Linux автоматический ввод пароля

How to automate SSH login with password?

This doesn’t work. I remember I did this with some tricks somebody guided me, but I can’t remember now the trick I used.

FreeBSD did not accept password-less keys. Don’t be tempted. However some Linux servers accepted it. I believe the Linux server was misconfigured.

This is a valid question. For example, I want to allow a user to enter a password, then login in to another machine using it. I can’t assume that there will be ssh keys distributed across all our machines. The answers below so far do not help this situation.

Very important question. I need an answer too, my webspace provider blocks to put keyfiles on the server, so I must pass the passwort without keyfiles.

Here is a purely bash answer, — file starts — #!/bin/bash [[ $1 =~ password: ]] && cat || SSH_ASKPASS=»$0″ DISPLAY=nothing:0 exec setsid «$@» — file ends— Save it as pass, do a chmod +x pass and then use it like this: $ echo mypass | ./pass ssh user@host

9 Answers 9

Don’t use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/username/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/username/.ssh/id_rsa. Your public key has been saved in /home/username/.ssh/id_rsa.pub. 

Copy your keys to the target server:

$ ssh-copy-id id@server id@server's password: 

Now try logging into the machine, with ssh ‘id@server’ , and check-in:

Note: If you don’t have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

These kinds of answers really, really annoy me. That wasn’t the question. Nobody asked how to use key pairs.

This does not answer the question. It is a good answer for a completely different question, but it is terrible for the one asked.

$ sudo apt-get install sshpass $ sshpass -p your_password ssh user@hostname 

Yup, sometimes you can’t use key based auth for various reasons.. for example right now I can’t use keyauth on a plesk server because out the box it’s not enabled and I don’t have root.

+1! As a side note, you need to run plain ssh once before using sshpass , in order to confirm the RSA fingerprint

-1 for having to use the password in the command. This logs the password at .bash_history in plain text on your machine.

Pro tip: If you don’t want to have a specific command show up in .bash_history, prefix the command with a space. It just works. However, users of this command should be more concerned that non-privileged users on the system can see the full command-line with ps, which, of course, includes the password. Since ssh sessions tend to be long-lived, this is a security issue.

While the correct answer for your question is sshpass (see other answer for details), there is a more secure way — SSH keys. You are just three easy steps away from the solution:

All the following commands are being run on the client side, i.e. your machine

Enter the following command to start generating a rsa keypair:

When the message ‘Enter file in which to save the key’ appears, just leave the filename blank by pressing Enter.

When the terminal asks you to enter a passphrase, just leave this blank (Warning: read below) too and press Enter.

Then copy the keypair onto the server with one simple command:

you can now log in without a password:

WARNING: Leaving SSH keys exposed without encrypting them is a not good practice even if you encrypt your whole drive. What is much safer is to actually enter a passphrase when generating keys and then use Keychain (MacOS, Linux) or SSH agent to remember the passphrase until you signout or suspend or timeout, depending on what you prefer.

Works fine with the default values. Using ~/rsa4live.pub didn’t work for me when attempting ssh-copy-id .

If you want this steps to work for different user, 1. ssh-keygen 2. ssh-copy-id nazir@hostname 3. ssh nazir@hostname

#!/usr/bin/expect -f # ./ssh.exp password 192.168.1.11 id set pass [lrange $argv 0 0] set server [lrange $argv 1 1] set name [lrange $argv 2 2] spawn ssh $name@$server match_max 100000 expect "*?assword:*" send -- "$pass\r" send -- "\r" interact 

# ./1.ex password localhost ooshro spawn ssh ooshro@localhost ooshro@localhost's password: Linux ubuntu-1010-server-01 2.6.35-25-generic-pae #44-Ubuntu SMP Fri Jan 21 19:01:46 UTC 2011 i686 GNU/Linux Ubuntu 10.10 Welcome to Ubuntu! * Documentation: https://help.ubuntu.com/ Last login: Tue Mar 1 12:41:12 2011 from localhost 

it will be good to add -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null for ssh command as well to avoid accept the machine into known_hosts

More detailed example of this script you can find at: linuxaria.com/howto/… This examples here should work with remote commands too

SSH single sign-on is usually achieved with public key authentication and an authentication agent. You could easily add your test VM key to an existing auth agent (see example below). Other methods such as gssapi/kerberos exist but are more complex.

sshpass

In situations where password is the only authentication method available, sshpass can be used to automatically enter the password. Please pay particular attention to the SECURITY CONSIDERATIONS section of the man page. In all three options, the password is visible or stored in plaintext at some point:

Anonymous pipe (recommended by sshpass)

# Create a pipe PIPE=$(mktemp -u) mkfifo -m 600 $PIPE # Attach it to file descriptior 3 exec 3<>$PIPE # Delete the directory entry rm $PIPE # Write your password in the pipe echo 'my_secret_password' >&3 # Connect with sshpass -d sshpass -d3 ssh user@host # Close the pipe when done exec 3>&- 

It is quite cumbersome in bash, arguably easier with programming languages. Another process could attach to your pipe/fd before the password is written. The window of opportunity is quite short and limited to your processes or root.

