For those of us who use the SSH, that is, those of us who need to access remote computers or servers constantly in our day to day, get to the point of getting fed up with typing passwords, it would be:
- Key in a terminal: ssh user @ server
- Wait a few seconds
- The server where we want to connect will ask for the password
- Once we put the password and press [Enter] then we will access the remote server
And now my question, isn't it simpler to just type ?:
sshpass -p «PASSWORD» ssh root@servidor
For example, suppose the user is root, the server is: Dev.desdelinux.net and the password is xunil ... then the line would be:
sshpass -p xunil ssh root@dev.desdelinux.net
To achieve this we simply have to install the package sshpass, riding a Debian / Ubuntu or derivatives would be with sudo apt-get install sshpass Meanwhile in ArchLinux or derivatives would suffice with sudo pacman -S sshpass
If we want to specify the port (because SSH is not on port 22) we add -p «PORT» ... that is, assuming it is port 9122:
sshpass -p xunil ssh root@dev.desdelinux.net -p 9122
To simplify all this even more we can create aliasesFor example, when executing server1, the entire line is executed to connect by SSH to server1 (sshpass -p password user @ server1) or something similar, so we also save putting a too long line 😉
Anyway, I hope this has been useful to you.
By the way, another way to avoid having to write the password when we access by SSH is by using public and private keys.
regards
My apologies but this is a terrible security aberration !! You have the password stuck in scripts, plain text files, bash history, etc.
For that, openssh supports public key authentication using RSA.
Thanks to this type of practice (implemented by subjects who call themselves "administrators") there is so much computer insecurity.
Greetings.
Let's see. Yes, it is a security problem but it does not mean that "subjects" who are administrators or not have to use this method. The method exists and is shown in case it needs to be used in an environment where security is not an issue. In the store they sell you the knife, you decide if you use it to cut vegetables or kill someone.
I understand your position, but I am sorry that in a blog of such renown they promote this type of practice, it is almost like an "apology for the terrible system administration" hehe.
A hug!
I still don't understand what the problem is 🙁
As we have spoken of "how to obtain more security" in various aspects, we can also speak of other "less secure" topics. Our goal is to offer the information, it is up to you to know what to do with it. In addition, the author of the most paranoid post with security cannot be, believe me, when it comes to System Administration, it does not do this kind of thing.
Greetings 😉
First, when I said 'implemented by subjects who call themselves "administrators"', I did not refer at any time to the author of the article, I do not understand why they are so susceptible.
The problem, from my point of view, is that this tool goes against all good security practice. I believe that from the GNU / Linux community we must keep our precious operating system as secure as possible. I mean, I wouldn't want to see GNU / Linux turned into Windows (security wise).
Unfortunately there are many novice administrators who do not know the correct way to do things, and end up using these tools on critical systems.
Of course you have the right to publish whatever you want, but I repeat, it saddens me that this blog (one of the most important Spanish-speaking blogs) gives way to tools that threaten security.
Regards!!
And give Juana with the basin. Precisely, because it is a reference blog, we like to provide all kinds of information. I understand this:
A user arrives and asks: How can I connect to a server via SSH without asking for the password?
They answer him in any forum: Noooo, that's a security problem, nobody does that.
Even knowing, the user does not tell him why it is a security problem. Bad, very bad, it's good that you know how to do things, that's why in Desdelinux:
A user arrives and asks: How can I connect to a server via SSH without asking for the password?
We write a post and say: You can use this method, it works this way but it IS NOT SAFE. The safest thing is to use this other one.
Which one do you think is better?
Okay, I respect your posture. Best regards!!
SSHPass does not actually threaten security, the person who threatens security in any case is the user who misuses it.
For example, here is an excellent example that SSHPass is not only used for what I comment in the post, it can be used for (for example) OpenSSH-Server cracking: http://paste.desdelinux.net/4810
The application is nothing more than that, an application, the use that is given to it is what will cause failures that compromise security or not.
Regarding nervous or susceptible, not at all, maybe it was the way you said it (or that reading makes it difficult to understand correctly) but I interpreted that the comment was directed at me, if it was not, I apologize.
PS: Surely there will be several who will find the script that I put interesting and even funny LOL!
Ok, I'm glad we reached an agreement. Cheers!!
Did I ever say that this method is more secure than using public and private keys?
In another article I already shared how to use them [1], now I simply explain another way to achieve the same or something similar.
Everyone uses the one that suits them best, the one they prefer. Here I simply explained one of the uses that can be given to sshpass, another could be through a Bash script to cracking SSH through the use of a dictionary ... but come on, this is just another use.
I repeat, I only share my knowledge related to GNU / Linux. SSHPass may not be the ideal choice for any case, but it has utility, do not hesitate.
