Provide Password to Ssh Command Inside Bash Script, Without The Usage of Public Keys and Expect

  • Home
  • Languages
  • Linux
  • Provide Password to Ssh Command Inside Bash Script, Without The Usage of Public Keys and Expect

Provide password to ssh command inside bash script, Without the usage of public keys and Expect

First of all: Don't put secrets in clear text unless you know why it is a safe thing to do (i.e. you have assessed what damage can be done by an attacker knowing the secret).

If you are ok with putting secrets in your script, you could ship an ssh key with it and execute in an ssh-agent shell:

#!/usr/bin/env ssh-agent /usr/bin/env bash
KEYFILE=`mktemp`
cat << EOF > ${KEYFILE}
-----BEGIN RSA PRIVATE KEY-----
[.......]
EOF
ssh-add ${KEYFILE}

# do your ssh things here...

# Remove the key file.
rm -f ${KEYFILE}

A benefit of using ssh keys is that you can easily use forced commands to limit what the keyholder can do on the server.

A more secure approach would be to let the script run ssh-keygen -f ~/.ssh/my-script-key to create a private key specific for this purpose, but then you would also need a routine for adding the public key to the server.

Use Expect in a Bash script to provide a password to an SSH command

Mixing Bash and Expect is not a good way to achieve the desired effect. I'd try to use only Expect:

#!/usr/bin/expect
eval spawn ssh -oStrictHostKeyChecking=no -oCheckHostIP=no usr@$myhost.example.com

# Use the correct prompt
set prompt ":|#|\\\$"
interact -o -nobuffer -re $prompt return
send "my_password\r"
interact -o -nobuffer -re $prompt return
send "my_command1\r"
interact -o -nobuffer -re $prompt return
send "my_command2\r"
interact

Sample solution for bash could be:

#!/bin/bash
/usr/bin/expect -c 'expect "\n" { eval spawn ssh -oStrictHostKeyChecking=no -oCheckHostIP=no usr@$myhost.example.com; interact }'

This will wait for Enter and then return to (for a moment) the interactive session.

Using 'expect' command to pass password to SSH running script remotely

You are doing it wrong in two means:

  1. If you want expect to interact with ssh, you need to start ssh from expect script and not before.

  2. If you put the script (/path/to/script/test.sh) to stdin of ssh, you can't communicate with the ssh process any more.

You should rather copy the script to remote host using scp and then run it.

Expect script might look like this:

/usr/bin/expect <<EOF
spawn ssh -p$port root@$ip
expect "password"
send "$Spass\r"
expect "$ "
send "/path/to/script/on/remote/server/test.sh\r"
expect "$ "
interact
EOF

Automate SSH without using public key authentication or expect(1)

Use sshpass.

For example, when password is in password.txt file:

sshpass -fpassword.txt ssh username@hostname

(taken from the answer to a similar question)

Pass a password to ssh in pure bash

Since there were no exact answers to my question, I made some investigation why my code doesn't work when there are other solutions that works, and decided to post what I found to complete the subject.

As it turns out:

"ssh uses direct TTY access to make sure that the password is indeed
issued by an interactive keyboard user." sshpass manpage

which answers the question, why the pipes don't work in this case. The obvious solution was to create conditions so that ssh "thought" that it is run in the regular terminal and since it may be accomplished by simple posix functions, it is beyond what simple bash offers.

How to pass the password to su/sudo/ssh without overriding the TTY?

For sudo there is a -S option for accepting the password from standard input. Here is the man entry:

    -S          The -S (stdin) option causes sudo to read the password from
                the standard input instead of the terminal device.

This will allow you to run a command like:

echo myPassword | sudo -S ls /tmp

As for ssh, I have made many attempts to automate/script it's usage with no success. There doesn't seem to be any build-in way to pass the password into the command without prompting. As others have mentioned, the "expect" utility seems like it is aimed at addressing this dilemma but ultimately, setting up the correct private-key authorization is the correct way to go when attempting to automate this.


Related Topics

Why Docker Has Ability to Run Different Linux Distribution

What's an Alternative for Dtrace on Linux

Portable Way to Get File Size (In Bytes) in the Shell

How to Call Matlab Functions from the Linux Command Line

Find Unique Lines

When Setting Ifs to Split on Newlines, Why Is It Necessary to Include a Backspace

Remove Odd or Even Lines from a Text File

Linux Command History with Date and Time

Linux Command Line Howto Accept Pairing for Bluetooth Device Without Pin

Walking Page Tables of a Process in Linux

How to Capture All of My Compiler's Output to a File

How to Start Tomcat with Output on Console in Linux

What Is a Way to Read Man Pages in Vim Without Using Temporary Files

Parameter for Shell Scripts That Is Started with Qsub

How to Use Epollhup

How to Post Raw Body Data with Curl

Manage Source Under Git and Svn Simultanously - Does It Make Sense

Profiling a (Possibly I/O-Bound) Process to Reduce Latency


Leave a reply



Submit