SSHPASS(1)                    Sshpass User Manual                   SSHPASS(1)

NAME

       sshpass - noninteractive ssh password provider

SYNOPSIS

       sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments

DESCRIPTION

       This manual page documents the sshpass command.

       sshpass is a utility designed for running ssh using the mode referred
       to as "keyboard-interactive" password authentication, but in
       non-interactive mode.

       ssh uses direct TTY access to make sure that the password is indeed
       issued by an interactive keyboard user. Sshpass runs ssh in a dedicated
       tty, fooling it into thinking it is getting the password from an
       interactive user.

       The command to run is specified after sshpass' own options. Typically
       it will be "ssh" with arguments, but it can just as well be any other
       command. The password prompt used by ssh is, however, currently
       hardcoded into sshpass.

Options

       If no option is given, sshpass reads the password from the standard
       input. The user may give at most one alternative source for the
       password:

       -ppassword
              The password is given on the command line. Please note the
              section titled "SECURITY CONSIDERATIONS".

       -ffilename
              The password is the first line of the file filename.

       -dnumber
              number is a file descriptor inherited by sshpass from the
              runner. The password is read from the open file descriptor.

       -e     The password is taken from the environment variable "SSHPASS".

       -P     Set the password prompt. Sshpass searches for this prompt in the
              program's output to the TTY as an indication of when to send the
              password. By default sshpass looks for the string "assword:"
              (which matches both "Password:" and "password:"). If your
              client's prompt does not fall under either of these, you can
              override the default with this option.

       -v     Be verbose. sshpass will output to stderr information that
              should help debug cases where the connection hangs, seemingly
              for no good reason.

SECURITY CONSIDERATIONS

       First and foremost, users of sshpass should realize that ssh's
       insistence on only getting the password interactively is not without
       reason. It is close to impossible to securely store the password, and
       users of sshpass should consider whether ssh's public key
       authentication provides the same end-user experience, while involving
       less hassle and being more secure.

       The -p option should be considered the least secure of all of sshpass's
       options. All system users can see the password in the command line
       with a simple "ps" command. Sshpass makes a minimal attempt to hide the
       password, but such attempts are doomed to create race conditions
       without actually solving the problem. Users of sshpass are encouraged
       to use one of the other password passing techniques, which are all more
       secure.

       In particular, people writing programs that are meant to communicate
       the password programmatically are encouraged to use an anonymous pipe
       and pass the pipe's reading end to sshpass using the -d option.

RETURN VALUES

       As with any other program, sshpass returns 0 on success. In case of
       failure, the following return codes are used:

       1      Invalid command line argument

       2      Conflicting arguments given

       3      General runtime error

       4      Unrecognized response from ssh (parse error)

       5      Invalid/incorrect password

       6      Host public key is unknown. sshpass exits without confirming the
              new key.

       In addition, ssh might be complaining about a man in the middle attack.
       This complaint does not go to the tty. In other words, even with
       sshpass, the error message from ssh is printed to standard error. In
       such a case ssh's return code is reported back. This is typically an
       unimaginative (and non-informative) "255" for all error cases.

EXAMPLES

       Run rsync over SSH using password authentication, passing the password
       on the command line:

       rsync --rsh='sshpass -p 12345 ssh -l test' host.example.com:path .

       To do the same from a bourne shell script in a marginally less exposed
       way:

       SSHPASS=12345 rsync --rsh='sshpass -e ssh -l test' host.example.com:path .

BUGS

       Sshpass is in its infancy at the moment. As such, bugs are highly
       possible. In particular, if the password is read from stdin (no
       password option at all), it is possible that some of the input aimed to
       be passed to ssh will be read by sshpass and lost.

       Sshpass utilizes the pty(7) interface to control the TTY for ssh. This
       interface, at least on Linux, has a misfeature where if no slave file
       descriptors are open, the master pty returns EIO. This is the normal
       behavior, except a slave pty may be born at any point by a program
       opening /dev/tty. This makes it impossible to reliably wait for events
       without consuming 100% of the CPU.

       Over the various versions different approaches were attempted at
       solving this problem. Any given version of sshpass is released with the
       belief that it is working, but experience has shown that these things
       do, occasionally, break. This happened with OpenSSH version 5.6. As of
       this writing, it is believed that sshpass is, again, working properly.

Lingnu Open Source Consulting   April 25, 2015                      SSHPASS(1)