SSHPASS(1)                    Sshpass User Manual                   SSHPASS(1)

NAME

       sshpass - noninteractive ssh password provider

SYNOPSIS

       sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments

DESCRIPTION

       This manual page documents the sshpass command.

       sshpass is a utility designed for running ssh using the mode referred
       to as "keyboard-interactive" password authentication, but in
       non-interactive mode.

       ssh uses direct TTY access to make sure that the password is indeed
       issued by an interactive keyboard user. Sshpass runs ssh in a
       dedicated tty, fooling it into thinking it is getting the password
       from an interactive user.

       The command to run is specified after sshpass' own options. Typically
       it will be "ssh" with arguments, but it can just as well be any other
       command. The password prompt used by ssh is, however, currently
       hardcoded into sshpass.

Options

       If no option is given, sshpass reads the password from the standard
       input. The user may give at most one alternative source for the
       password:

       -ppassword
              The password is given on the command line. Please note the
              section titled "SECURITY CONSIDERATIONS".

       -ffilename
              The password is the first line of the file filename.

       -dnumber
              number is a file descriptor inherited by sshpass from the
              runner. The password is read from the open file descriptor.

       -e     The password is taken from the environment variable "SSHPASS".

SECURITY CONSIDERATIONS

       First and foremost, users of sshpass should realize that ssh's
       insistence on only getting the password interactively is not without
       reason. It is close to impossible to securely store the password, and
       users of sshpass should consider whether ssh's public key
       authentication provides the same end-user experience, while involving
       less hassle and being more secure.

       The -p option should be considered the least secure of all of
       sshpass's options. All system users can see the password in the
       command line with a simple "ps" command. Sshpass makes a minimal
       attempt to hide the password, but such attempts are doomed to create
       race conditions without actually solving the problem. Users of sshpass
       are encouraged to use one of the other password passing techniques,
       which are all more secure.

       In particular, people writing programs that are meant to communicate
       the password programmatically are encouraged to use an anonymous pipe
       and pass the pipe's reading end to sshpass using the -d option.

RETURN VALUES

       As with any other program, sshpass returns 0 on success. In case of
       failure, the following return codes are used:

       1      Invalid command line argument

       2      Conflicting arguments given

       3      General runtime error

       4      Unrecognized response from ssh (parse error)

       5      Invalid/incorrect password

       6      Host public key is unknown. sshpass exits without confirming the
              new key.

       In addition, ssh might be complaining about a man in the middle attack.
       This complaint does not go to the tty. In other words, even with
       sshpass, the error message from ssh is printed to standard error. In
       such a case ssh's return code is reported back. This is typically an
       unimaginative (and non-informative) "255" for all error cases.
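
       The anonymous-pipe approach recommended under SECURITY CONSIDERATIONS,
       combined with the return codes above, as an added example that is not
       part of the original manual or the sshpass distribution. The function
       names and the launcher parameter are assumptions of this sketch; the
       user and host are the ones used in EXAMPLES.

```python
import os
import subprocess

# sshpass's own failure codes, as listed under RETURN VALUES on this page.
SSHPASS_ERRORS = {
    1: "invalid command line argument",
    2: "conflicting arguments given",
    3: "general runtime error",
    4: "unrecognized response from ssh (parse error)",
    5: "invalid/incorrect password",
    6: "host public key is unknown",
}

def run_with_password_fd(password, command, launcher=("sshpass",)):
    """Run `sshpass -d<fd> command...` with the password sent over an anonymous pipe.

    The password is never placed in argv (visible to "ps") or in the
    environment. `launcher` is a hypothetical parameter of this example so the
    plumbing can be exercised with a stand-in program.
    """
    read_fd, write_fd = os.pipe()  # both ends are non-inheritable by default
    try:
        # A password is far smaller than the pipe buffer, so this write cannot
        # block; closing the write end gives the reader EOF after one line.
        with os.fdopen(write_fd, "wb") as w:
            w.write(password.encode() + b"\n")
        argv = [*launcher, f"-d{read_fd}", *command]
        # pass_fds hands only the read end to the child, under the same number.
        return subprocess.run(argv, pass_fds=(read_fd,)).returncode
    finally:
        os.close(read_fd)

def describe_exit(code):
    """Map an exit status to the meanings documented on this page."""
    if code == 0:
        return "success"
    if code in SSHPASS_ERRORS:
        return "sshpass: " + SSHPASS_ERRORS[code]
    # Anything else is the wrapped command's own status, typically 255 from ssh.
    return f"wrapped command exited with {code}"

if __name__ == "__main__":
    import getpass
    target = ["ssh", "-l", "test", "host.example.com", "true"]
    print(describe_exit(run_with_password_fd(getpass.getpass(), target)))
```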

EXAMPLES

       Run rsync over SSH using password authentication, passing the password
       on the command line:

       rsync --rsh='sshpass -p 12345 ssh -l test' host.example.com:path .

       To do the same from a Bourne shell script in a marginally less exposed
       way:

       SSHPASS=12345 rsync --rsh='sshpass -e ssh -l test' host.example.com:path .

BUGS

       Sshpass is in its infancy at the moment. As such, bugs are highly
       possible. In particular, if the password is read from stdin (no
       password option at all), it is possible that some of the input aimed
       to be passed to ssh will be read by sshpass and lost.

       Sshpass utilizes the pty(7) interface to control the TTY for ssh. This
       interface, at least on Linux, has a misfeature where if no slave file
       descriptors are open, the master pty returns EIO. This is the normal
       behavior, except a slave pty may be born at any point by a program
       opening /dev/tty. This makes it impossible to reliably wait for events
       without consuming 100% of the CPU.

       Over the various versions different approaches were attempted at
       solving this problem. Any given version of sshpass is released with
       the belief that it is working, but experience has shown that these
       things do, occasionally, break. This happened with OpenSSH version
       5.6. As of this writing, it is believed that sshpass is, again,
       working properly.

Lingnu Open Source Consulting   August 6, 2011                      SSHPASS(1)