Sometimes theres a need to use ssh with the password as a command line parameter, I know keys do exist and may be used for a “passwordless” login, I know you may use expect to create a script to type the password for you. But if you just want a plain simple tool to do it you may use plink.
Usually plink isn’t available in the distro (at least with SuSE and Fedora) so you may need to download it’s source and compile it.
Get it from http://the.earth.li/~sgtatham/putty/latest/putty-0.60.tar.gz
Untar it with: tar -zxvf
Sometimes theres a need to use ssh with the password as a command line parameter, I know keys do exist and may be used for a “passwordless” login, I know you may use expect to create a script to type the password for you. But if you just want a plain simple tool to do it you may use plink.
Usually plink isn’t available in the distro (at least with SuSE and Fedora) so you may need to download it’s source and compile it.
Get it from http://the.earth.li/~sgtatham/putty/latest/putty-0.60.tar.gz and follow the commands:
tar -zxvf putty-0.60.tar.gz
cd putty-0.60/unix
./configure ; make ; sudo make install
and your done compiling.
Now lets talk about using plink, you may use plink as a regular ssh client, something like; plink pedro@192.168.1.1 and it will behave as your regular ssh client. Now try plink user@server -pw your_password and “voilá” you logged in. For safety issues type “history -c” (this will cleanup your history).
If you want, and this is the main use of plink, automate and ssh script to run in batch mode as for instance in a cron script your may use something like (lets suppose you have a text file called login_data.txt, with 2 entrances by line separated by spaces, the first entrance will be the host and the second the password) and you want to login with root and execute the command poweroff:
#!/bin/bash
cat login_data.txt | while read LINE ; do
CLEANED=`echo $LINE | tr -s ” ” LINE ; # this will clean the extra spaces
HOST=`echo $CLEANED | cut -d ” ” -f 1`; this will extract the host
PASSWD=`echo $CLEANED| cut -d ” ” -f 2`; this will extract the passwd
plink root@$HOST -pw $PASSWD shutdown ;
done
Just be very careful with permissions on files that have clear text passwords, ideally they shouldn’t exist but sometimes every sysadmin as such needs.
If you want you may check further info on plink on putty web site or by just typing plink on the command line.
The above scrip only works if you had already logged in at least one time (you still need to accept the ssh server key) if you totally want to automate it you may use expect (I’m hopping to write about it sometime soon).
Cheers and see you next time
Please don’t encourage people to put passwords on the command line! I have a difficult enough time in my shell scripting classes trying to help students “unlearn” bad habits that having someone purposefully promote a Bad Idea(tm) just makes my job that much more difficult and our beloved Linux systems that much less secure.
As with drugs, just don’t do it!
Please note: la can report the full command line of other users’ processes…
And Linux la a multiuser O.S. (even when you are the only one that uses that Computer
A better way is put into your .ssh/authorized_keys file your client ssl key and you can access to that host without enter any password. more secure too.
Take care
A much better way is to use publickeys, they aren’t hard to set up and are way more secure than what you describe above! Plus, you will not be introducing any dangerous variables into a script.
@Gian Uberto Lauri:
plink strips off the argument after the -pw option so the password isn’t visible is ps or tools like it.
This post is controversial indeed.
The main reason to post was about an alternative way to do login. In the post I wrote about the security issues, but the main objective is to show people that there are different ways to do things. If you know it is unsafe you should take the measures to minimize it.
All the post out there talk about creating keys to automate the process but is it safer? Well if you don’t protect your key with a password it’s a plain text file that people can use if they have access to it, just like a clear passwd file, will you gain anything having a key to login, if you don’t protect it, in simple words no. If you you have a password on your ssh key file then you can’t create scripts and automations.
Old admin said “In my shell scripting classes trying to help students “unlearn” bad habits that having someone purposefully promote a Bad Idea(tm) just makes my job that much more difficult and our beloved Linux systems that much less secure”, I’ve a different approach on my classes, I don’t teach tech dogmas, I show different tools (safe, unsafe, whatever), teach the basis of security, and then the students will grow their knowledge on their own experiences, it’s an harder way but it will create an open mind about the systems they are managing… after all we don’t want a next next next sysadmin.
I fail to see any benefit from using this app.
SSH keys are the way to go for any sort of passwordless logins. Been using them for at least 6 years now…
If you want more security, you should protect your priv key with a pass phrase and use keychain, you still will have to enter your pass phrase once you bounce your system.
I see one great use for this… stuffing ssh-tunneled, cron-based commands to a Cisco router (that is not capable of key storage) from a Linux box… Just put the command in a script, chmod to 700, and call it from cron. Not perfect, not 100% secure, but better than nothing.
🙂
“I’ve a different approach on my classes, I don’t teach tech dogmas, […]”
@Pedro: I appreciate what you’re saying. But industry-wide “best practices” are dogma for a reason!
Look, if the goal is automate something that normally requires interactive input, it will always have a vulnerability. The goal is to limit the exposure in those situations. Using a keypair removes much of the vulnerability as only the root user will have access to the private half of the key.
Now consider what happens when a shell script contains a hard-coded password in it, be in a cron job or something else. While the plink command may remove the command line parameters via some subterfuge (modifying the argv parameter to main()), there is still a window of opportunity after the exec() has started loading plink and before main() begins execution where the password is on the command line. And this password can be seen by any user on the system with access to ps(1) which is most of them. And I’m assuming that the script has permissions of 500.
So comparing the two approaches, which is more vulnerable?
I understand your goal of exposing users to a wide variety of solutions as a means of teaching Good vs. Evil, but the presentation of the blog article makes Evil too tempting, especially when Good is so much better. 😉
For all the guy following this thread, and specially for those that didn’t like the approach of having passwords on command line (I don’t like that either, but sometimes it’s useful, as Jeremy said and gave some good examples), so I wrote a new post how to use secure keys to authenticate, and then how to keep them easy to use with ssh-agent.
Cheers
Pedro Oliveira
Thanks for the new post.
Now, I’m not one to flog a dead horse, but just to point out interesting aspects of the matter, there’s some more to say about keys vs. automatic password entry. First, keys can be password-protected as well, to protect against unauthorized users of authorized hosts.
Also, you can have several keys, for example: an passwordless key that automatically performs a simple non-destructive task, and a password-protected key that allows interatcitve login. The most important thing, though, is that when using keys exclusively, remote password login can be disabled altogether, thereby making the choice of password completely irrelevant. This also restricts remote login to authorized hosts (which may or may not be what you want).
By the way, there is a typo in the post… you have the download location for putty in the place where the plink location should be.
😉
Whoops, I see now…. it’s that you pasted the same (or similar) two paragraphs in the post twice… That was confusing me…
It’s because you download plink from the putty site 🙂
I’m Portuguese and my native tongue isn’t English, I’ll polish it in the next few posts.
Thanks for the info anyway 🙂
CLEANED=`echo $LINE | tr -s ” ” LINE `; # this will clean the extra spaces
you missed a ” ` ” in this line, mate