[Bug 3258] New: Feature request: Ability to configure password authentication to be automatically read from file

bugzilla-daemon at mindrot.org
Tue Feb 2 17:26:40 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3258

            Bug ID: 3258
           Summary: Feature request: Ability to configure password
                    authentication to be automatically read from file
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: chrislambert at cmu.edu

Created attachment 3468
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3468&action=edit
My local patch (based on the Fedora 33 repo)

Right now, the only way to connect to hosts that require password
authentication is to enter in the password manually, or rely on a hack
using expect or sshpass.  The former is annoying, and the other options
are not configurable to specific hosts and become a burden to set up
with software that depends on ssh.  I propose adding an option
"PasswordFile" to the config that allows users to choose a file to use
the first line of as the password during auth instead of prompting the
user---similar to IdentityFile but for password auth.

My university systems (and from what I can tell some other
universities) disallow public-key authentication (due to technical
constraints with a custom FS from what I've been told), so I'm sure
there are a fair number of people who have been using workarounds to
automate this.  I've somewhat recently made a small patch to my
system's OpenSSH to have this feature, and it is substantially more
convenient and less frustrating to work with than sshpass or expect.  I
cleaned up the patch I used and attached it for reference, but it lacks
documentation/tests and I doubt it meets the general code standards for
OpenSSH (if this is something that would be good to add, I'd be fine
fixing that though).

As for the security of this, I personally can't think of a reason why
this would be too much worse than having non-passphrased private
keys/IdentityFiles on the filesystem, and a fair number of users who
might use this feature are probably already doing something similar
just with a workaround.  Then again, I would see why this might be
outside of what OpenSSH wants to encourage.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
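
The comparison with IdentityFile in the report above depends on the password file being protected like a private key file, which ssh refuses to use when its permissions are too open. The sketch below is an added example, not the reporter's attached patch and not OpenSSH code; `read_password_file` and its refusal rules are assumptions chosen for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not OpenSSH code): copy the first line of `path` into
 * buf. Returns 0 on success, -1 if the file is refused or unreadable. */
int read_password_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    FILE *f;
    int fd, ok = -1;

    /* O_NOFOLLOW: refuse a symlink as the final path component. */
    if (buflen < 2 || (fd = open(path, O_RDONLY | O_NOFOLLOW)) == -1)
        return -1;
    /* fstat() the open descriptor so the checks and the read use the same
     * file: regular file, owned by the caller, no group/other mode bits. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & 077) != 0 ||
        (f = fdopen(fd, "r")) == NULL) {
        close(fd);
        return -1;
    }
    if (fgets(buf, (int)buflen, f) != NULL) {
        size_t n = strcspn(buf, "\r\n");
        /* Accept only a complete, non-empty line; never a truncated one. */
        if (n > 0 && (buf[n] != '\0' || feof(f))) {
            buf[n] = '\0';
            ok = 0;
        }
    }
    if (ok != 0)
        memset(buf, 0, buflen); /* leave no partial secret behind */
    fclose(f);
    return ok;
}
```

A caller would fall back to the interactive prompt when this returns -1, so a misconfigured file fails closed instead of sending a wrong or truncated password.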