BTW, referring to: (implemented by subjects who call themselves "administrators") ... heh ... heh ... heh ... I prefer not to comment, I have nothing to prove to anyone, not to mention that your friend of mine, you don't have the most remote idea of who I am, much less than what I know 😉
[1] https://blog.desdelinux.net/ssh-sin-password-solo-3-pasos/
Do not be nervous, it happens that in my field I know people who base their work on Google and when solving problems they copy & paste this type of thing. Then the security administrator is the one who "puts the wheels in the wheel" when he detects such anomalies. Cheers!!
Relax man, it's not worth it 😉
Sure, but then the password is registered in the commands used. For security reasons, this should not be done ...
That is what I was thinking when reading the post
Adding this to our .bashrc would not save the sshpass related commands:
HISTIGNORE='sshpass *'I'll be doing a post on how to ignore commands so they don't get saved to bash history shortly :)
Another way for commands not to be saved is to always put a space before the command. ^ __ ^
I think it is safer to use keys to connect via SSH without having to enter the password.
On the other hand, creating a full command alias where the password is saved can be a security issue.
If it seems to me a flaw in computer security, but we are going to make sure that they are not saved in the bash history is not so much the problem that we do (except for an alias that would be garrafal), also as elav says in the store sell us the knife we are the ones who will see what to use it
Interesting, but I better use the public and private key that you showed in another entry.
@KZKG
I think it is more practical - and safe! - use RSA / ECDSA keys together with a keychain (SSH agent) for automatic authentication.
In my case, I use an SSH keychain to Keychain, developed by the folks at Funtoo, which works very well, uses very few resources and is very secure:
http://www.funtoo.org/Keychain
Example:
j:0 ~ > AliasSearch ssh
# SSH management
alias SSHCOPYIDecdsa='ssh-copy-id -i ~/.ssh/id_ecdsa.pub'
alias SSHCOPYIDrsa='ssh-copy-id -i ~/.ssh/id_rsa.pub'
alias SSHKEYGENecdsa='ssh-keygen -t ecdsa -b 521 -C "$(whoami)@$(hostname)-$(date -I)"'
alias SSHKEYGENrsa='ssh-keygen -t rsa -b 4096 -C "$(whoami)@$(hostname)-$(date -I)"'
Instructions for use:
SSHKEYGEN {ecdsa, rsa}
SSHCOPYID {ecdsa, rsa} user @ {server, ip}
# SSH servers
alias SERVER1mosh='eval $(keychain --eval --agents ssh -Q --quiet id_ecdsa) && mosh -p # usr1@server1'
alias SERVER1='eval $(keychain --eval --agents ssh -Q --quiet id_ecdsa) && ssh -v -p # usr1@server1.local'
alias SERVER101='eval $(keychain --eval --agents ssh -Q --quiet id_ecdsa) && ssh -v -p # usr1@[direc. ip].101'
Where:
-p #: port
usr1 @ server1: user @ AVAHI server
usr1@server1.local: user @ AVAHI server (depending on how the server is configured in some systems it is necessary to add the suffix .local)
usr1 @ [addr. ip] .101: fixed ip address.
/ etc / ssh / sshd_config: http://paste.chakra-project.org/4974/
~ / .ssh / config: http://paste.chakra-project.org/4975/
OS: Arch Linux/Chakra
I hope it serves you, greetings!
In fact I use keys, not SSHPass to access my servers ... I discovered SSHPass when I needed a way to do this script: http://paste.desdelinux.net/4810
But ... well, I wanted to share SSHPass with everyone, but obviously I couldn't put here a script that allows using a dictionary to try to violate OpenSSH-Server HAHAHA!
"[…] I couldn't put here a script that allows using a dictionary to try to violate OpenSSH-Server HAHAHA!"
But why not!!?
Isn't hacking & cracking part of learning good security practices [0] !?
Please man, go ahead !!!
[0] Isn't it beautiful to use words to mean the exact opposite of what they literally mean !? Hack the linguistics !!! ;-D
Hi, I get this error:
It is testing passwords to 192.168.20.11 on port 22 with the root user
cat: con-letters.txt: No such file or directory
the file with letters.txt I create them?
regards
This is not done, since the password is stored in bash_history as plain text, apart from that it could be found out in another way. So that ssh does not ask you for a password, the correct way is with "public and private keys".
I use RSA to connect to my servers remotely, even so I think that to connect to some computer where we do not require such strong security is a good tool, thanks for the tip!
Chiuuuu
And why better not publish my password so that it is available to anyone?
Excellent that good !!!!!! and in Spanish.
Excellent article, as always people complain instead of thanking, although the method is insecure it depends on where and how you use it, thank you very much 🙂