topic ssh problem in Operating System - HP-UX

ssh problem

yangk — Thu, 03 Dec 2009 04:51:26 GMT

Hi all,

I want to use the ssh login to a system without the passwd reading from the stdin,

For example, store password somewhere for ssh to get it or use environment variable.

I just want to use passwd to login, but without pass passwd or expect scripts,
so is there any method can work out?

Re: ssh problem

Steven Schweda — Thu, 03 Dec 2009 05:33:32 GMT

> I just want to use passwd to login, [...]

Why? With SSH, it's possible to use public
key authorization without using a password.

A Forum seatch for keywords like, say:
ssh publickey
or:
ssh public key
should find very many old threads on this
topic.

Re: ssh problem

yangk — Thu, 03 Dec 2009 05:38:01 GMT

Hi,

I know that the ssh can use the public key to do the authentication , but I just want to
use the passwd to login without pass the passwd.

I think the method i uesd is a strange method.

Re: ssh problem

Steven Schweda — Thu, 03 Dec 2009 06:06:57 GMT

> [...] I just want to use the passwd to
> login without pass the passwd.

If you can explain that so that it makes some
sense, then please do so.

You want to use the password to log in, but
you don't want to send the password to the
remote system? Does the remote system have
ESP?

Re: ssh problem

yangk — Thu, 03 Dec 2009 06:51:44 GMT

Hi,

Is there any method that the ssh can get
passwd from file or use pipe passing the passwd to the ssh?

Re: ssh problem

yangk — Thu, 03 Dec 2009 07:08:21 GMT

Hi,
Do you how to use SSH_ASKPASS with ssh?

Re: ssh problem

Russ Park — Fri, 04 Dec 2009 16:22:51 GMT

I have wondered about this issue for most of my UNIX Admin life. What I believe this fellow wants is to be able to programatically send the password through the ssh command. I totally get that it is rather meaningless if you just setup keys, but there are times I've thought this might be valuable. So, here is the question restated (I should not get points for answering unless the author wants to be nice :) "Is it possible to establish a login session using ssh using password authentication only, but having that password sent not by keyboard, but by some other programatic means?" If it were, a shell script command might look something like below:

cat mypass |xargs -i ssh host1 <{}

where you'd use some means of redirecting the contents of 'mypass', which stores your password into the command 'ssh host1' -

My guess, this is impossible, as I've tried, and had no success. Really, it kinda defeats the purpose of "Secure Shell" - and storing the password in a file is horribly insecure, yes? Nonetheless, I'd love to know if there's a way to do it!

Thanks!
Russ

Re: ssh problem

Steven Schweda — Fri, 04 Dec 2009 17:28:01 GMT

> I have wondered [...]

I haven't, but if I had, I'd've assumed that
"expect" would do the job. Perhaps a Forum
search for keywords like, say:
ssh expect
would find something useful.

> Really, it kinda defeats the purpose of
> "Secure Shell" [...]

Sure seems to.

Re: ssh problem

yangk — Mon, 07 Dec 2009 06:03:47 GMT

Hi Park,

What I want to do is just what you said.

Is there a way for ssh to get passwd not from the stdin but from a file or somethin else which contain the password.

I think the method is an odd way of ssh.

So we can discuss here about the issue.

Re: ssh problem

yangk — Mon, 07 Dec 2009 06:05:37 GMT

Hi Schweda,

I known that the expect script can reslove this problem of send the password to the ssh
automatic.

Re: ssh problem

Russ Park — Mon, 07 Dec 2009 17:09:22 GMT

(In response to yangk)

The 'expect' script? What is that? It's not an hpux or ksh command...

Thanks!

Re: ssh problem

Matti_Kurkela — Mon, 07 Dec 2009 18:31:10 GMT

The ssh client is specifically programmed to not accept passwords from standard input: it explicitly reads the terminal device, bypassing any input/output redirection. The "passwd" command does the same.

This is done intentionally to discourage users from writing scripts with embedded passwords. Accepting the password from an environment variable is not implemented, for the exact same reason.

This mechanism is not perfect: it can be bypassed with a bit of effort, but it is intended to make the user think about finding a better (hopefully more secure) way to solve his/her access or automation problem.

With password authentication, an unauthorized person needs only to read the script once, and then s/he can make unauthorized connections from any location that otherwise allows connections to the target system.

With SSH keys, you can place restrictions on keys at the server side, so that a particular key is accepted only if the connection comes from an IP address that is specifically listed as trusted for that key.

It is even possible to allow/force a certain key to always run one particular command only, so that even if the private key has been compromised, the server admin knows that the worst thing the intruder can do with the key is to keep doing what the legitimate user normally does.

For more information, type "man sshd" on your system and read the chapter titled "AUTHORIZED_KEYS FILE FORMAT".

Of course the SSH keys can be misused, just like anything else. But with SSH keys, at least you have a tool that allows you to achieve markedly better security with just a little bit of extra effort.

If your system is subject to security audits, you should always document your embedded passwords and other well-known security risks in advance. You should also document the technical reasons why the known-risky solution was chosen: "I did not want to use SSH keys" is not going to be an acceptable justification.

MK

Re: ssh problem

Russ Park — Mon, 07 Dec 2009 18:36:02 GMT

to MK:

Preaching to the chior, but I wasn't sure if there might not be a way to get around this. Assuming there's no way to get passwd or ssh to accept redirected output, then the discussion is closed as far as I'm concerned...

Thanks,
Russ

Re: ssh problem

Steven Schweda — Mon, 07 Dec 2009 21:35:56 GMT

> The 'expect' script? What is that? It's not
> an hpux or ksh command...

> [...] Perhaps a Forum
> search for keywords like, say:
> ssh expect
> would find something useful.

> Assuming there's no way [...]

That's one approach. Looking around is
another.

Re: ssh problem

yangk — Tue, 08 Dec 2009 01:57:05 GMT

Hi MK,

ok, maybe there is no method to work aroud this issue. I have try many ways try using ssh to read from the stdin ,but it seems that all the ways are failed.

So could you share with us , if you find a way to resolve this issue in the future?

I will also concern with this issue.

Re: ssh problem

yangk — Tue, 08 Dec 2009 02:17:56 GMT

Hi all,

I think I will open this issue for discuss.

Thanks for all of you discuss about is!

Re: ssh problem

Steven Schweda — Tue, 08 Dec 2009 04:22:08 GMT

> [...] I have try many ways [...]

Was "expect" in any of those (unspecified)
ways?

> I known that the expect script can reslove
> this problem of send the password to the
> ssh automatic.

What did that mean?