presented after setting itself as the SSH_ASKPASS program.

When ssh encounters both SSH_ASKPASS AND DISPLAY set, it will launch the program referred to by SSH_ASKPASS, passing it the prompt user@host's password:

Community
  • 1
  • 1
starfry
  • 7,737
  • 5
  • 57
  • 81
  • You may need to also pass `-oStrictHostKeyChecking=no` to the `ssh` command, if you haven't SSH'd into this host before; otherwise it'll prompt the user for whether they trust the unknown host key. Obviously, only do this if you're _sure_ that you trust the unknown host key. – villapx Jul 17 '18 at 22:34
4

FreeBSD mailing list recommends the expect library.

If you need a programmatic ssh login, you really ought to be using public key logins, however -- obviously there are a lot fewer security holes this way as compared to using an external library to pass a password through stdin.

Mark Rushakoff
  • 224,642
  • 43
  • 388
  • 389
4

An old post reviving...

I found this one while looking for a solution to the exact same problem, I found something and I hope someone will one day find it useful:

  1. Install ssh-askpass program (apt-get, yum ...)
  2. Set the SSH_ASKPASS variable (export SSH_ASKPASS=/usr/bin/ssh-askpass)
  3. From a terminal open a new ssh connection without an undefined TERMINAL variable (setsid ssh user@host)

This looks simple enough to be secure but did not check yet (just using in a local secure context).

Here we are.

the Tin Man
  • 150,910
  • 39
  • 198
  • 279
pier
  • 41
  • 1
2

I'm not sure the reason you need this functionality but it seems you can get this behavior with ssh-keygen.

It allows you to login to a server without using a password by having a private RSA key on your computer and a public RSA key on the server.

http://www.linuxproblem.org/art_9.html

yyttr3
  • 109
  • 1
  • 10
1

a better sshpass alternative is : https://github.com/clarkwang/passh

I got problems with sshpass, if ssh server is not added to my known_hosts sshpass will not show me any message, passh do not have this problem.

Badr Elmers
  • 1,028
  • 10
  • 15