60

I want to pass a password to ssh using a bash script (Yes, I know that there are ssh keys that I could use, but this is not what I intend).

I found some solutions that were using expect but since it is not a standard bash tool I am wondering if I can do this using pipes.

Can someone explain to me, why exactly something like this:

echo "password\n" | ssh somehost.com

or

ssh somehost.com <(echo "password\n")

doesn't work? Is there any possibility to make it work? Maybe executing ssh as a different process, obtaining its PID and then sending a string directly to it?

Improve this question
4
  • you need to get sshpass Commented Jun 27, 2014 at 14:20
  • 6
    Related: serverfault.com/questions/241588/… Commented Jun 27, 2014 at 14:21
  • 1
    Though this question may sound off topic for stackoverflow, I didn't found it being asked anywhere else. The question and answer helped me understanding that, WHY the pipe didn't work for ssh. ("printf user/pass | vpn user@HOST" works. ) Commented Mar 1, 2015 at 4:14
  • Very closely related: How to pass password to scp? Commented Nov 9, 2021 at 2:16

3 Answers 3

Reset to default
88

You can not specify the password from the command line but you can do either using ssh keys or using sshpass as suggested by John C. or using a expect script.

To use sshpass, you need to install it first. Then

sshpass -f <(printf '%s\n' your_password) ssh user@hostname

instead of using sshpass -p your_password. As mentioned by Charles Duffy in the comments, it is safer to supply the password from a file or from a variable instead of from command line.

BTW, a little explanation for the <(command) syntax. The shell executes the command inside the parentheses and replaces the whole thing with a file descriptor, which is connected to the command's stdout. You can find more from this answer https://unix.stackexchange.com/questions/156084/why-does-process-substitution-result-in-a-file-called-dev-fd-63-which-is-a-pipe

Improve this answer
Sign up to request clarification or add additional context in comments.

12 Comments

This is not exactly answer to my question but thanks, sshpass is quite good solution for me.
Anyone knows where sshpass is located on the system? Could anyone tell me the path to it?
From a security perspective, passwords should never be passed on a command line -- command lines are visible to the entire system; even commands that change their command line after they started are vulnerable to capture in the interim. There are other, much safer usage patterns for sshpass if you must use that tool.
You might demonstrate sshpass -f <(printf '%s\n' your_password) ssh user@hostname in the answer, to have a better-practice approach highly visible. (Because printf is a shell builtin, it doesn't get executed as a separate command with its argv exposed via procfs).
$ brew search sshpass ... We won't add sshpass because it makes it too easy for novice SSH users to ruin SSH's security. That's comprehensive. Don't do noninteractive passwords. Do SSH keys.
|
51

Since there were no exact answers to my question, I made some investigation why my code doesn't work when there are other solutions that works, and decided to post what I found to complete the subject.
As it turns out:

"ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user." sshpass manpage

which answers the question, why the pipes don't work in this case. The obvious solution was to create conditions so that ssh "thought" that it is run in the regular terminal and since it may be accomplished by simple posix functions, it is beyond what simple bash offers.

Improve this answer

6 Comments

Since you ended up linking to sshpass I think you should have given the other guy credit for the answer.
I suggest you to first read what the question was, instead of adding comments that bring nothing to the topic.
If your question is genuinely only about why thing-X doesn't work, your title should reflect that, as opposed to being about how to accomplish the goal that thing-X would otherwise be performing. Right now, the body of the question focuses on that area, but the title is all about accomplishing the task.
@CharlesDuffy How does "pure bash" does not reflect the need to use standard bash calls? What kind of mental workout have you done to come to such conclusion?
@BłażejMichalik, ...so, the point I've been making is that the title should have reflected the question's intent given in the body. I don't object to the OP's intent not to rely on tools not specified by POSIX, built into bash, or provided as part of the SSH package. I do object to their question's title being a poor fit to that question's intent.
|
0

If you need to use password authentication then more secure is to send the password from a password vault to your clipboard and then just paste it when prompted by ssh. In the following script a credential is passed to a password vault pass and then any additional arguments are passed to ssh. You can use the following script in other scripts to further automate ssh use.

For example

#!/bin/bash USAGE="USAGE: passtossh credential ..." [[ $# -lt 2 ]] && echo "$USAGE" && exit 64 CRED="$1" shift echo "Creating a ssh connection using credentials $CRED with parameters $@ ." echo "$(pass "$CRED")" | tr -d '\n' | pbcopy ssh $@

You can use this script like this (for example ssh to a host along with any additional parameters):

$ passtossh my_credential user@host -L 8888:localhost:8888

and when prompted just paste the password. Pbcopy is MacOS utility for sending stdin to clipboard. For windows clip, for linux see for example link.

Benefit is that password will not appear in logs and also the password can only be accessed by whatever authentication you have for the password vault.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.