SSH Command Line Password Support

Jan-Frode Myklebust janfrode at tanso.net
Wed Aug 27 22:16:57 EST 2008


On 2008-08-27, djm at mindrot.org <djm at mindrot.org> wrote:
>
> That being said, there is no way we will add an option like this.
> OpenSSH already has a perfectly good way of "handsfree" authentication
> in the form of public keys. Furthermore, passwords-on-commandlines are
> trivially observable by other users on a shared system and have been
> rightly considered insecure since forever.

Unfortunately not every client can dictate how he's allowed
to authenticate towards an external server. We need to push
some data from a non-shared system to a Windows (free-sshd?)
SFTP server daily, and the admins there for some reason only
allow password-based authentication.

What would your answer be if you were in this situation?
Say "no, this is impossible", or hack around it with expect?



> If you are thinking that such a hack is okay for your system because
> it is not shared with other users, then consider that any attacker who
> breaks into a low privilege account now has a perfect opportunity to
> steal a password to a different host.

I'd love to use RSA keys if they would let me. Now they won't,
and the lack of a client-side --password option forces me to use an ugly
expect script, in which it is not very easy to handle error conditions.



   -jf
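
The exposure raised in the quoted reply, that command-line arguments are visible to other local users, can be audited on your own hosts. The following is an added example, not part of the original thread or of OpenSSH: a Python check that flags password-bearing arguments in process command lines and redacts the values. The flag patterns, the `backup-tool` name and the sample command lines are constructed assumptions.

```python
import os
import re

# Assumed patterns for illustration; extend for the tools in your environment.
INLINE = re.compile(r"^(--?(?:password|passwd|pass|pw))=(.+)$", re.I)
SEPARATE = {"--password", "--passwd", "--pass"}
TOOL_FLAGS = {"sshpass": {"-p"}}  # sshpass -p takes the password as the next argument

def find_exposed(argv):
    """Return a redacted copy of argv and the indices that held a secret."""
    redacted, hits = list(argv), []
    tool = os.path.basename(argv[0]) if argv else ""
    i = 0
    while i < len(argv):
        arg = argv[i]
        m = INLINE.match(arg)
        takes_value = arg.lower() in SEPARATE or arg in TOOL_FLAGS.get(tool, ())
        if m:
            redacted[i] = m.group(1) + "=<redacted>"
            hits.append(i)
        elif takes_value and i + 1 < len(argv):
            redacted[i + 1] = "<redacted>"
            hits.append(i + 1)
            i += 1  # skip the value we just redacted
        i += 1
    return redacted, hits

def scan_proc(root="/proc"):
    """Yield (pid, redacted argv) for each readable process exposing a secret."""
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, pid, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or access was denied
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        redacted, hits = find_exposed(argv)
        if hits:
            yield int(pid), redacted

# Constructed sample command lines (not from the original post).
SAMPLES = [
    ["sshpass", "-p", "hunter2", "sftp", "user@sftp.example.com"],
    ["sftp", "-i", "/home/jf/.ssh/id_rsa", "user@sftp.example.com"],
    ["backup-tool", "--password=hunter2", "--host", "sftp.example.com"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print(find_exposed(argv))
```

`scan_proc()` applies the same check to live processes on a Linux host and reports only redacted command lines, so its output can go into a ticket or log without repeating the secret.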



More information about the openssh-unix-dev mailing list