SSH Command Line Password Support

Daniel Kahn Gillmor dkg-openssh.com at fifthhorseman.net
Wed Aug 27 07:06:06 EST 2008


On Sat 2008-08-16 10:04:35 -0400, Dag-Erling Smørgrav wrote:

> GB <gusgl2001 at yahoo.com> writes:
>> I am interested in an ssh that is not interactive in requesting the
>> password, i.e., whereas I can specify the password in the command line
>> when calling SSH.
>
> ps -fe
>
> Just use a passphrase-less keypair.

On Tue 2008-08-26 16:12:18 -0400, GB wrote:

> I have successfully implemented the password in the argument line
> for both ssh and scp.
>
> I would be more than willing to share my code so that it will become
> an official part of ssh and scp to satisfy the needs of users out
> there using scripts and the like.
>
> I don't consider the code to be the most secure possible, but it
> took 10 minutes to implement in ssh and 20 on scp, so modifications
> by you to make it compliant would be minimal.

What Dag-Erling was pointing out above is that the command line
arguments of any process are visible to all users on most UNIX-style
systems simply by using the "ps" command.

This means that anything you put on the command line is not secure,
and it would be a mistake for OpenSSH to encourage this behavior in
its users.

Dag-Erling also offered you another technique to achieve your stated
goal of "the needs of users out there using scripts", which is to use
a passphrase-less keypair for scripted connections.  You might want to
read Brian Hatch's "SSH User Identities" [0], and Matt Taggart's "Good
practices for using SSH" [1].

I'm afraid it would be ill-advised for OpenSSH to adopt your proposed
patch, since better, more secure options already exist.

Regards,

        --dkg

[0] http://www.securityfocus.com/infocus/1810
[1] http://lackof.org/taggart/hacking/ssh/
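
The exposure described in the message above, as an added example that is not part of the original message or of OpenSSH: a child process receives a constructed secret once as a command-line argument and once on stdin, and the script reports whether the child's argument list reveals it. The names SECRET, visible_args and secret_exposed are made up for this illustration; it assumes a Linux /proc and otherwise falls back to "ps".

```python
import subprocess
import sys

SECRET = "constructed-demo-password"  # constructed sample value, not a real credential


def visible_args(pid):
    """Return the argument list of `pid` as other local processes can read it."""
    try:
        # On Linux this file is world-readable unless /proc is mounted
        # with the hidepid option.
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            raw = f.read()
        return [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    except FileNotFoundError:
        # No /proc: ask ps for the same information.
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True).stdout
        return out.split()


def secret_exposed(via):
    """Hand SECRET to a child via 'argv' or 'stdin'; True if its args leak it."""
    # The child blocks reading stdin, so it is still alive when inspected.
    argv = [sys.executable, "-c", "import sys; sys.stdin.read()"]
    if via == "argv":
        argv.append(SECRET)            # what a password-on-command-line option does
    child = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        if via == "stdin":
            child.stdin.write(SECRET.encode() + b"\n")  # travels over a private pipe
            child.stdin.flush()
        return any(SECRET in arg for arg in visible_args(child.pid))
    finally:
        child.stdin.close()            # EOF lets the child exit
        child.wait()


if __name__ == "__main__":
    for channel in ("argv", "stdin"):
        print(f"secret passed via {channel}: visible in process list = "
              f"{secret_exposed(channel)}")
```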

More information about the openssh-unix-dev mailing list