topic Re: providing password in script in Operating System - HP-UX

providing password in script

sen_ux — Sat, 29 Nov 2008 05:28:26 GMT

Hi All,

I need to ssh and scp to multiple servers.
How can I do this using a script.Password should be provided in the script, so that ssh/scp should not ask passwd for each server.

( Some way other than exchanging ssh key )

Thanks
sen

Re: providing password in script

Dennis Handly — Sat, 29 Nov 2008 06:07:34 GMT

Ideally, the whole purpose of ssh and scp is so you don't have to enter the password.

Re: providing password in script

Victor Fridyev — Sat, 29 Nov 2008 08:00:08 GMT

Do you want to insert user/password into a script ? IMHO, it's a bad idea.
Can you please explain why you don't want to use the standard SSH free password approach ?

Best

Re: providing password in script

James R. Ferguson — Sat, 29 Nov 2008 13:41:36 GMT

Hi Sen:

You can and should avoid passwords in scripts if you are automating Secure Shell functions like 'scp', 'sftp', etc.

Setup and use public keys among your servers.

These two links should provide you the information you need to easily do this:

http://sial.org/howto/openssh/publickey-auth/

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1254688&admit=109447626+1227965745456+28353475

The 'known_hosts' file contains the public host keys for all known hosts. The per-user version is maintained automatically. Thus, whenever you connect from an unknown host, its key is added to the per-user file if you choose to acknowledge the fingerprint. If you don't, the connection can still be made, but you will be prompted the next time as if you had never connected.

The manpages for 'sshd' and 'ssh' offer more information.

Regards!

...JRF...

Re: providing password in script

OldSchool — Sat, 29 Nov 2008 15:46:10 GMT

as noted, this is a *bad* idea. usual practice would be the key exchange to allow passwordless login.

As far as I know, the only workable alternative would be to use "expect" to script the connection.

Re: providing password in script

Bill Hassell — Sat, 29 Nov 2008 23:48:35 GMT

> ( Some way other than exchanging ssh key )

ssh and scp are encrypted communications protocols, commonly used to enhance security. By trying to put a password into a script, you have placed a security vulnerability into your environment, thus making ssh/scp much less secure. Setting up a public key is a commonly accepted method to run remote commands and copy files in a secure manner. Like any networking solution, the local user as well as the remote user should be evaluated as to allowed permissions. root-to-root should be evaluated. user-to-user makes more sense and for ssh commands, running sudo at the remote site is preferred over root access.

Re: providing password in script

rmueller58 — Mon, 26 Jan 2009 14:58:42 GMT

sen,

JRF has the answer,

You can use SCP or SFTP in batch mode but you need to define trusts between the two boxes in question.

Follow the links in his posts to define the key exchange, and then within your script you can use the
scp -B sourceuser@:/path/filename.ext /destination/filename

Re: providing password in script

Autocross.US — Mon, 26 Jan 2009 15:24:17 GMT

As stated above, using passwords in a script is a bad idea. The ssh/scp tools don't have command line options for passwords for this reason.

If you want to do this, you will need to use a tool like expect:

http://expect.nist.gov/

(Google ssh/scp expect for some sample scripts)

You can also check out the Perl Net::SSH module:
http://search.cpan.org/dist/Net-SSH-Perl/lib/Net/SSH/Perl.pm

There are also modules for Python and TCL that do this. Check around on google for samples.

key-based authentication is the way to go though. It doesn't require any add-on tools and is secure.

Re: providing password in script

Nick Bishop (Kiwi) — Tue, 27 Jan 2009 05:32:31 GMT

Like the others, I would use a public key.

To avoid problems with the private key requiring a pass-phrase, one should generate a second private/public pair without a pass-phrase, and at the remote end, you restrict that public key to doing the specific command(s) that you wish.

In a similar vein to the others, I suggest you read, read, read (or man, man, man), but hopefully I've suggested an approach and that you'll know what to look for when reading.

Anyone wanna suggest how to restrict a public key to scp only AND restrict it to a particular directory tree (so someone can't pick it up and mess around with the .profile, or to grab sensitive information)?

Nick.