
I'm writing a script to automate running a specific command across multiple Linux systems. I am going to use something like:

read -s -p "Enter password: " ANS
sshpass -p "$ANS" ssh server "some command"

Is there going to be a security concern on this?

Cyrus
  • The password will show up in `ps` output. – Barmar Apr 18 '18 at 20:57
  • Don't forget to quote variables: `-p "$ANS"`. – Barmar Apr 18 '18 at 20:57
  • 2
    SO is for programming questions, not questions about using or configuring Linux and its applications. SuperUser.com or unix.stackexchange.com would be better places for questions like this. – Barmar Apr 18 '18 at 20:58
  • `read -s -p "Enter password: " SSHPASS; export SSHPASS; sshpass -e ssh server "some command"; unset SSHPASS`? – Cyrus Apr 18 '18 at 21:01
  • Why make your script prompt for the password when `ssh` is perfectly capable of doing so itself, and more securely than your script can? – chepner Apr 18 '18 at 22:34
  • If you are serious about automation, you'll configure `ssh` to use private key authentication instead of requiring passwords. – chepner Apr 18 '18 at 22:36
  • @chepner - the script initiates multiple parallel background ssh connections, and the prompts from ssh will be useless. – Dubious Programmer Apr 23 '18 at 22:56
  • @AnupAdhikari Like I said, use private key authentication. – chepner Apr 23 '18 at 22:57

2 Answers


Your password, and any other command-line arguments, will be visible to anyone else on the system using the `ps` command. A better alternative would be to use SSH key-based login. Official Doc

bobmcn

The sshpass man page has a whole section on the security implications.

Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

In particular, people writing programs that are meant to communicate the password programmatically are encouraged to use an anonymous pipe and pass the pipe's reading end to sshpass using the -d option.

So, if you must pass a password, they encourage the use of an anonymous pipe. You could also save the password to a file and use the -f flag instead.

If you're interested in security, key-based authentication is the best option. Sometimes this isn't reasonable, as your target(s) may lack the extra non-volatile memory to store a public key, but you should try to set up key-based auth if you can.

John Moon
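The following script is an added example, not code from either answer above and not sshpass's own code. It demonstrates the point bobmcn and John Moon both make: a password handed over as a command-line argument (the `sshpass -p` form in the question) can be read back out of the child's argv by any user on the host, while a password delivered through an anonymous pipe on a file descriptor (the `sshpass -d` form the man page recommends) never appears there. So that it runs without sshpass installed, an `sh -c` stand-in plays the role of the child process; `run_remote` and `fan_out` show the real invocation for the asker's parallel case and are the only functions that assume sshpass is present. The sample password strings and the `stand-in` argv[0] are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from sshpass). Needs a POSIX shell
# and Linux /proc; sshpass is referenced only in run_remote/fan_out.

# argv of a running process as one line. This is the same data `ps -o args=`
# prints, which is why `sshpass -p "$PW"` is readable by every user on the host.
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Literal substring test (a password may contain * or ?, so no unquoted globs).
contains() {
    case "$1" in *"$2"*) return 0 ;; esac
    return 1
}

# Model of `sshpass -p "$SECRET" ssh ...`: the child receives SECRET in argv.
# Returns 0 if SECRET can be read from the child's command line.
secret_visible_in_argv() {
    secret=$1
    # Two commands, so the shell does not exec-optimise itself away and stays
    # alive long enough to be inspected; "$secret" becomes the child's $1.
    sh -c 'sleep 3; true' stand-in "$secret" &
    pid=$!
    sleep 1
    argv=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    contains "$argv" "$secret"
}

# Model of the `sshpass -d 3` pattern: the printf builtin writes SECRET into an
# anonymous pipe, the child reads it from fd 3, and the child's stdin is
# /dev/null (as `ssh -n` would arrange). The child copies what it read into
# OUT so the caller can confirm delivery. Returns 0 only if SECRET shows up
# in argv, which it should not.
secret_visible_with_fd() {
    secret=$1; out=$2
    printf '%s\n' "$secret" | \
        sh -c 'IFS= read -r pw <&3; printf "%s" "$pw" > "$1"; sleep 3' \
            stand-in "$out" 3<&0 </dev/null &
    pid=$!
    sleep 1
    argv=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    contains "$argv" "$secret"
}

# The real invocation for the asker's use case (assumes sshpass is installed;
# not executed in this script). The password lives in $PW, written into a
# fresh pipe for each connection; it never enters any process's argv.
run_remote() {   # run_remote HOST COMMAND
    printf '%s\n' "$PW" | sshpass -d 3 ssh "$1" "$2" 3<&0 </dev/null
}

# Prompt once, then fan out in the background and wait for all of them.
# `read -s` is a bash extension, so the POSIX form uses stty to hide echo.
fan_out() {      # fan_out COMMAND HOST...
    cmd=$1; shift
    printf 'Enter password: '
    stty -echo; IFS= read -r PW; stty echo; echo
    for host in "$@"; do
        run_remote "$host" "$cmd" &
    done
    wait
    unset PW
}

# Stand-alone demonstration of the two models.
demo_secret='hunter2-demo'            # constructed sample, not a real password
if secret_visible_in_argv "$demo_secret"; then
    echo "argv method: '$demo_secret' is visible in the child's command line"
fi
demo_out=$(mktemp)
if ! secret_visible_with_fd "$demo_secret" "$demo_out"; then
    echo "fd method: not in argv; child received '$(cat "$demo_out")'"
fi
rm -f "$demo_out"
```

Two design points worth noting. The writer side of the pipe is `printf`, a shell builtin, so the password is never an argument of any process at all; piping from an external program such as `echo` would recreate the problem on the other side. And the `-e` variant suggested in the comments is better than `-p` but not equivalent to `-d`: a process's environment is readable from `/proc/PID/environ` by the same user and by root, whereas the pipe's contents are gone once sshpass has consumed them.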