SSH Command Line Password Support

Daniel Kahn Gillmor dkg-openssh.com at fifthhorseman.net
Thu Aug 28 01:17:40 EST 2008


On Wed 2008-08-27 08:16:57 -0400, Jan-Frode Myklebust wrote:

> Unfortunately not every client can dictate how he's allowed
> to authenticate towards an external server. We need to push
> some data from a non-shared system to a Windows (free-sshd?)
> sftp server daily, and the admins there for some reason only
> allow password-based authentication.
>
> What would your answer be if you were in this situation?
> Say "no, this is impossible", or hack around it with expect?
 
As Carson Gaspar pointed out elsewhere in this thread, the ssh-askpass
functionality is already present, and could be scripted.

For a shell with a builtin echo, you could do something like the
following (untested, may need tweaking) in a script, and it should not
leak into the process table:

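authdir=$(mktemp -d)
mkfifo "$authdir/pw"
# SSH_ASKPASS must name one executable (ssh execs it directly), so wrap the cat
printf '#!/bin/sh\ncat "%s"\n' "$authdir/pw" > "$authdir/askpass"
chmod 700 "$authdir/askpass"
# background the writer: opening a FIFO for writing blocks until a reader opens it
echo 'this is my not-so-secret-passphrase' > "$authdir/pw" &
DISPLAY=nosuchdisplay SSH_ASKPASS="$authdir/askpass" ssh foo@bar
rm -rf "$authdir"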

Note that you want to make sure that ssh is not connected to a tty in
this case, or else it will try to ask for the password from the tty
anyway.  For scripts run from cronjobs, that shouldn't be a problem,
but testing them from your own shell might be confusing.  Jim Knoble
pointed out the possible use of setsid(1) for this very purpose a few
days ago on this list.

hth,

        --dkg
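
An added example, not part of the original message: the FIFO-plus-askpass approach described above as reusable shell functions, including the setsid(1) detach step and two ssh options that keep a second prompt from blocking on the already-drained FIFO. The function names, the secret-file path and the user@host in the usage comment are assumptions.

```shell
# Added example; make_askpass, feed_secret and ssh_password_login are
# hypothetical helper names, not part of OpenSSH.

# Create a private directory with a FIFO and an askpass helper; print its path.
make_askpass() {
    ap_dir=$(mktemp -d) || return 1          # mktemp -d creates it mode 0700
    mkfifo -m 600 "$ap_dir/pw" || return 1
    # ssh execs SSH_ASKPASS as a single program, so the cat goes in a script.
    printf '#!/bin/sh\nexec cat "%s"\n' "$ap_dir/pw" > "$ap_dir/askpass"
    chmod 700 "$ap_dir/askpass"
    printf '%s\n' "$ap_dir"
}

# Read one line (the secret) from stdin and queue it on the FIFO.
# read and printf are builtins in bash and dash, so the secret never
# appears in any process's argv. The writer is backgrounded because
# opening a FIFO for writing blocks until a reader opens it.
feed_secret() {
    IFS= read -r fs_secret || return 1
    ( printf '%s\n' "$fs_secret" > "$1/pw" ) &
    unset fs_secret
}

# Run ssh detached from any controlling tty so it has to use the helper.
# NumberOfPasswordPrompts=1: the FIFO holds one answer, a retry would hang.
# StrictHostKeyChecking=yes: an unknown host key fails instead of prompting.
ssh_password_login() {
    sp_dir=$1; shift
    DISPLAY=nosuchdisplay SSH_ASKPASS="$sp_dir/askpass" \
        setsid ssh -o NumberOfPasswordPrompts=1 \
                   -o StrictHostKeyChecking=yes "$@" < /dev/null
}

# Usage (constructed values):
#   dir=$(make_askpass) && trap 'rm -rf "$dir"' EXIT
#   feed_secret "$dir" < "$HOME/.sftp-pass"     # file kept mode 0600
#   ssh_password_login "$dir" user@host.example
```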
More information about the openssh-unix-dev mailing list