How to Automate SSH Login If You Should Use a Password
SSH does not have an easy way to send a password over standard input, which makes it hard to automate.
While it’s not ideal for security, you can automate SSH password authentication in bash scripts using the sshpass utility.
Before we begin: using automated passwords for SSH is considered bad practice for a reason.
In almost all cases, it’s better to use an SSH key, which I will show below. However, passwords do have the benefit of being easier to manage, remember, and distribute to team members.
Those are all simultaneously downsides for security, but that’s a tradeoff you may choose to make.
Using SSHPass
The regular ssh command does not have a --password flag to allow you to automate this easily. You will have to install a tool called sshpass to handle this explicitly. You can install it from most Linux package managers; for Debian-based systems like Ubuntu, that would be:
sudo apt-get install sshpass
If you’re using sshpass from inside a script file, you can pass the password directly with the -p flag, followed by your standard SSH command:
sshpass -p 'password' ssh user@remote_ip
However, this is not good practice for a few reasons:
- If used outside of a script file, it exposes the plaintext password to Linux command history and other systems. Other Linux users may be able to see it.
- It may be unclear that there is a password buried in this script file, potentially leading to bad file permissions exposing it.
- It may be accidentally tracked in version control, and it doesn’t allow the password used on the clients to be changed.
Because of this, you should store the password in a file instead. Make sure to set the permissions on it to ensure it’s not accessible by other users.
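# Create the file and restrict it first, so the password is never written to a file other users can read
touch password_file
chmod 600 password_file
echo "password" > password_file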
Then, pass this to sshpass with -f:
sshpass -f password_file ssh user@remote_ip
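One way to enforce the password-file advice above inside a script, as an added example that is not part of the original article: it creates the file under a restrictive umask and refuses to call sshpass -f when the file is a symlink, owned by another user, or open to group or other. The function names are hypothetical, and GNU stat (Linux) is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Function names are hypothetical.
# Assumes GNU stat (Linux) for `stat -c`.

# write_password_file FILE: read the password from stdin and create FILE
# under umask 077, so it is never briefly readable by other users.
write_password_file() {
    ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# check_password_file FILE: return 0 only if FILE is a regular file (not a
# symlink), owned by the calling user, with no group/other permission bits.
check_password_file() {
    pf_file=$1
    if [ -L "$pf_file" ] || [ ! -f "$pf_file" ]; then
        echo "refusing $pf_file: not a regular file" >&2
        return 1
    fi
    if [ "$(stat -c '%u' "$pf_file")" != "$(id -u)" ]; then
        echo "refusing $pf_file: not owned by the calling user" >&2
        return 1
    fi
    pf_mode=$(stat -c '%a' "$pf_file") || return 1
    # Leading 0 makes the mode octal; 077 masks the group and other bits.
    if [ $(( 0$pf_mode & 077 )) -ne 0 ]; then
        echo "refusing $pf_file: mode $pf_mode is open to group/other, want 600" >&2
        return 1
    fi
    return 0
}

# ssh_with_password_file FILE SSH_ARGS...: call sshpass -f only after the
# file passes the check, so a loosened file stops the script instead of
# being used silently.
ssh_with_password_file() {
    pf_arg=$1
    shift
    check_password_file "$pf_arg" || return 1
    sshpass -f "$pf_arg" ssh "$@"
}
```

In a script, source these functions and call ssh_with_password_file password_file user@remote_ip in place of the bare sshpass command.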
Setting Up SSH Keys Instead
SSH keys are preferred for most systems. They’re much longer, as well as harder to accidentally leak, making them ideal for security.
They also encourage identity based authentication, since SSH keys are usually tied to the machine they’re created on.
SSH stores your public key in ~/.ssh/id_rsa.pub and the matching private key in ~/.ssh/id_rsa, which it offers by default when connecting. It’s easy to generate a new key pair:
ssh-keygen
You need to add the public key to the ~/.ssh/authorized_keys file on the server you want to connect to. There’s a built-in SSH command that can do this easily for you:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@host
Once that’s done, you won’t be asked for a password anymore. You can copy this key to other machines, but usually it’s fine to just add multiple keys.
Alternative Methods For Reference
Using PSSH and PSCP
We also have very handy tools written in Python, PSSH and PSCP, with which you can connect to multiple hosts by entering the password just once on the terminal. You can also set up passwordless login using a private/public key pair and then use that key pair to connect to the remote server without any password.
PSSH is part of the EPEL repository, which we had already installed in our previous section, so we will just install PSSH.
dnf -y install pssh
Next, we will generate a passwordless private/public key pair:
ssh-keygen -t rsa -P ""
We now have to start an ssh-agent and add the private key to it, which PSSH will use:
eval `ssh-agent`
ssh-add /root/.ssh/id_rsa
Now we can use PSSH to connect to the remote server without worrying about a password:
pssh -i -H "remote_ip_address" -l root -x "-o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes" hostname
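Here I have used multiple SSH options to use only PubkeyAuthentication and disable the other types of authentication methods. StrictHostKeyChecking=no is not an authentication option: it makes ssh accept the host key of a previously unseen server without asking for confirmation.
I hope you were able to log in over SSH using the methods described above.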
About the Creator
Motti Kumar
Hey guys, I'm Motti Kumar and it’s a pleasure to be a guest blogger and hopefully inspire, give back, and keep you updated on overall cyber news or anything hot that impacts us as security enthusiasts here at Vocal Media.