SSH single sign-on is usually achieved with public key authentication and an authentication agent. You could easily add your test VM key to an existing auth agent (see example below). Other methods such as gssapi/kerberos exist but are more complex.
In situations where a password is the only authentication method available, sshpass can be used to enter the password automatically. Please pay particular attention to the SECURITY CONSIDERATIONS section of the man page. In all three options, the password is visible or stored in plaintext at some point:
Anonymous pipe (recommended by sshpass)
```bash
# Create a pipe
PIPE=$(mktemp -u)
mkfifo -m 600 "$PIPE"
# Attach it to file descriptor 3
exec 3<>"$PIPE"
# Delete the directory entry
rm "$PIPE"
# Write your password in the pipe
echo 'my_secret_password' >&3
# Connect with sshpass -d
sshpass -d3 ssh user@host
# Close the pipe when done
exec 3>&-
```
It is quite cumbersome in bash, arguably easier with programming languages. Another process could attach to your pipe/fd before the password is written. The window of opportunity is quite short and limited to your processes or root.
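The pipe handling above is easier to reuse once wrapped in a function. The following is an added example, not part of the original answer: `feed_fd3` performs the mkfifo / exec / rm / write steps and then runs any command with the secret available on descriptor 3. The consumer `read_fd3` is a constructed stand-in for `sshpass -d3 ssh user@host` so the script runs without ssh; the password value is constructed as well.

```bash
#!/bin/bash
# Added example: reusable wrapper around the anonymous-pipe technique.
# The secret travels only through file descriptor 3, so it never appears
# in the consumer's argv (ps) or environment (/proc/<pid>/environ).

# feed_fd3 SECRET CMD [ARGS...]: open an anonymous pipe on fd 3, write the
# secret into it, unlink the FIFO so it cannot be opened by name any more,
# then run CMD, which inherits fd 3. Closes fd 3 afterwards.
feed_fd3() {
    local secret="$1"; shift
    local fifo rc
    fifo=$(mktemp -u) || return 1
    mkfifo -m 600 "$fifo" || return 1
    exec 3<>"$fifo"            # read+write so the write below cannot block
    rm -f "$fifo"              # directory entry gone; only fd 3 reaches the pipe
    printf '%s\n' "$secret" >&3
    "$@"                       # e.g. sshpass -d3 ssh user@host (assumed command)
    rc=$?
    exec 3>&-                  # close the pipe when done
    return "$rc"
}

# read_fd3: constructed stand-in consumer that reads one line from fd 3,
# which is what sshpass -d3 does with the password.
read_fd3() {
    local line
    IFS= read -r line <&3
    printf '%s' "$line"
}

# demo_pipe: runs the wrapper with a constructed password and echoes what
# the consumer received on fd 3.
demo_pipe() {
    feed_fd3 'constructed_demo_password' read_fd3
}
```

Replace `read_fd3` with `sshpass -d3 ssh user@host` to use it for a real connection; nothing else in the wrapper changes.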
Environment variable

```bash
# Set your password in an environment variable
export SSHPASS='my_secret_password'
# Connect with sshpass -e
sshpass -e ssh user@host
```
You and root can read your process' environment variables (i.e. your password) while sshpass is running (`cat /proc/<pid>/environ | tr '\0' '\n' | grep ^SSHPASS=`). The window of opportunity is much longer but still limited to your own processes or root, not other users.
Command-line argument (least secure)
```bash
sshpass -p my_secret_password ssh user@host
```
This is convenient but less secure, as described in the man page. Command-line arguments are visible to all users (e.g. `ps -ef | grep sshpass`). sshpass attempts to hide the argument, but there is still a window during which all users can see the password passed as an argument.
Set your bash HISTCONTROL variable to `ignoreboth` and prefix your sensitive commands with a space. They won't be saved in history.
SSH public key authentication
```bash
# Generate a key pair
# Do NOT leave the passphrase empty
ssh-keygen
# Copy it to the remote host (added to .ssh/authorized_keys)
ssh-copy-id user@host
```
The passphrase is very important. Anyone who somehow obtains the private key file won't be able to use it without the passphrase.
Set up the SSH authentication agent
```bash
# Start the agent
eval `ssh-agent`
# Add the identity (private key) to the agent
ssh-add /path/to/private-key
# Enter key passphrase (one time only, while the agent is running)
```
Connect as usual
The advantage is that your private key is encrypted and you only need to enter its passphrase once (via a safer input method too).