Kay

Reputation: 2077

Security of sshpass

How secure is using sshpass?

I read in many discussions that sshpass is not secure, because it stores the password in a log file as well as in the history file. But if I use it in the following way, will it be secure?

pass=''
if [ "$pass" == "" ];then
read -s -p "Enter Your Password: " pass
fi
sshpass -p "$pass" ......

Upvotes: 1

Views: 3613

Answers (2)

alkemyst

Reputation: 11

I would say that the two obvious issues with sshpass are

  1. passwords are likely to be stored insecurely
  2. the password is likely visible to any user having access to the machine, since the command-line parameters are visible by calling ps

Upvotes: 1
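
The second point in the answer above, as an added example that is not part of either answer: a script that checks whether a secret passed to a child process shows up in that process's command line. It assumes a Linux `/proc` (falling back to `ps`), uses a stand-in `sh` child rather than sshpass itself, a constructed secret, and the `SSHPASS` environment variable that sshpass's `-e` option reads, for comparison.

```shell
#!/bin/sh
# Constructed demo value, not a real credential.
DEMO_SECRET='constructed-demo-pw-123'

# Print the command line of a PID as any local user can read it.
# /proc/PID/cmdline is world-readable on Linux; ps shows the same data.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in child that receives the secret either as an argument
# (the shape of `sshpass -p "$pass"`) or in the SSHPASS environment
# variable (the shape of `sshpass -e`), then report whether the secret
# is visible in the child's command line.
check_exposure() {
    case "$1" in
        argv) sh -c 'sleep 5; :' stand-in -p "$DEMO_SECRET" >/dev/null 2>&1 & ;;
        env)  SSHPASS="$DEMO_SECRET" sh -c 'sleep 5; :' stand-in -e >/dev/null 2>&1 & ;;
        *)    return 2 ;;
    esac
    pid=$!
    sleep 1    # give the child time to exec before inspecting it
    case "$(argv_of "$pid")" in
        *"$DEMO_SECRET"*) result=exposed ;;
        *)                result=hidden ;;
    esac
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

echo "secret as argument:        $(check_exposure argv)"
echo "secret in the environment: $(check_exposure env)"
```

The environment is not public in the same way: on Linux `/proc/PID/environ` is readable only by the process owner and root, so the `env` case moves the secret out of other users' view rather than removing it from the machine.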

Shachar Shemesh

Reputation: 8573

Your code snippet is meaningless. If you're going to be reading the password from the user, might as well just run ssh. Sshpass isn't meant for replacing those use cases.

Also, sshpass doesn't store the password anywhere. Rather, in order to use sshpass in any meaningful way, you will need to store the password somewhere. This is less secure than using public key authentication. Sshpass was meant to be used in cases where a public key isn't an option.

One such common use case is cloud server providers that provision servers with some default password, but without working public key authentication. In order to get public key authentication up and running from a script, one must first do a password authentication. Sshpass bridges that gap.

In general, one should only use sshpass as a last resort, when no other alternative is available.

EDITED TO ADD

To plainly answer the question: sshpass is very secure. It does not leak your password in any way or form. Its use pattern, however, requires you to store the password in an insecure way.

In other words, sshpass is secure, but using it means you are doing insecure things. Just how insecure is up to you.

Upvotes: 9
