1SSHPASS(1) Sshpass User Manual SSHPASS(1)
2
6 sshpass - noninteractive ssh password provider
7
9 sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments
10
12 This manual page documents the sshpass command.
13 sshpass is a utility designed for running ssh using the mode referred
15 to as "keyboard-interactive" password authentication, but in non-inter‐
16 active mode.
17 ssh uses direct TTY access to make sure that the password is indeed is‐
19 sued by an interactive keyboard user. Sshpass runs ssh in a dedicated
20 tty, fooling it into thinking it is getting the password from an inter‐
21 active user.
22 The command to run is specified after sshpass' own options. Typically
24 it will be "ssh" with arguments, but it can just as well be any other
25 command. The password prompt used by ssh is, however, currently hard‐
26 coded into sshpass.
27
29 If no option is given, sshpass reads the password from the standard in‐
30 put. The user may give at most one alternative source for the password:
31 -ppassword
33 The password is given on the command line. Please note the sec‐
34 tion titled "SECURITY CONSIDERATIONS".
35 -ffilename
37 The password is the first line of the file filename.
38 -dnumber
40 number is a file descriptor inherited by sshpass from the run‐
41 ner. The password is read from the open file descriptor.
42 -e The password is taken from the environment variable "SSHPASS".
44 -P Set the password prompt. Sshpass searched for this prompt in the
46 program's output to the TTY as an indication when to send the
47 password. By default sshpass looks for the string "assword:"
48 (which matches both "Password:" and "password:"). If your
49 client's prompt does not fall under either of these, you can
50 override the default with this option.
51 -v Be verbose. sshpass will output to stderr information that
53 should help debug cases where the connection hangs, seemingly
54 for no good reason.
55
57 First and foremost, users of sshpass should realize that ssh's insis‐
58 tance on only getting the password interactively is not without reason.
59 It is close to impossible to securely store the password, and users of
60 sshpass should consider whether ssh's public key authentication pro‐
61 vides the same end-user experience, while involving less hassle and be‐
62 ing more secure.
63 The -p option should be considered the least secure of all of sshpass's
65 options. All system users can see the password in the command line
66 with a simple "ps" command. Sshpass makes a minimal attempt to hide the
67 password, but such attempts are doomed to create race conditions with‐
68 out actually solving the problem. Users of sshpass are encouraged to
69 use one of the other password passing techniques, which are all more
70 secure.
71 In particular, people writing programs that are meant to communicate
73 the password programmatically are encouraged to use an anonymous pipe
74 and pass the pipe's reading end to sshpass using the -d option.
75
77 As with any other program, sshpass returns 0 on success. In case of
78 failure, the following return codes are used:
79 1 Invalid command line argument
81 2 Conflicting arguments given
83 3 General runtime error
85 4 Unrecognized response from ssh (parse error)
87 5 Invalid/incorrect password
89 6 Host public key is unknown. sshpass exits without confirming the
91 new key.
92 7 IP public key changed. sshpass exits without confirming the new
94 key.
95 In addition, ssh might be complaining about a man in the middle attack.
97 This complaint does not go to the tty. In other words, even with ssh‐
98 pass, the error message from ssh is printed to standard error. In such
99 a case ssh's return code is reported back. This is typically an unimag‐
100 inative (and non-informative) "255" for all error cases.
101
103 Run rsync over SSH using password authentication, passing the password
104 on the command line:
105 rsync --rsh='sshpass -p 12345 ssh -l test' host.example.com:path .
107 To do the same from a bourne shell script in a marginally less exposed
109 way:
110 SSHPASS=12345 rsync --rsh='sshpass -e ssh -l test' host.exam‐
112 ple.com:path .
113
115 Sshpass is in its infancy at the moment. As such, bugs are highly pos‐
116 sible. In particular, if the password is read from stdin (no password
117 option at all), it is possible that some of the input aimed to be
118 passed to ssh will be read by sshpass and lost.
119 Sshpass utilizes the pty(7) interface to control the TTY for ssh. This
121 interface, at least on Linux, has a misfeature where if no slave file
122 descriptors are open, the master pty returns EIO. This is the normal
123 behavior, except a slave pty may be born at any point by a program
124 opening /dev/tty. This makes it impossible to reliably wait for events
125 without consuming 100% of the CPU.
126 Over the various versions different approaches were attempted at solv‐
128 ing this problem. Any given version of sshpass is released with the
129 belief that it is working, but experience has shown that these things
130 do, occasionally, break. This happened with OpenSSH version 5.6. As of
131 this writing, it is believed that sshpass is, again, working properly.
132 It seems that HPUX has some non Posix compliant ideas how controlling
134 TTY is detached. sshpass may not work properly on that platform.
135Lingnu Open Source Consulting January 29, 2021 SSHPASS(1)