olamundo

Reputation: 24991

How to make ssh receive the password from stdin

How can you make SSH read the password from stdin, which it doesn't do by default?

Upvotes: 40

Views: 77014

Answers (9)

Someone

Reputation: 1

Automatically load SSH keys: add this to .bashrc and configure the environment variables.

export SSH_DIR="${HOME}/.ssh"
command mkdir -p "${SSH_DIR}"
eval "$(ssh-agent -s)" >/dev/null 2>&1
export SSH_AUTH_SOCK="${SSH_AUTH_SOCK}"
export SSH_AGENT_LIFE=14400 # 4 hours
export SSHADD_OPTS=""
export PASS_SSH_ENTRY_PREFIX="_ssh"
if command -v pass &>/dev/null \
&& command -v gpg &>/dev/null \
; then
  for _public_key in "${SSH_DIR}"/*.pub ; do
    _private_key="${_public_key%.pub}"
    _entry="$(basename "${_private_key}")"
    if command pass ls "${PASS_SSH_ENTRY_PREFIX}/${_entry}" &>/dev/null ; then
      if ! command ssh-add -l | command grep -qF -- "$(command ssh-keygen -lf "${_public_key}")" &>/dev/null ; then
        _ask="${SSH_DIR}/ssh-askpass.sh"
        (\
          echo '#!/usr/bin/env -S bash -euo pipefail' ; \
          echo ; \
          echo "command pass '${PASS_SSH_ENTRY_PREFIX}/${_entry}/password' | command head -n 1" \
        ) > "${_ask}"
        command chmod u+x "${_ask}"
        DISPLAY="${DISPLAY:-dummy}" \
        SSH_ASKPASS_REQUIRE=force \
        SSH_ASKPASS="${_ask}" \
        command ssh-add -t "${SSH_AGENT_LIFE}" ${SSHADD_OPTS:-} "${_private_key}"
      fi
    fi
  done
  command rm -f "${_ask}"
  unset _public_key _private_key _entry _ask
  #echo ; ssh-add -l
fi

My pass ssh entries:

$ pass _ssh/

_ssh
└── id_termux
    ├── cipher
    ├── note
    ├── password
    ├── privateKey.priv
    └── publicKey.pub
...

Upvotes: 0

Badr Elmers

Reputation: 1706

A better sshpass alternative is: https://github.com/clarkwang/passh

I ran into problems with sshpass: if the SSH server is not added to my known_hosts, sshpass will not show me any message. passh does not have this problem.

Upvotes: 4

starfry

Reputation: 9983

Distilling this answer leaves a simple and generic script:

#!/bin/bash
[[ $1 =~ password: ]] && cat || SSH_ASKPASS="$0" DISPLAY=nothing:0 exec setsid "$@"

Save it as pass, do a chmod +x pass and then use it like this:

$ echo mypass | pass ssh user@host ...

If its first argument contains password: then it passes its input to its output (cat); otherwise it launches whatever was presented, after setting itself as the SSH_ASKPASS program.

When ssh encounters both SSH_ASKPASS AND DISPLAY set, it will launch the program referred to by SSH_ASKPASS, passing it the prompt user@host's password:

Upvotes: 7
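The stdin relay described in this answer, as an added example that is not part of the original post: a function that points SSH_ASKPASS at a throwaway helper, so the password stays out of argv and off disk, and the helper declines every prompt that is not a password prompt (such as the host-key yes/no question). The name ssh_stdin_pass is hypothetical; it assumes OpenSSH 8.4 or newer, which honours the SSH_ASKPASS_REQUIRE variable used in another answer on this page.

```sh
#!/bin/sh
# Added example (not from the original answers).
# Assumption: OpenSSH >= 8.4, which honours SSH_ASKPASS_REQUIRE=force.
# Usage: echo "$password" | ssh_stdin_pass ssh user@host ...

ssh_stdin_pass() {
  # The helper holds no secret: it only relays one line of inherited stdin.
  _helper="$(mktemp "${TMPDIR:-/tmp}/askpass.XXXXXX")" || return 1
  cat > "$_helper" <<'EOF'
#!/bin/sh
# $1 is the prompt text ssh passes to the askpass program.
# Answer only password/passphrase prompts; refuse anything else so a
# host-key confirmation is never answered automatically.
case "$1" in
  *assword:*|*assphrase*) IFS= read -r secret && printf '%s\n' "$secret" ;;
  *) exit 1 ;;
esac
EOF
  chmod 700 "$_helper"

  _rc=0
  # DISPLAY is set the way the answers on this page set it; with
  # SSH_ASKPASS_REQUIRE=force the helper is used even when a tty exists.
  SSH_ASKPASS="$_helper" \
  SSH_ASKPASS_REQUIRE=force \
  DISPLAY="${DISPLAY:-none}" \
    "$@" || _rc=$?

  rm -f "$_helper"
  return "$_rc"
}
```

Because an unknown host makes the helper refuse the confirmation prompt, the connection fails instead of silently trusting the key; add the host to known_hosts first.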

yyttr3

Reputation: 109

I'm not sure of the reason you need this functionality, but it seems you can get this behavior with ssh-keygen.

It allows you to log in to a server without using a password by having a private RSA key on your computer and a public RSA key on the server.

http://www.linuxproblem.org/art_9.html

Upvotes: 2

steffen

Reputation: 17028

You can use sshpass, which is, for example, in the official Debian repositories. Example:

$ apt-get install sshpass
$ sshpass -p 'password' ssh username@server

Upvotes: 18

albfan

Reputation: 12970

Based on this post, you can do:

Create a command which opens an ssh session using SSH_ASKPASS (look for SSH_ASKPASS in man ssh)

$ cat > ssh_session <<EOF
export SSH_ASKPASS="/path/to/script_returning_pass"
setsid ssh "your_user"@"your_host"
EOF

NOTE: To keep ssh from trying to ask on the tty, we use setsid

Create a script which returns your password (note the echo "echo)

$ echo "echo your_ssh_password" > /path/to/script_returning_pass

Make them executable

$ chmod +x ssh_session
$ chmod +x /path/to/script_returning_pass

Try it

$ ./ssh_session

Keep in mind that ssh stands for secure shell, and if you store your user, host and password in plain text files you are misleading the tool and creating a possible security gap.

Upvotes: 28

pier

Reputation: 51

An old post reviving...

I found this one while looking for a solution to the exact same problem. I found something, and I hope someone will one day find it useful:

  1. Install ssh-askpass program (apt-get, yum ...)
  2. Set the SSH_ASKPASS variable (export SSH_ASKPASS=/usr/bin/ssh-askpass)
  3. From a terminal open a new ssh connection without an undefined TERMINAL variable (setsid ssh user@host)

This looks simple enough to be secure, but I did not check yet (just using it in a local secure context).

Here we are.

Upvotes: 5

pvoosten

Reputation: 3287

You can't with most SSH clients. You can work around it by using SSH APIs, like Paramiko for Python. Be careful not to overrule all security policies.

Upvotes: 10

Mark Rushakoff

Reputation: 258388

FreeBSD mailing list recommends the expect library.

If you need a programmatic ssh login, you really ought to be using public key logins, however -- obviously there are a lot fewer security holes this way as compared to using an external library to pass a password through stdin.

Upvotes: 4
