sshpass

The recommended way to do SSH communications (whether SSH or SCP) from a script is to use secure public key authentication to authenticate with the other end. With this you can open SSH connections without putting any passwords in your scripts. But sometimes the best solution is the one you can actually use (for example, because the configuration of the host you need to communicate with is not suitable and you can’t change it). In those cases you usually need to work with a traditional username and password combination.

There are ways to send a password from a script to ssh (a simple pipe does not work because ssh expects to get “interactive keyboard password authentication”). I have often seen examples that use expect for this, and the following articles have instructions on how to do that: Use expect in bash script to provide password to SSH command, SSH login expect shell script to supply username and password, Expect with SSH, How to automate SSH login with password? and Automating ssh logins (without keys) with ‘expect’. Expect is a convenient and well-proven tool for many applications, but sometimes (especially on small embedded systems) it feels like a rather heavy tool for the job (it is an extension to the Tcl scripting language).

Sshpass is a tool for non-interactively performing password authentication with SSH’s so-called “interactive keyboard password authentication”. The article sshpass: Login To SSH Server / Provide SSH Password Using A Shell Script gives some usage examples, and the sshpass man page gives the rest of the details you need. Just get the source code from Sourceforge or Freecode and compile it for the platform where you need the utility (it is easy to compile). There are also ready-made packages, for example for Debian.

Before putting sshpass to use, remember that most users should use SSH’s more secure public key authentication instead of this wrapper for password authentication. But if you know that you just can’t use public key authentication and you are forced to use a password, then go ahead. I like to use the -f option, which reads the password from a file, so I don’t have to hard-code it in my shell scripts (which makes the scripts themselves less security-sensitive).
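The -f approach only helps if the password file itself is locked down. The following is an added example, not code from the original post: it creates the file with mode 0600 and refuses to call `sshpass -f` unless the file is a regular, owner-only file. The function names (`make_pwfile`, `check_pwfile`, `ssh_with_pwfile`) are hypothetical helpers invented for this illustration.

```shell
#!/bin/sh
# Added example: gate `sshpass -f` behind a password-file permission check.
# Helper names are hypothetical; sshpass reads the first line of the file.

# make_pwfile FILE : store a password read from stdin in FILE, mode 0600.
make_pwfile() {
    ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# check_pwfile FILE : return 0 only if FILE is safe to hand to sshpass -f.
check_pwfile() {
    f=$1
    [ -n "$f" ] || { echo "no password file given" >&2; return 1; }
    # Reject symlinks so the check and the later read refer to the same file.
    [ ! -L "$f" ] || { echo "$f: is a symlink" >&2; return 1; }
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -O "$f" ] || { echo "$f: not owned by current user" >&2; return 1; }
    # Mode string from ls, e.g. "-rw-------"; group/other bits must be empty.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $mode in
        -r[w-]-------) return 0 ;;
        *) echo "$f: mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# ssh_with_pwfile FILE SSH_ARGS... : run ssh via sshpass only if FILE passes.
ssh_with_pwfile() {
    pwfile=$1; shift
    check_pwfile "$pwfile" || return 1
    command -v sshpass >/dev/null 2>&1 || {
        echo "sshpass is not installed" >&2; return 127; }
    sshpass -f "$pwfile" ssh "$@"
    rc=$?
    # Exit codes 5 and 6 are documented in the sshpass man page.
    case $rc in
        5) echo "sshpass: password was rejected" >&2 ;;
        6) echo "sshpass: host key unknown, add it to known_hosts first" >&2 ;;
    esac
    return $rc
}

# Usage (constructed host and path):
#   make_pwfile "$HOME/.backup_pw"    # type the password, then Ctrl-D
#   ssh_with_pwfile "$HOME/.backup_pw" user@host.example uptime
```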
