1

I have written a bash script for my office usage to fetch some information from the devices using sshpass along with the ssh command. As we know, sshpass allows a password to be passed on the command line using the -p option, which makes the password visible; hence I want the password to be prompted for as user input on the screen itself.

The below script works fine, but I need a password to be prompted on the screen for user input. Please advise how this can be done, as I have googled around but did not get any concrete answer.

#!/bin/bash
#
# timestamp to be attached to the log file
TIMESTAMP=$(date "+%Y%m%d%H%M%S")

# logfile to collect all the Firmware Version of C7000 components
LOGFILE="/home/myuser/firmware_version-${TIMESTAMP}.log"

for host in $(cat enc_list);
do
        echo "========= $host =========";
        sshpass -p  my_password timeout -t 20 ssh -o "StrictHostKeyChecking no" $host  -l tscad  show firmware summary ;
done | tee -a "${LOGFILE}"
user294110
  • Put this before your `for` loop: `read -r -s -p "Password:" my_password` And replace `-p my_password` with `-p "$my_password"`. However, from a security point of view, I do not recommend it. – Cyrus Jun 27 '20 at 11:30
  • @Cyrus, yes, I tried that earlier and it works; however, I'm just wondering if there is a better way around. Thanks again for the comment. – user294110 Jun 27 '20 at 11:35
  • Take a look at option `-e` of sshpass to avoid password in commandline. – Cyrus Jun 27 '20 at 11:38
  • Tangentially, https://mywiki.wooledge.org/DontReadLinesWithFor – tripleee Jun 27 '20 at 11:39
  • Thanks @Cyrus. Yes, I've checked the `-e` option, but `read -r -s -p` looks better rather than hard-coding and exporting it. – user294110 Jun 27 '20 at 11:41
  • Have you considered using SSH keys to avoid the need to type a password in the first place? – chepner Jun 27 '20 at 14:36
  • @chepner, yes I did, but as I said these are legacy devices where we don't have options to use or exchange ssh keys; that's the reason I opted for this way. – user294110 Jun 27 '20 at 17:08

3 Answers

2

Avoid password in commandline:

read -r -s -p "Password:" SSHPASS
export SSHPASS
sshpass -e timeout ... ssh ...

From man sshpass:

-e: The password is taken from the environment variable "SSHPASS".

Cyrus
  • Thanks again, Cyrus, for placing an answer here. I think we need to have `unset SSHPASS` once we are done with the script, so we can add that as well at the end; that's what I am doing. +1. – user294110 Jun 27 '20 at 11:45
  • Thanks again, I marked it accepted as that's what my approach is; I ended up using `read -rsp $'Please Enter password below:\n' SSHPASS` – user294110 Jun 27 '20 at 12:10
0

Why are you using sshpass in the first place, as it is a utility whose only purpose is to circumvent the default behavior of ssh, which seems to be what you want to achieve?

From the man page:

sshpass is a utility designed for running ssh using the mode referred to as "keyboard-interactive" password authentication, but in non-interactive mode.

and further

Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user.

pguenther
  • pguenther, this is not a question about `why I am using it`; I know the nitty-gritty of using `sshpass`. I'm more interested in making the password user-input based. – user294110 Jun 27 '20 at 11:13
  • Then I'm not getting your point here, I'm sorry. What speaks against using `ssh` without `sshpass`? – pguenther Jun 27 '20 at 11:24
  • There is a need to use `sshpass` for a reason: I don't have an option to securely connect to the legacy devices, there is no other option to fetch the data, and for now only this works. With ssh alone, we need to enter the password for every server login, which we don't want; hope you got my point. – user294110 Jun 27 '20 at 11:30
  • Now I think I see your point. Is using bash's `read` command once before iterating a solution for you? `read PASSWORD` will place a line of user input into the bash variable `$PASSWORD`. See [here](https://tldp.org/LDP/Bash-Beginners-Guide/html/sect_08_02.html) – pguenther Jun 27 '20 at 11:40
  • Thanks much for understanding, yes, that's what I stumped to use for now :-) – user294110 Jun 27 '20 at 11:43
0

Just for the sake of other users who may be looking for the same solution as I am in the near future.

#!/bin/bash
# OA_FirmwareCheck.sh
# timestamp to be attached to the log file
TIMESTAMP=$(date "+%Y%m%d%H%M%S")

# logfile to collect all the Firmware Version of C7000 components
LOGFILE="/home/myuser/firmware_version-${TIMESTAMP}.log"

# read is a builtin command of the Bash shell. It reads a line of text from standard input.
# The -r option means "raw input" (backslashes are not treated as escapes), the -p option prints the prompt string,
# and the -s option tells read not to echo keystrokes when it is taking input from the terminal.
# Altogether it reads the password interactively into SSHPASS, which is then exported to the environment.
read -rsp $'Please Enter password:\n' SSHPASS
export SSHPASS

for host in $(cat enc_list);
do
        echo "========= $host =========";
        sshpass -e timeout -t 20 ssh -o "StrictHostKeyChecking no" "$host"  -l tscad  show firmware summary ;
done |  tee -a "${LOGFILE}"

# at last clear the exported variable containing the password
unset SSHPASS

Demo:

$ ./OA_FirmwareCheck.sh
Please Enter password below:

PTENC
Built: 04/06/2018 @ 06:14
OA Bay Number:  1
user294110
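
A hardened variant of the loop from the answers above, as an added example that is not part of any post on this page: it reads the host list line by line (the point of the DontReadLinesWithFor link), keeps the password off the command line, and hands it to `sshpass -e` through the environment of that single command instead of a script-wide `export`. The names `collect_firmware`, `FW_PASSWORD`, `REMOTE_USER` and `REMOTE_CMD` are hypothetical, and GNU `timeout` syntax is assumed.

```shell
#!/bin/bash
# Added example, not a poster's script. collect_firmware, FW_PASSWORD,
# REMOTE_USER and REMOTE_CMD are hypothetical names.
REMOTE_USER="tscad"
REMOTE_CMD="show firmware summary"

# Run REMOTE_CMD on each host in list file "$1"; returns the failure count.
collect_firmware() {
    local list="$1" host _rest failed=0
    # fd 3 carries the host list, so ssh cannot swallow it from stdin.
    while read -r host _rest <&3 || [ -n "$host" ]; do
        case $host in
            ''|'#'*) continue ;;                 # blank line or comment
            -*) # ssh would parse such an entry as an option, not a host
                echo "skipping option-like entry: $host" >&2
                failed=$((failed + 1)); continue ;;
        esac
        echo "========= $host ========="
        # SSHPASS exists only in this one command's environment: it is never
        # on argv and is not inherited by tee or other commands the script runs.
        # "timeout 20" is GNU coreutils syntax (assumed; the page has "-t 20").
        # StrictHostKeyChecking=no is kept from the page; it disables host-key
        # verification, so the password goes to whatever answers on that name.
        SSHPASS=$FW_PASSWORD sshpass -e timeout 20 \
            ssh -o StrictHostKeyChecking=no -l "$REMOTE_USER" \
            "$host" "$REMOTE_CMD" || failed=$((failed + 1))
    done 3<"$list"
    return "$failed"
}

# Interactive entry point: prompt only when a terminal is attached.
if [ -t 0 ] && [ -r enc_list ]; then
    read -rsp 'Password: ' FW_PASSWORD; echo
    collect_firmware enc_list | tee -a "firmware_version-$(date +%Y%m%d%H%M%S).log"
    unset FW_PASSWORD
fi
```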