Automatically enter SSH password with script
I need to create a script that automatically inputs a password to OpenSSH ssh client.
Let's say I need to SSH into myname@somehost with the password a1234b.
I've already tried...
#~/bin/myssh.sh
ssh myname@somehost
a1234b
...but this does not work.
How can I get this functionality into a script?
key exchange is the better way to handle this. Alternatively you can use expect scripts.
– ernie
Aug 30 '12 at 17:47
How do I do either of these?
– user1467855
Aug 30 '12 at 17:48
@user1467855, can you confirm that you have only one host you wish to log into? And that you wish to be able to log into this from any computer?
– Aaron McDaid
Aug 30 '12 at 18:37
13 Answers
First you need to install sshpass.
apt-get install sshpass
yum install sshpass
pacman -S sshpass
Example:
sshpass -p "YOUR_PASSWORD" ssh -o StrictHostKeyChecking=no YOUR_USERNAME@SOME_SITE.COM
Custom port example:
sshpass -p "YOUR_PASSWORD" ssh -o StrictHostKeyChecking=no YOUR_USERNAME@SOME_SITE.COM -p 2400
Notes:
sshpass
-f
-f
ps
This is much better than using Expect.
– Per Mejdal Rasmussen
Jul 19 '13 at 7:59
great answer! solved my problem in 20 seconds
– Lucas
Mar 7 '14 at 21:02
Just be aware that while sshpass blocks your password from commands like ps -aux, you shouldn't normally run commands by typing your password because other users on the same computer may be able to see the password by running ps -aux. If practical, you also want to use public key authentication instead, as mentioned in the other answer. This allows you to separate authentication info from your script so you can share your script with others worry-free, and later decide to enable encryption on your ~/.ssh folder without also encrypting your script.
– Alexander Taylor
Oct 30 '14 at 0:33
@mauvm The link is currently working fine.
– abbotto
Jan 29 '16 at 18:18
for custom port to work add "-p port-number" at the end of command
– Ye Lwin Soe
Aug 29 '16 at 7:27
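Several comments on this page point out that a password given on the command line can be read by other users through ps. As an added example (not part of any answer here), the wrapper below uses the -f option from the sshpass synopsis quoted on this page to read the password from a file, and refuses files that other users could read. The function names and the password file path are assumptions.

```shell
#!/bin/sh
# Added example: keep the SSH password out of argv by using sshpass -f.
# Assumption: the password file holds only the password on its first line.
#
# Usage (constructed path, host taken from the question):
#   ssh_with_pwfile "$HOME/.somehost.pw" myname@somehost

# Succeeds only if FILE is a regular file (not a symlink), owned by the
# current user, with no permission bits set for group or others.
pwfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ln prints: mode, link count, numeric uid, ...
    ls -ln -- "$1" | (
        read -r mode _links uid _rest || exit 1
        [ "$uid" = "$(id -u)" ] || exit 1
        case "$mode" in
            # owner bits only; a trailing "." is the SELinux context marker
            -r[-w][-x]------|-r[-w][-x]------.) exit 0 ;;
            *) exit 1 ;;
        esac
    )
}

# Run ssh with the password supplied by sshpass from PWFILE, so it never
# appears in the process list. Host key checking stays at ssh's default.
ssh_with_pwfile() {
    pwfile=$1
    shift
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing: $pwfile must be your own regular file, mode 600 or 400" >&2
        return 1
    fi
    sshpass -f "$pwfile" ssh "$@"
}
```

Create the password file under umask 077 so it is never readable by others, even briefly.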
Use public key authentication: https://help.ubuntu.com/community/SSH/OpenSSH/Keys
In the source host run this only once:
ssh-keygen -t rsa # ENTER to every field
ssh-copy-id myname@somehost
That's all, after that you'll be able to do ssh without password.
I see. But I am REQUIRED to ssh with password. This is because, "I" may have the script on a thumb drive and need to run it from any computer; while not disabling the need for password.
– user1467855
Aug 30 '12 at 17:54
You can also store the private key on the said thumb drive.
– Kimvais
Aug 30 '12 at 18:21
@user1467855, I think you need to better explain your requirements. Nobody is suggesting that you have an unsecure network. In the public-key approach, it would still be possible for users to log in with the password. But you would copy the private key onto your thumb drive, which means the thumb drive would be the only thing that can log in without a password.
– Aaron McDaid
Aug 30 '12 at 18:36
Unfortunately, I am in OP situation, because the sysadmin disallows authentication by rsa/dsa keys and requires passwords. What are you gonna do.
– Karel Bílek
Apr 9 '13 at 21:33
Downvoted because this doesn't even try to answer the actual question asked.
– Parthian Shot
Sep 6 '16 at 18:06
After looking for an answer to the question for months, I finally found the best solution: writing a simple script.
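#!/usr/bin/expect
# usage: exp <password> <command> [args...]
set timeout 20
# everything after the first argument is the command to run
set cmd [lrange $argv 1 end]
# the first argument is the password
set password [lindex $argv 0]
eval spawn $cmd
# matches both "Password:" and "password:"
expect "assword:"
# \r is the Enter key that submits the password
send "$password\r";
interact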
Put it in /usr/bin/exp, then you can use:
exp <password> ssh <anything>
exp <password> scp <anysrc> <anydst>
Done!
This answer should get more votes imo, it is a great wrapper. Just tried a few common operations like rsyncing with various flags and remote command execution and it worked every time. Added to my toolbox of useful scripts, Thanks @damn_c!
– user2082382
May 9 '16 at 11:12
I used this to get around having to type in a password every time I ran an Ansible script on a new server instance that did not yet have my key in ~/.ssh/authorized_keys.
exp <password> ansible-playbook set-user-remove-password-login.yml -k
To my great pleasure, the password was typed in when ansible prompted me with the SSH password:
– DMfll
Jun 11 '16 at 23:19
The reason why this is IMO not a very good answer is because the password is written in the script which is by far the least secure method...
– PierreE
Mar 23 '17 at 0:46
The password will be visible by anyone who runs ps on the machine.
– Daniel Persson
Jun 29 '17 at 13:31
"assword" is amazing :-)
– Ciro Santilli 新疆改造中心 六四事件 法轮功
Jul 29 '17 at 9:29
You could use an expect script. I have not written one in quite some time but it should look like below. You will need to head the script with #!/usr/bin/expect
#!/usr/bin/expect -f
spawn ssh HOSTNAME
expect "login:"
send "username\r"
expect "Password:"
send "password\r"
interact
I did as you suggested but get the following errors:
/bin/myssh.sh: 2: spawn: not found /bin/myssh.sh: 3: expect: not found /bin/myssh.sh: 4: send: not found /bin/myssh.sh: 5: expect: not found /bin/myssh.sh: 6: send: not found
– user1467855
Aug 30 '12 at 18:02
Thanks Aaron for modifying my answer to be correct. You may need to run the below command to find the correct path to put in for expect.
which expect
– Lipongo
Aug 30 '12 at 19:53
@user1467855, I updated Lipongo's answer slightly.
– glenn jackman
Aug 30 '12 at 22:25
You can also use this shebang line:
#!/usr/bin/env expect
– glenn jackman
Aug 30 '12 at 22:26
I added interact to the end so the ssh session is actually interactive
– Karel Bílek
Apr 9 '13 at 22:02
Variant I
sshpass -p PASSWORD ssh USER@SERVER
Variant II
#!/usr/bin/expect -f
spawn ssh USERNAME@SERVER "touch /home/user/ssh_example"
expect "assword:"
send "PASSWORD\r"
interact
The -p flag is for specifying a port number.
– Kookerus
Nov 18 '15 at 21:15
No. sshpass is not ssh.
SYNOPSIS sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments
– RemiZOffAlex
Nov 19 '15 at 18:03
My bad, I read it as ssh.
– Kookerus
Nov 19 '15 at 18:50
In order to run sshpass in Linux CentOS you must yum -y install epel-release and then yum -y install sshpass
– Junior M
Sep 28 '16 at 18:14
In this context of this data can be ignored
– RemiZOffAlex
Sep 28 '16 at 22:43
# create a file that echo's out your password .. you may need to get crazy with escape chars or for extra credit put ASCII in your password...
echo "echo YerPasswordhere" > /tmp/1
chmod 777 /tmp/1
# sets some vars for ssh to play nice with something to do with GUI but here we are using it to pass creds.
export SSH_ASKPASS="/tmp/1"
export DISPLAY=YOURDOINGITWRONG
setsid ssh root@owned.com -p 22
reference: https://www.linkedin.com/pulse/youre-doing-wrong-ssh-plain-text-credentials-robert-mccurdy?trk=mp-reader-card
I think this article is just being sarcastic!
– Yan Foto
Oct 21 '16 at 15:09
sshpass
I stumbled on this thread while looking for a way to ssh into a bogged-down server -- it took over a minute to process the SSH connection attempt, and timed out before I could enter a password. In this case, I wanted to be able to supply my password immediately when the prompt was available.
(And if it's not painfully clear: with a server in this state, it's far too late to set up a public key login.)
sshpass to the rescue. However, there are better ways to go about this than sshpass -p.
My implementation skips directly to the interactive password prompt (no time wasted seeing if public key exchange can happen), and never reveals the password as plain text.
#!/bin/bash
# preempt-ssh.sh
# usage: same arguments that you'd pass to ssh normally
echo "You're going to run (with our additions) ssh $*"
# Read password interactively and save it to the environment
# (read -s and -p are bash features, hence the bash shebang)
read -s -p "Password to use: " SSHPASS
export SSHPASS
# have sshpass load the password from the environment, and skip public key auth
# all other args come directly from the input
sshpass -e ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no "$@"
# clear the exported variable containing the password
unset SSHPASS
note to self: update script to use trap to prevent ctrl-C from leaking the SSHPASS variable
– Ian
Mar 28 at 2:25
sshpass + autossh
One nice bonus of the already-mentioned sshpass is that you can use it with autossh, eliminating even more of the interactive inefficiency.
sshpass -p mypassword autossh -M0 -t myusername@myserver.mydomain.com
This will allow autoreconnect if, e.g. your wifi is interrupted by closing your laptop.
Note that you can't add option -f to autossh in this combination, because when used with autossh, ssh will be *unable* to ask for passwords or passphrases.
harding.motd.ca/autossh/README.txt also superuser.com/questions/1278583/…
– allenyllee
Aug 23 at 15:49
I got this working as follows
.ssh/config was modified to eliminate the yes/no prompt - I'm behind a firewall so I'm not worried about spoofed ssh keys
host *
StrictHostKeyChecking no
Create a response file for expect i.e. answer.expect
set timeout 20
set node [lindex $argv 0]
spawn ssh root@$node service hadoop-hdfs-datanode restart
expect "*?assword*"
send "password\r" ;# <- your password here
interact
Create your bash script and just call expect in the file
#!/bin/bash
i=1
while [ $i -lt 129 ] # a few nodes here
do
expect answer.expect hadoopslave$i
i=$((i + 1))
sleep 5
done
Gets 128 hadoop datanodes refreshed with new config - assuming you are using a NFS mount for the hadoop/conf files
Hope this helps someone - I'm a Windows numpty and this took me about 5 hours to figure out!
I have a better solution that includes login with your account than changing to root user.
It is a bash script
http://felipeferreira.net/index.php/2011/09/ssh-automatic-login/
The answer of @abbotto did not work for me, had to do some things differently:
To get key-exchange to work from a thumbdrive, you have to copy your private key to your drive, and specify it in your ssh command (to avoid using the local account's private key), e.g.:
ssh -i id_rsa host
Alternatively, you could use expect (which is a separate script from shell). Here's a previous question regarding SSH and expect.
Note that anyone will be able to open the expect script and see the login credentials in plain text.
I get the same error I got to @Lipongo 's suggestion.
– user1467855
Aug 30 '12 at 18:22
Why would key exchange not work?
– Kimvais
Aug 30 '12 at 18:22
@Kimvais The host will keep changing if he's running off a thumbdrive
– ernie
Aug 30 '12 at 18:23
What host will keep changing?
– Kimvais
Aug 30 '12 at 18:24
Ah, I guess you're suggesting to use ssh -i private_key on the thumb drive . . . edited my answer to reflect that
– ernie
Aug 30 '12 at 18:34
To connect to a remote machine through shell scripts, use the command below:
sshpass -p PASSWORD ssh -o StrictHostKeyChecking=no USERNAME@IPADDRESS
where IPADDRESS, USERNAME and PASSWORD are input values which need to be provided in the script, or if we want to provide them at runtime, use the "read" command.
What does this answer show on top of existing answers? + Never ever suggest anyone to use StrictHostKeyChecking=no without explaining the consequences.
– Martin Prikryl
Aug 12 '17 at 16:48
Use public key authentication.
– jordanm
Aug 30 '12 at 17:45