Never Ending Security

It starts all here

sshpass – Non-interactive ssh password authentication

SSH’s (secure shell) most common authentication mode is called “interactive keyboard password authentication”, so called both because it is typically done via keyboard, and because openssh takes active measures to make sure that the password is, indeed, typed interactively by the keyboard. Sometimes, however, it is necessary to fool ssh into accepting an interactive password non-interactively. This is where sshpass comes in.

SECURITY NOTE: There is a reason openssh insists that passwords be typed interactively. Passwords are harder to store securely and to pass around securely between programs. If you

Install sshpass in Debian

# aptitude install sshpass

This will complete the installation.

Using sshpass


sshpass [options] command arguments


If no option is given, sshpass reads the password from the standard input. The user may give at most one alternative source for the password:

-p password – The password is given on the command line. Please note the section titled “SECURITY CONSIDERATIONS”.

-f filename — The password is the first line of the file filename.

-d number — number is a file descriptor inherited by sshpass from the runner. The password is read from the open file descriptor.

-e — The password is taken from the environment variable “SSHPASS”.

Security Considerations

First and foremost, users of sshpass should realize that ssh’s insistence on only getting the password interactively is not without reason. It is close to impossible to securely store the password, and users of sshpass should consider whether ssh’s public key authentication provides the same end-user experience, while involving less hassle and being more secure.

The -p option should be considered the least secure of all of sshpass’s options. All system users can see the password in the command line with a simple “ps” command. Sshpass makes no attempt to hide the password, as such attempts create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

In particular, people writing programs that are meant to communicate the password programmatically are encouraged to use an anonymous pipe and pass the pipe’s reading end to sshpass using the -d option.
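
The pipe and -d approach described above, as an added example that is not part of the original article or of sshpass itself: a Python wrapper creates an anonymous pipe, hands only its reading end to the child process, and writes the password into the writing end, so the password never appears in the argument list that ps shows. The helper names, the stand-in child used for the offline demo, the host name and the sample password are assumptions constructed for illustration.

```python
import os
import subprocess
import sys


def sshpass_argv(fd, target, *remote_cmd):
    """Argument list for sshpass reading the password from inherited descriptor fd."""
    return ["sshpass", "-d", str(fd), "ssh", target, *remote_cmd]


def echo_child_argv(fd):
    """Stand-in child (constructed for offline use): prints the line it reads from fd."""
    code = "import os, sys; print(os.fdopen(int(sys.argv[1])).readline().strip())"
    return [sys.executable, "-c", code, str(fd)]


def run_with_password_fd(build_argv, password):
    """Run build_argv(fd) with the password readable on fd; return (argv, rc, stdout)."""
    read_fd, write_fd = os.pipe()  # anonymous pipe: the password never touches disk
    try:
        argv = build_argv(read_fd)
        # pass_fds keeps only the reading end open in the child; the writing
        # end is closed there because close_fds defaults to True.
        proc = subprocess.Popen(argv, pass_fds=(read_fd,), stdout=subprocess.PIPE)
    except BaseException:
        os.close(write_fd)
        raise
    finally:
        os.close(read_fd)  # the parent does not need the reading end
    try:
        with os.fdopen(write_fd, "wb") as writer:
            writer.write(password.encode() + b"\n")  # newline ends the password
    except BrokenPipeError:
        pass  # child exited before reading; its return code reports the failure
    stdout, _ = proc.communicate()
    return argv, proc.returncode, stdout.decode()


if __name__ == "__main__":
    secret = "constructed-example-password"
    argv, rc, out = run_with_password_fd(echo_child_argv, secret)
    print("child received password:", out.strip() == secret)
    print("password visible in argv:", any(secret in arg for arg in argv))
    # Real use (needs sshpass installed and a reachable host):
    # run_with_password_fd(lambda fd: sshpass_argv(fd, "test@host.example", "uptime"), secret)
```

The password still lives in the memory of the calling program, so where the secret comes from remains the caller's problem; the pipe only removes the command line and the environment as places where it can be observed.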

sshpass Examples

1) Run rsync over SSH using password authentication, passing the password on the command line:

rsync --rsh='sshpass -p 12345 ssh -l test'

2) Log in over SSH, passing the password on the command line:

sshpass -p [yourpassword] ssh [yourusername]@[host]
