2

My final goal is to use both `ssh -f` and `sshpass` together, although it doesn't quite work. `ssh -f` tries to fork from the ssh process and also sets stdin to read from `/dev/null`, which makes things difficult because sshpass gathers the ssh command, executes it and passes the password to it as input (stdin). I don't want to use `&` because basically it's not an elegant way to solve it. Also, sshpass does not support this incident.

Example for command: `sshpass -p pass1234 ssh -L 1234:127.0.0.1:5678 -N -f root@1.2.3.4`

If you either remove the '-f' flag or remove the 'sshpass' command you'll see it works great.

Does anyone have an idea how to solve this incident? Thanks.

DR J
  • You can consider [public key authentication](https://www.ssh.com/ssh/key) and remove the need for a password altogether. – Piotr P. Karwasz Feb 23 '20 at 11:01
  • That's just not an option for anyone who would ask this question. – Aero Windwalker Mar 09 '20 at 00:34
  • @AeroWindwalker why is that? I searched for this question, and I would have asked it if it wasn't already here. I used public key authentication as a solution, which works great. – Jachdich Mar 12 '20 at 14:20

1 Answer

3

Do NOT use sshpass. It's broken. And not only because of security considerations.

sshpass works by creating a pseudo-tty in which it runs ssh. The problem with sshpass + ssh -f is that ssh -f first authenticates the user, forks a child to handle the connection and then exits. But sshpass will pull the rug from under the child as soon as the parent ssh has exited, before the child had any chance to detach itself from the terminal (the pseudo-tty created by sshpass) and consequently it will be killed by a SIGHUP signal.

A workaround would be to give the child a little time to start:

```
sshpass -p password sh -c 'ssh -f -N ... user@host && sleep .1'
```

BTW, you can almost perfectly emulate sshpass with script(1):

```
{ sleep .1; echo password; } | script -q /dev/null -c 'ssh user@host cmd'
```

On BSD, script has a different syntax:

```
{ sleep .1; echo password; } | script -q /dev/null ssh user@host cmd
```

  • `Do NOT use sshpass` what do you suggest instead? – Jachdich Mar 08 '20 at 20:06
  • sshpass is fine. In all cases where people would use it security is no concern. – Aero Windwalker Mar 09 '20 at 00:37
  • Also you cannot emulate `sshpass` with `script(1)`; for example, your sshpass example does work but the script example doesn't. @mosvy – Aero Windwalker Mar 09 '20 at 05:13
  • @AeroWindwalker __1.__ sshpass is not fine, as the OP's problem shows, whose causes I have explained in my A __2.__ the script example works (since it's a hack/workaround, you may have to adjust the timeouts, and use the same trick as with sshpass in the command). __3.__ wrt the Bugs section of sshpass manpage: if you're in any way affiliated with sshpass, I suggest you study how xterm and other programs are doing it. Even my screeds ([here](https://unix.stackexchange.com/a/478969) and [here](https://unix.stackexchange.com/a/538271)) may help. You can easily use a pty master in blocking mode. –  Mar 11 '20 at 18:04
  • @Jachdich some instrumentation tool like expect/libexpect. It also has interfaces in other languages, not just tcl. For a quick & dirty hack, use script, as in my answer ;-) –  Mar 11 '20 at 18:06
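
The race described in the answer above can be reproduced without ssh or sshpass. This is an added example, not part of the original answer: a simplified Linux model in Python where the stand-in processes, the delays and the function name `child_survives` are assumptions chosen to make the race deterministic.

```python
import os
import pty
import signal
import time


def child_survives(linger: float) -> bool:
    """Return True if the background child outlives the pseudo-tty.

    linger: seconds the session leader stays alive after forking, which is
    what the `&& sleep .1` workaround buys in the answer (assumed values here).
    """
    r, w = os.pipe()                   # background child reports survival here
    pid, master = pty.fork()           # like sshpass: new session on a fresh pty
    if pid == 0:                       # stand-in for the foreground `ssh -f`
        try:
            signal.signal(signal.SIGHUP, signal.SIG_DFL)
            if os.fork() == 0:         # stand-in for the forked background ssh
                time.sleep(0.2)        # still attached to the pty during this window
                os.setsid()            # now detached from the controlling terminal
                time.sleep(1.0)
                os.write(w, b"alive")  # only reached if no SIGHUP killed us
            else:
                time.sleep(linger)     # 0 models plain `sshpass ssh -f`
        finally:
            os._exit(0)
    os.close(w)
    os.waitpid(pid, 0)                 # the foreground process has exited...
    os.close(master)                   # ...so the pty is torn down, as sshpass does
    data = os.read(r, 16)              # EOF (b"") means the child was killed
    os.close(r)
    return data == b"alive"


if __name__ == "__main__":
    print("no linger  :", child_survives(0.0))
    print("linger 0.8s:", child_survives(0.8))
```

With no linger the background process dies from SIGHUP before it reaches `setsid()`; with a linger longer than the detach delay it survives the teardown.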