SSH password automation in Linux with sshpass
In this blog I try to explain SSH password automation in Linux with sshpass and give some examples.
What is sshpass in Linux?
The sshpass utility is designed to run SSH using the keyboard-interactive password authentication mode, but in a non-interactive way.
SSH uses direct TTY access to ensure that the password is indeed issued by an interactive keyboard user.
sshpass runs SSH in a dedicated TTY, fooling SSH into thinking it is getting the password from an interactive user.
Install sshpass on Linux
You can install sshpass with this simple command:
# yum install sshpass
Specify the command you want to run after the sshpass options. Typically, the command is ssh with arguments, but it can also be any other command. The SSH password prompt is, however, currently hardcoded into sshpass.
The synopsis for the sshpass command is described below:
sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments
-ppassword   The password is given on the command line.
-ffilename   The password is the first line of the file filename.
-dnumber     number is a file descriptor inherited by sshpass from the runner. The password is read from the open file descriptor.
-e           The password is taken from the environment variable "SSHPASS".
To better understand the value and use of sshpass, let’s look at some examples with several different utilities, including SSH, Rsync, Scp, and GPG.
Example 1: SSH
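Use sshpass to log into a remote server by using SSH. Let’s assume the password is !4u2tryhack. Below are several ways to use the sshpass options.
A. Use the -p option (this is considered the least secure choice and shouldn’t be used). Quote the password so that the shell does not treat the leading ! as history expansion:
$ sshpass -p '!4u2tryhack' ssh firstname.lastname@example.org
The -p option looks like this when used in a shell script. StrictHostKeyChecking=no makes ssh accept a host key it has not seen before without asking, so a first connection to a host is not verified:
$ sshpass -p '!4u2tryhack' ssh -o StrictHostKeyChecking=no email@example.com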
B. Use the -f option (the password should be the first line of the filename):
$ echo '!4u2tryhack' >pass_file
$ chmod 0400 pass_file
$ sshpass -f pass_file ssh firstname.lastname@example.org
Here is the -f option when used in a shell script:
$ sshpass -f pass_file ssh -o StrictHostKeyChecking=no email@example.com
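A script that relies on the -f option can check the password file before handing it to sshpass. The following is an added example, not part of the original post: the function names check_pass_file and ssh_with_pass_file are hypothetical, and it assumes a Linux system where stat accepts -c.

```shell
#!/bin/sh
# Added example: pre-flight checks for the file given to "sshpass -f".
# Function names are hypothetical; "stat -c" assumes GNU or BusyBox stat.

# Return 0 only if the file is acceptable as a password file.
check_pass_file() {
    pf=$1
    # Reject symlinks and anything that is not a regular file.
    if [ -L "$pf" ] || [ ! -f "$pf" ]; then
        echo "refusing $pf: not a regular file" >&2; return 1
    fi
    # The file must be owned by the user running the script.
    if [ ! -O "$pf" ]; then
        echo "refusing $pf: not owned by current user" >&2; return 1
    fi
    # No permission bits for group or other (0400 and 0600 pass, 0644 fails).
    mode=$(stat -c %a "$pf") || return 1
    case $mode in
        *00) ;;
        *) echo "refusing $pf: mode $mode grants access to group or other" >&2
           return 1 ;;
    esac
    # sshpass uses the first line as the password; it must not be empty.
    first=
    IFS= read -r first < "$pf" || true
    if [ -z "$first" ]; then
        echo "refusing $pf: first line is empty" >&2; return 1
    fi
    first=   # do not keep the secret in a shell variable
    return 0
}

# Run ssh through sshpass only when the password file passes the checks.
# Host key checking is left at the ssh default.
ssh_with_pass_file() {
    pf=$1; shift
    check_pass_file "$pf" || return 1
    sshpass -f "$pf" ssh "$@"
}
```

Call it as ssh_with_pass_file pass_file followed by the usual ssh arguments; a file created with chmod 0400 as shown above passes the checks.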
C. Use the -e option (the password is taken from the environment variable SSHPASS):
$ SSHPASS='!4u2tryhack' sshpass -e ssh firstname.lastname@example.org
The -e option when used in a shell script looks like this:
$ SSHPASS='!4u2tryhack' sshpass -e ssh -o StrictHostKeyChecking=no email@example.com
Example 2: Rsync
$ SSHPASS='!4u2tryhack' rsync --rsh="sshpass -e ssh -l username" /custom/ host.example.com:/opt/custom/
The above uses the -e option, which reads the password from the environment variable SSHPASS.
We can use the -f switch like this:
$ rsync --rsh="sshpass -f pass_file ssh -l username" /custom/ host.example.com:/opt/custom/
Example 3: Scp
$ sshpass -f pass_file scp -r /var/www/html/example.com user@host.example.com:/var/www/html
Example 4: GPG
You can also use sshpass with a GPG-encrypted file. When the -f switch is used, the reference file is in plaintext. Let’s see how we can encrypt a file with GPG and use it.
First, create a file as follows:
$ echo '!4u2tryhack' > .sshpasswd
Next, encrypt the file using the gpg command:
$ gpg -c .sshpasswd
Remove the file which contains the plaintext:
$ rm .sshpasswd
Finally, use it as follows. Note that this leaves the decrypted password in pass_file:
$ gpg -d -q .sshpasswd.gpg > pass_file; sshpass -f pass_file ssh firstname.lastname@example.org
sshpass is a simple tool that can be of great help to sysadmins. This doesn’t, by any means, override the most secure form of SSH authentication, which is public-key authentication. However, sshpass can also be added to the sysadmin toolbox.