MAN page from OpenSuSE sshpass-1.06-9.5.x86_64.rpm
Section: Sshpass User Manual (1)
Updated: April 25, 2015Index
sshpass - noninteractive ssh password provider
] command arguments
This manual page documents the sshpass
sshpass is a utility designed for running ssh using the mode referredto as "keyboard-interactive" password authentication, but in non-interactive mode.
ssh uses direct TTY access to make sure that the password is indeed issued byan interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling itinto thinking it is getting the password from an interactive user.
The command to run is specified after sshpass' own options. Typically it will be"ssh" with arguments, but it can just as well be any other command. The passwordprompt used by ssh is, however, currently hardcoded into sshpass.
If no option is given, sshpass reads the password from the standard input. Theuser may give at most one alternative source for the password:
- The password is given on the command line. Please note the section titled"SECURITY CONSIDERATIONS".
- The password is the first line of the file filename.
- number is a file descriptor inherited by sshpass from the runner. Thepassword is read from the open file descriptor.
- The password is taken from the environment variable "SSHPASS".
- Set the password prompt. Sshpass searched for this prompt in the program'soutput to the TTY as an indication when to send the password. By defaultsshpass looks for the string "assword:" (which matches both "Password:" and"password:"). If your client's prompt does not fall under either of these,you can override the default with this option.
- Be verbose. sshpass will output to stderr information that should help debugcases where the connection hangs, seemingly for no good reason.
First and foremost, users of sshpass should realize that ssh's insistance ononly getting the password interactively is not without reason. It is close toimpossible to securely store the password, and users of sshpass should considerwhether ssh's public key authentication provides the same end-user experience,while involving less hassle and being more secure.The -p option should be considered the least secure of all of sshpass's options.All system users can see the password in the command line with a simple "ps"command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to createrace conditions without actually solving the problem. Users of sshpass areencouraged to use one of the other password passing techniques, which are allmore secure.In particular, people writing programs that are meant to communicate the passwordprogramatically are encouraged to use an anonymous pipe and pass the pipe's readingend to sshpass using the -d option.
As with any other program, sshpass returns 0 on success. In case of failure, the followingreturn codes are used:
- Invalid command line argument
- Conflicting arguments given
- General runtime error
- Unrecognized response from ssh (parse error)
- Invalid/incorrect password
- Host public key is unknown. sshpass exits without confirming the new key.In addition, ssh might be complaining about a man in the middle attack. Thiscomplaint does not go to the tty. In other words, even with sshpass, the errormessage from ssh is printed to standard error. In such a case ssh's return codeis reported back. This is typically an unimaginative (and non-informative) "255"for all error cases.
Run rsync over SSH using password authentication, passing the password on thecommand line:
rsync --rsh='sshpass -p 12345 ssh -l test' host.example.com:path .To do the same from a bourne shell script in a marginally less exposed way:
SSHPASS=12345 rsync --rsh='sshpass -e ssh -l test' host.example.com:path .
Sshpass is in its infancy at the moment. As such, bugs are highly possible. Inparticular, if the password is read from stdin (no password option at all), itis possible that some of the input aimed to be passed to ssh will be read bysshpass and lost.Sshpass utilizes the pty
(7) interface to control the TTY for ssh. This interface,at least on Linux, has a misfeature where if no slave file descriptors are open, themaster pty returns EIO
. This is the normal behavior, except a slave pty maybe born at any point by a program opening /dev/tty
. This makes it impossibleto reliably wait for events without consuming 100% of the CPU.Over the various versions different approaches were attempted at solving this problem.Any given version of sshpass is released with the belief that it is working, but experiencehas shown that these things do, occasionally, break. This happened with OpenSSH version 5.6.As of this writing, it is believed that sshpass is, again, working properly.
- SECURITY CONSIDERATIONS
- RETURN VALUES
This document was created byman2html,using the manual pages.