In this guide, we will learn what the sshpass utility is, how to install sshpass on Linux and FreeBSD systems, and how to use sshpass for non-interactive SSH login in shell scripts on Linux and Unix.
Introduction
As a Linux system administrator, you may need to access remote machines and transfer files between them several times a day. One way to access a remote system is ssh. The two most commonly used SSH authentication methods are password-based authentication and key-based authentication.
In the password-based authentication method, users have to manually enter the password each time they authenticate to a remote system. This is a bit tedious, and it is not suitable for automating tasks via scripts, because the user still has to type the password every time. So if you want to implement password-based SSH authentication in scripts, you may want to try the sshpass command line utility.
What is sshpass?
The sshpass utility is designed for running ssh using the keyboard-interactive password authentication mode, but in a non-interactive way. To put this in simple terms - sshpass offers a non-interactive way to authenticate an SSH session.
SSH uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user.
Install sshpass in Linux
The sshpass utility is available in the default repositories of many Linux distributions. For instance, you can use the following command to install sshpass in Arch Linux and its variants such as EndeavourOS, and Manjaro Linux:
$ sudo pacman -S sshpass
Install sshpass in Debian, Ubuntu and its derivatives:
$ sudo apt install sshpass
Install sshpass in Fedora, RHEL, CentOS, AlmaLinux and Rocky Linux:
$ sudo dnf install sshpass
Install sshpass in openSUSE:
$ sudo zypper install sshpass
To install sshpass in FreeBSD, run the following commands as root user:
# cd /usr/ports/security/sshpass/ && make install clean
# pkg install sshpass
A word of caution: All of these methods are highly insecure. All system users can see the password in the commands by simply issuing the ps command. It is NOT RECOMMENDED to use these methods in production. It is better to use key-based SSH authentication instead.
Use sshpass for Non-interactive SSH login
Let us see a few examples to understand how we can use sshpass for non-interactive SSH login, i.e. without typing the SSH password.
Example 1 - Log in to remote systems via ssh using sshpass
sshpass can accept the password as an argument, read it from an environment variable, or read it from a text file.
Let us see examples for each method.
Provide Password as an argument
To provide the password as an argument, use the -p option like below.
$ sshpass -p <remote-password> ssh remoteuser@ip-address
Example:
$ sshpass -p almalinux ssh ostechnix@192.168.1.20
Here,
- -p almalinux - Provides the password (i.e. almalinux) for the remote system.
- ostechnix@192.168.1.20 - Remote username and IP address.
Sample output:
Last login: Tue Oct 11 12:33:20 2022 from 192.168.1.101
[ostechnix@Almalinux8CT ~]$
You can also execute commands on the remote system without actually logging in to it.
$ sshpass -p almalinux ssh ostechnix@192.168.1.20 uname -a
Provide Password as an Environment variable
In this method, we declare an environment variable called SSHPASS with the remote system's password as its value. This is a little bit better than directly providing the password as an argument.
First, use the export command to save the password in an environment variable called SSHPASS like below:
$ export SSHPASS=almalinux
And then we provide the password with the -e flag like below:
$ sshpass -e ssh ostechnix@192.168.1.20
You can also combine both commands and run them as a single command like below.
$ SSHPASS=almalinux sshpass -e ssh ostechnix@192.168.1.20
This method also exposes the password in the shell history file, where users can view it using the history command. To prevent users from viewing the password, clear the bash history.
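To find where a password has already leaked this way, the following check scans script or history lines for a literal sshpass password and prints each hit with the secret redacted. It is an added example, not part of the original guide; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag script or history lines that embed an sshpass password.
# audit_sshpass_exposure and sample_lines are hypothetical names.

audit_sshpass_exposure() {
    # Reads lines on stdin, prints "<kind>: <line with secret redacted>".
    # Exit status: 0 = nothing found, 1 = at least one finding.
    awk '
    {
        kind = ""
        for (i = 1; i <= NF; i++) {
            # Literal SSHPASS=value; SSHPASS=$var and SSHPASS="$var" are skipped.
            if ($i ~ /^SSHPASS=./ && $i !~ /^SSHPASS="?\$/) {
                $i = "SSHPASS=<redacted>"; kind = "env-assignment"
            }
            # sshpass -p <pw> or sshpass -p<pw>, also inside --rsh="sshpass ...".
            if ($i ~ /(^|[^A-Za-z0-9_-])sshpass$/) {
                j = i + 1
                if ($j == "-p" && j < NF) {
                    $(j + 1) = "<redacted>"; kind = "cli-password"
                } else if ($j ~ /^-p./) {
                    $j = "-p<redacted>"; kind = "cli-password"
                }
            }
        }
        if (kind != "") { print kind ": " $0; found = 1 }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample input in the style of this guide's commands.
sample_lines() {
cat <<'EOF'
sshpass -p almalinux ssh ostechnix@192.168.1.20 uname -a
export SSHPASS=almalinux
rsync ~/file.txt --rsh="sshpass -p almalinux ssh -l ostechnix" 192.168.1.20:/home/ostechnix/
sshpass -e ssh ostechnix@192.168.1.20
SSHPASS="$pw" sshpass -e ssh ostechnix@192.168.1.20
sshpass -f mypassword.txt ssh ostechnix@192.168.1.20
EOF
}

sample_lines | audit_sshpass_exposure || echo "findings listed above" >&2
```

To audit real files, feed them on standard input, for example `audit_sshpass_exposure < ~/.bash_history`.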
Read Password from a text file
Save the password in a text file called mypassword.txt with the echo command:
$ echo "almalinux" > mypassword.txt
Secure the password file using the chmod command:
$ chmod 0400 mypassword.txt
Now, pass the password file to sshpass with the -f flag like below:
$ sshpass -f mypassword.txt ssh ostechnix@192.168.1.20
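The chmod step only helps if it is still in effect when the file is used. The wrapper below checks that before calling sshpass -f; it is an added example, not part of the original guide, and the helper names pwfile_is_private and ssh_with_pwfile are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to hand a password file to sshpass -f unless it is
# private to the calling user. Helper names are hypothetical.

pwfile_is_private() {
    f=$1
    # Must be a regular file, not a symlink that could point somewhere else.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3.
    meta=$(ls -ldn -- "$f" | awk '{print $1 " " $3}')
    mode=${meta% *}
    owner=${meta#* }
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $owner, not by the caller" >&2
        return 1
    fi
    case $mode in
        *+)          # ACL marker: extra grants may exist, review them by hand
            echo "refusing $f: ACL present" >&2; return 1 ;;
        -???------*) # no group or other permission bits (e.g. 0400 or 0600)
            return 0 ;;
        *)
            echo "refusing $f: mode $mode grants group/other access" >&2
            return 1 ;;
    esac
}

ssh_with_pwfile() {
    # Usage: ssh_with_pwfile mypassword.txt ostechnix@192.168.1.20 [command]
    pwfile=$1
    shift
    pwfile_is_private "$pwfile" || return 1
    sshpass -f "$pwfile" ssh "$@"
}
```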
Encrypt Password file using gpg
In the previous example, we saved the password in a plaintext file called "mypassword.txt" and passed it using the -f flag. We can also encrypt the plaintext password file with gpg.
Save the password in a text file called .mysshpassword with the echo command:
$ echo "almalinux" > ~/.mysshpassword
Did you notice that I put a dot before mysshpassword? It means I've hidden the password file in my $HOME directory.
Encrypt the password file using the gpg command:
$ gpg -c ~/.mysshpassword
You will be asked to enter a passphrase in a new pop-up box. Type the passphrase twice and click OK to close the box.
Remove the plaintext password file:
$ rm ~/.mysshpassword
Now, you can run the commands on remote machine using the following command:
$ gpg -d -q ~/.mysshpassword.gpg | sshpass ssh ostechnix@192.168.1.20 uname -a
Please note that the above command will not ssh into the remote system. It only executes the "uname -a" command in the remote system.
Example 2 - Transfer files using Rsync with sshpass
To transfer a file from the local system to a remote system using Rsync over SSH, run:
$ rsync ~/file.txt --rsh="sshpass -p almalinux ssh -l ostechnix" 192.168.1.20:/home/ostechnix/
You can also use the -e option as shown in Example 1 section to transfer files in a marginally less exposed way.
$ export SSHPASS=almalinux
$ rsync ~/file.txt --rsh="sshpass -e ssh -l ostechnix" 192.168.1.20:/home/ostechnix/
Example 3 - Copy files using scp with sshpass
We can use sshpass along with the scp command to copy files between local and remote systems in non-interactive mode.
$ sshpass -p almalinux scp ~/file.txt ostechnix@192.168.1.20:/home/ostechnix/
Example 4 - SSH Password automation with sshpass in shell scripts
In the previous sections, we discussed how to log in to a remote system via SSH in a non-interactive way using sshpass. Now let us see how to use sshpass to manage SSH connections in shell scripts.
Create a new script called diskusage_sript.sh with the following contents in it.
#!/usr/bin/env bash
#-------------------------------------------------------
#Author: Ostechnix
#Purpose: Report file system disk space usage of remote systems
#-------------------------------------------------------
SSHPASS=almalinux sshpass -e ssh ostechnix@192.168.1.20 'df -h'
Execute the script using command:
$ sh diskusage_sript.sh
Sample output:
Filesystem      Size  Used Avail Use% Mounted on
/dev/loop0       20G  1.4G   18G   8% /
none            492K  4.0K  488K   1% /dev
udev             16G     0   16G   0% /dev/tty
tmpfs            16G     0   16G   0% /dev/shm
tmpfs            16G  8.6M   16G   1% /run
tmpfs           3.1G     0  3.1G   0% /run/user/1000
If you don't want to put the password in a plaintext script, you can simply encrypt the password file using gpg as shown in Example 1 section and replace the last line in the script with the following line.
gpg -d -q ~/.mysshpassword.gpg | sshpass ssh ostechnix@192.168.1.20 'df -h'
After modifying the line, the actual script should look like below:
#!/usr/bin/env bash
#-------------------------------------------------------
#Author: Ostechnix
#Purpose: Report file system disk space usage of remote systems
#-------------------------------------------------------
gpg -d -q ~/.mysshpassword.gpg | sshpass ssh ostechnix@192.168.1.20 'df -h'
For more details on sshpass usage, refer to the manual page.
$ man sshpass
Conclusion
In this guide, we learned what sshpass is, how to install sshpass on various Linux and FreeBSD systems, how to use sshpass for non-interactive SSH login, and finally how to perform SSH password automation in shell scripts with the help of the sshpass utility on Linux and FreeBSD systems.
Please note that sshpass is not a replacement for the SSH key-based authentication method. You can use sshpass wherever you need to implement password-based authentication in a non-interactive mode.
As I already warned, using sshpass on a shared system is NOT recommended, because the password is recorded in the shell's history and all system users can see it by simply viewing the bash history file.
If you're the only one who uses the system, then it is not a big deal. You can use sshpass to implement automated password-based SSH authentication.