SSH single sign-on is usually achieved with public key authentication and an authentication agent. You can easily add your test VM key to an existing agent (see the example below). Other methods such as GSSAPI/Kerberos exist but are more complex to set up.

In situations where a password is the only authentication method available, sshpass can be used to enter it automatically. Pay particular attention to the SECURITY CONSIDERATIONS section of its man page. In all three options below, the password is visible or stored in plaintext at some point:

Anonymous pipe (recommended by sshpass)

# Create a pipe
PIPE=$(mktemp -u)
mkfifo -m 600 $PIPE
# Attach it to file descriptor 3
exec 3<>$PIPE
# Delete the directory entry
rm $PIPE
# Write your password in the pipe
 echo 'my_secret_password' >&3
# Connect with sshpass -d
sshpass -d3 ssh [email protected]

# Close the pipe when done
exec 3>&-

It is quite cumbersome in bash, and arguably easier from a programming language. Another process could open your pipe or file descriptor before the password is written, but the window of opportunity is short: the FIFO is created with mode 600 and unlinked right after it is opened, so only your own processes (via /proc/<pid>/fd/3) or root can reach it.
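The pipe dance above wrapped in a reusable POSIX sh function (an added example, not code from the original post or from sshpass). It assumes nothing beyond mktemp, mkfifo and a child that reads its secret from file descriptor 3; the sshpass invocation in the comment and the user@host target are placeholders, and the final line uses a plain sh as a stand-in for sshpass so it runs without a remote host.

```shell
#!/bin/sh
# Reusable version of the anonymous-pipe method. The secret travels to the
# child on file descriptor 3 (what `sshpass -d3` reads), so it never appears
# in argv or in the environment. Added example, not from the original post.

with_fd_secret() {
    # usage: with_fd_secret 'secret' command [args...]
    secret=$1; shift
    # A private directory instead of `mktemp -u` closes the name-guessing race.
    dir=$(mktemp -d) || return 1
    fifo="$dir/pipe"
    mkfifo -m 600 "$fifo" || { rm -rf "$dir"; return 1; }
    # Open read-write so neither side blocks waiting for a peer.
    exec 3<>"$fifo"
    # Drop the directory entry: only our open fd (and /proc/<pid>/fd/3) remains.
    rm -rf "$dir"
    # Exactly one line, which is what sshpass -d consumes.
    printf '%s\n' "$secret" >&3
    unset secret
    status=0
    "$@" || status=$?          # the child inherits fd 3
    exec 3>&-                  # close our end when done
    return $status
}

# Real use (needs sshpass and a reachable host; placeholder target):
#   with_fd_secret 'my_secret_password' sshpass -d3 ssh user@host
# Demonstration with a stand-in for sshpass that just reads the line from fd 3:
with_fd_secret 'my_secret_password' sh -c 'head -n1 <&3'
```

Because the function only hands the child an inherited descriptor, the child's argv and environment stay clean; the secret is visible only to processes running as you (through /proc) or to root, which is the property the text above describes.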

Environment variable

# Set your password in an environment variable
 export SSHPASS='my_secret_password'
# Connect with sshpass -e
sshpass -e ssh [email protected]

You and root can read your process' environment variables (i.e. your password) while sshpass is running (cat /proc/<pid>/environ | tr '\0' '\n' | grep ^SSHPASS=); /proc/<pid>/environ is readable only by the process owner and root. The window of opportunity is much longer (the whole lifetime of the sshpass process) but still limited to your own processes or root, not other users. Using a per-command assignment instead of export also keeps the variable out of your interactive shell's environment once the command returns.

Command-line argument (least secure)

 sshpass -p my_secret_password ssh [email protected]

This is convenient but less secure, as described in the man page. Command line arguments are visible to all users on the host (e.g. ps -ef | grep sshpass). sshpass overwrites the argument in its own argv once it has read it, but there is still a window between exec and that overwrite during which any user can see the password.

Side note

Set your bash HISTCONTROL variable to ignorespace or ignoreboth and prefix sensitive commands with a space (as done in the examples above); they won't be saved in history.


SSH public key authentication

# Generate a key pair
# Do NOT leave the passphrase empty
ssh-keygen
# Copy it to the remote host (added to .ssh/authorized_keys)
ssh-copy-id [email protected]

The passphrase is very important: anyone who somehow obtains the private key file still cannot use it without the passphrase, which they would have to guess offline.

Setup the SSH authentication agent

# Start the agent
eval `ssh-agent`
# Add the identity (private key) to the agent
ssh-add /path/to/private-key
# Enter key passphrase (one time only, while the agent is running)

Connect as usual

ssh [email protected]

The advantage is that your private key stays encrypted on disk and you only need to enter its passphrase once, through ssh-add's own prompt rather than on a command line or in an environment variable.
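An added example, not part of the original post: the agent setup above turned into a script that reuses one running ssh-agent across shells and loads keys with a lifetime (ssh-add -t), which goes slightly beyond the post's one-liner. The cache file name $HOME/.ssh/agent.env and the function names are this example's own choices; the exit codes of ssh-add -l (0 identities loaded, 1 agent reachable but empty, 2 no agent reachable) are documented ssh-add behaviour.

```shell
#!/bin/sh
# Added example, not from the post: share one ssh-agent between shells
# instead of running `eval $(ssh-agent)` in every terminal, which leaves a
# stray agent (holding a decrypted key) behind each one. The agent's
# variables are cached in $AGENT_ENV, a file name chosen for this example.

AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# ssh-add -l exit status: 0 = identities loaded, 1 = agent reachable but
# empty, 2 = no agent reachable.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

ensure_agent() {
    # First try the agent a previous shell recorded.
    if [ "$(agent_state)" = none ] && [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    # Otherwise start one; the cache file must not be world-readable.
    if [ "$(agent_state)" = none ]; then
        mkdir -p "$(dirname "$AGENT_ENV")"
        (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
        . "$AGENT_ENV" >/dev/null
    fi
    agent_state
}

# Load a key with a lifetime, so a forgotten terminal does not keep the
# decrypted key in memory forever (8 hours unless a second argument is given).
add_key() {
    ensure_agent >/dev/null || return 1
    ssh-add -t "${2:-8h}" "$1"
}

# Typical use from a shell profile (the key path is a placeholder):
#   ensure_agent
#   add_key "$HOME/.ssh/id_ed25519" 4h
```

Sourcing the cache file repoints SSH_AUTH_SOCK at the agent started earlier, so ssh-add prompts for the passphrase once per lifetime rather than once per terminal; when the cached socket is dead, agent_state reports none and a fresh agent replaces it.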