Environment variable

# Set your password in an environment variable export SSHPASS='my_secret_password' # Connect with sshpass -e sshpass -e ssh user@host 

You and root can read your process’ environment variables (i.e. your password) while sshpass is running ( cat /proc//environ | tr ‘\0’ ‘\n’ | grep ^SSHPASS= ). The window of opportunity is much longer but still limited to your own processes or root, not other users.

Command-line argument (least secure)

 sshpass -p my_secret_password ssh user@host 

This is convenient but less secure as described in the man page. Command line arguments are visible to all users (e.g. ps -ef | grep sshpass ). sshpass attempts to hide the argument, but there is still a window during which all users can see your password passed by argument.

Side note

Set your bash HISTCONTROL variable to ignorespace or ignoreboth and prefix your sensitive commands with a space. They won’t be saved in history.

SSH public key authentication

# Generate a key pair # Do NOT leave the passphrase empty ssh-keygen # Copy it to the remote host (added to .ssh/authorized_keys) ssh-copy-id user@host 

The passphrase is very important. Anyone somehow obtaining the private key file won’t be able to use it without the passphrase.

Setup the SSH authentication agent

# Start the agent eval `ssh-agent` # Add the identity (private key) to the agent ssh-add /path/to/private-key # Enter key passphrase (one time only, while the agent is running) 

The advantage is that your private key is encrypted and you only need to enter its passphrase once (via a safer input method too).

Источник

Automatically input a password when a bash script is run [duplicate]

How do I put the root password into the script so that it accepts it as the password when it reads and executes the sudo line (so I don’t have to type it manually)?

1 Answer 1

Spawning an expect session within your bash script is typically how you automate interactive prompts.

expect -c " spawn sudo setpci -s 00:02.0 F4.B=00 expect -nocase \"password:\" " 

Note that this isn’t the recommended approach in this case as it is a huge security hole to store your root password in a bash script.

The correct solution would be to edit your /etc/sudoers/ to not prompt you for a password for that binary.

#in /etc/sudoers neohexane ALL=(ALL) NOPASSWD : /usr/bin/setpci 

«isn’t recommended» seems like an understatement. I’d remove the expect solution altogether. Unless this is his own personal box, he should absolutely not be leaving the root password lying around in a plain text file.

I think it’s worth keeping as an example of how to use expect. I’ll emphasise how not recommended it is.

Leaving the password «Lying around» is the real problem with security. You can not automate a system unless the automatic has the password, and giving that password securely is a major pain. Even using the best method given. (using «—login-path»), is technically not real secure as the password is still there, just encrypted. Without more information what is to say a hacker that gets on the system can extract the password from the «.mylogin.cnf» file? Still it that is the most secure method so far.

Источник

How to enter password only once in a bash script needing sudo

Perhaps I’m missing something, but can you explain how this reduces the number of password prompts from two to one? Otherwise I don’t see how this answers the question.

@Oliphaunt I don’t see two password prompts, can you explain that? Also, this answer is not what OP wants, but what it needs. Is clean and proper solution when you need to run commands as root, and how other utilities do (check if root, otherwise bail out)

The OP’s problem (as I understand it) is that the user is prompted for their password by sudo and then (upon succesfully authenticating) again by mount . In their use case, these passwords are identical so I can see why the OP would like the user to only have to enter this password once. I don’t believe your solution helps with this. I do agree that one shouldn’t capture passwords.

Thanks, but I might have oversimplified the question a bit: It is a script already, already contains that test (except the 1>&2 ), is in the autostart and it used to be just one cifs share, but now it’s three, so really one password is needed. (It already contains that test in case someone else, not member of the operators group, tries to run it)

@Fabby I still think you are approaching the problem incorrectly. For these cases there are helper to «remember» the password of a CIFS/SMB share securely (editing ~/.smbcredentials for example), and even without the need of sudo (if you use gvfs, umount or polkit).

I’m dumb!

#!/bin/bash read -p "Password: " -s szPassword printf "%s\n" "$szPassword" | sudo --stdin mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER,password="$szPassword" 

just works and:

1. Doesn’t create any files containing passwords
2. Allows the user to type only one password for multiple shares (including Windows ones)
3. Has no need for extra privileges to be granted. 🙂

Require no sudo password for executing this command; the password prompt for mount remains.

In sudoers , include something like

ALL ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=* 

After including this, sudo will no longer ask for a password for this specific command; the user still needs to provide a password to the mount command.

Note: I took the command verbatim from what you included in the question; I didn’t check whether its wildcards would allow for users to do something nasty. Read the sudoers manpage for examples of nastiness. In particular, note that this line in sudoers allows the user to add any number of -o switches or other arguments to mount . You may want to rethink your approach, e.g. by adding a script such as @Braiam proposes and allow running that through sudo without extra authentication. The script then ensures that users can only run the specific form of mount that you want them to run.

Also, instead of allowing this for all users, you could also limit this to members of a certain group, e.g. you could create a group cifsmount and then have

%cifsmount ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=* 

Источник