SSH login with clear text password as a parameter?

linux ubuntu ssh security login

614,156

Solution 1

On Ubuntu, install the sshpass package, then use it like this:

sshpass -p 'YourPassword' ssh user@host

sshpass also supports passing the keyboard-interactive password from a file or an environment variable, which might be a more appropriate option in any situation where security is relevant. See man sshpass for the details.

Solution 2

If your alternative is to put a password into a script or ssh command line or plain text file, then you're MUCH better off using an ssh key instead. Either way, anyone who has access to the account where the ssh client script is stored would be able to use that to get into the server, but at least in the case of an ssh key, OpenSSH supports it properly, you don't grant access by other means than ssh, it's more easily revoked if necessary, etc...

You will have to explain why you have a requirement to not use an ssh key.

Consider also using a forced command (command="..." in the .ssh/authorized_keys file) so that the client only has access to run the command they need on the server rather than a full shell.

Solution 3

First of, like the other respondents, I recommend just using ssh keys. But I will assume that the person controlling the server is simply not going to allow you to use ssh key authentication and you must use password authentication.

You can use ControlMaster and ControlPath.

Let A be the server that you won't have access to (think continuous integration server like Bamboo) and C be the remote host running Ubuntu.

Now let B be some computer that you control. If you can not provide a suitable B computer, this answer will not work.

Create a key pair and add the public part to B's authorized_keys file. Give A the private key. Now you can log into B from A without a password.
On B manually ssh -M -S /tmp/controlpath C and enter your password at the prompt. After that you should be able to log into C from A without a password ssh -S /tmp/controlpath C.

In the script on A you can write ssh B ssh C dostuff.

Every time you reboot B, you will have to reestablish the connection ssh -M -S /tmp/controlpath C.

614,156

mmla

Updated on September 18, 2022

Comments

mmla over 1 year

I need to login to a user that I've created on a remote host running Ubuntu. I can't use an ssh key because the ssh login will happen from a bash script ran within a server that I won't have access to (think continuous integration server like Bamboo).

I understand this isn't an ideal practice, but I want to either set the remote host to not ask for the password or be able to login with something like ssh --passsword foobar user@host, kind of like MySQL allows you to do for logins.

I'm not finding this in man ssh and I'm open to any alternatives to getting around this issue.
- Ciro Santilli Путлер Капут 六四事 over 8 years
  
  serverfault.com/questions/241588/…
- Vadim Sluzky over 7 years
  
  The secure way is to generate SSH key with ssh-keygen -t rsa -b 2048 and use this key to log into the remote server as alternative you can install "sshpash" and then you can ssh your machine with following command sshpass -p 'password' ssh username@servername
- AhmadKarim about 7 years
  
  The question this is redirected to is not the same as this one. This one is asking for a way to initiate an interactive session.
mmla almost 12 years

The remote host is actually a VM used by other engineers with no resources worth risking other than copies of test automation code. For the sake of the discussion, let say the only access I have is to add the script file, not add ssh keys in ~/.ssh/.
Celada almost 12 years

That's highly contrived. A somewhat less contrived scenario would be that a misguided administrator of the server disabled ssh key logins (PubkeyAuthentication no in /etc/ssh/sshd_config). In either case, the better solution is to fix the underlying problem that prevents you from doing ssh key logins. Failing that, consult the question pointed to by Gilles.
phemmer almost 12 years

@MichaelM you dont have to add ssh keys in ~/.ssh/. Add the key wherever you want and use ssh -i /path/to/id_rsa
jippie almost 12 years

Loging in to a server with a keypair is much easier to script than a password. If it is the first time you're setting up keys for use with SSH, you might want to look for a good howto.
emory almost 12 years

@MichaelM if the only access you have is to add the script file, then you can hardcode the key in the script file: echo -----BEGIN RSA PRIVATE KEY----- > ${IDENTITY_FILE} ; echo MIIEoQIBAAKCAQEAv1tQry1qWlLn1Kp3uX2/4bT0z9Cbre/zj1fnchVinPqB‌Hrd1 >> ${IDENTIFY_FILE} ...
Michael Sondergaard about 11 years

Althought is not recommended and not a good practice this is exactly the answer to the question. Consider using keys as stated above. But if there's a major tech issue this is the solution asked
Henley about 10 years

I only upvote the answer. Not "rational why don't you do it this way instead" answers. Just the answer. hence, I upvoted you :)
Vality almost 10 years

Sorry to revive this old thread, but I have a real application here, I am trying to ssh into a machine with a read only file-system (read only as it is rom) and no ramdisks. It does not have any public keys on it so am stuck...
Celada almost 10 years

@Vality if it is truly read-only, how did you set your password on this system in the first place? Or was the root password factory-installed and unchangeable? Sounds pretty scary. Usually these types of systems have a small read-write storage area to store configuration, etc... In any case, if that's what you have to work with, maybe you could use a long-lived session with a master socket (look up command line option -M) which you set up once manually and then your script is a slave connection piggybacked on that session.
Vality almost 10 years

@Celada as you say, the device has a preset root password and this cannot be changed (without perhaps physically modifying he device). (unfortunately the password is not at all strong either which concerns me also). However that looks like a really interesting idea, I had not seen that option before, I shall have a read of the man pages for it. Thanks, that is really handy.
wchargin over 9 years

Also note that other users on your machine will probably be able to see your password by running w.
user2936306 over 9 years

@WChargin For a more detailed explanation of how to "secure" the password from process listings by other users, have a look at this similar question.
Andrew Wolfe about 9 years

I don't completely hate sshpass, in fact I'm using it on a temporary basis. However using '-p' is unnecessary and undesirable. Set the variable SSHPASS first and then do sshpass -e ssh <ssh-args>.
Saral Garg over 8 years

How about CentOS - which doesn't have sshpass?
brianpeiris almost 8 years

ssh-copy-id makes this effortless. Just run ssh-copy-id username@hostname
Vicky Dev over 7 years

How to install sshpass in Ubuntu 14.04, by default package not found by apt-get, so how to do it ?
user2936306 over 7 years

@VickyDev The sshpass package is part of the universe repository. Once enabled, you can install it normally using apt.
Shicheng Guo about 7 years

Not works if there are special character in the passwd, such "/","\", "?" and so on.
user2936306 about 7 years

@ShichengGuo try using the -f filename switch, which allows you to store the password in a file. See man sshpass for details.
L. Holanda about 7 years

Stackexchanges answer should answer the question not argue the question is correct. I have a valid scenario for this. I need to setup my ~/.ssh/authorized_keys in 95 different boxes. I wrote a script to push my authorized_keys file automatically, but still prompts for password. Having the script to prompt for the password once in the beginning would be nicer.
flarn2006 over 5 years

> You will have to explain why you have a requirement to not use an ssh key. Sorry, I have to downvote this. If you know the answer to the question, just give the answer.
Nick over 5 years

I agree with flarn2006. You cannot say "this question is dumb so here's an answer to a different question because I think it's a better question and I know the answer to it".
Aaa almost 4 years

If a device simply does not have a supported way to set up public key auth - and those do exist - then being on the high horse and preaching public key auth really doesn't help there. Hence the upvote on the actual answer with sshpass.
Fabian Röling over 3 years

This answer also works on Manjaro (Arch-based).