SSHPASS(1)                    Sshpass User Manual                   SSHPASS(1)

NAME

       sshpass - noninteractive ssh password provider

SYNOPSIS

       sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments

DESCRIPTION

       This manual page documents the sshpass command.

       sshpass is a utility designed for running ssh using the mode referred
       to as "keyboard-interactive" password authentication, but in
       non-interactive mode.

       ssh uses direct TTY access to make sure that the password is indeed
       issued by an interactive keyboard user. Sshpass runs ssh in a dedicated
       tty, fooling it into thinking it is getting the password from an
       interactive user.

       The command to run is specified after sshpass' own options. Typically
       it will be "ssh" with arguments, but it can just as well be any other
       command. The password prompt used by ssh is, however, currently
       hardcoded into sshpass.

Options

       If no option is given, sshpass reads the password from the standard
       input. The user may give at most one alternative source for the
       password:

       -ppassword
              The password is given on the command line. Please note the
              section titled "SECURITY CONSIDERATIONS".

       -ffilename
              The password is the first line of the file filename.

       -dnumber
              number is a file descriptor inherited by sshpass from the
              runner. The password is read from the open file descriptor.

       -e     The password is taken from the environment variable "SSHPASS".

       -P     Set the password prompt. Sshpass searches for this prompt in the
              program's output to the TTY as an indication when to send the
              password. By default sshpass looks for the string "assword:"
              (which matches both "Password:" and "password:"). If your
              client's prompt does not fall under either of these, you can
              override the default with this option.

       -v     Be verbose. sshpass will output to stderr information that
              should help debug cases where the connection hangs, seemingly
              for no good reason.

SECURITY CONSIDERATIONS

       First and foremost, users of sshpass should realize that ssh's
       insistence on only getting the password interactively is not without
       reason. It is close to impossible to securely store the password, and
       users of sshpass should consider whether ssh's public key
       authentication provides the same end-user experience, while involving
       less hassle and being more secure.

       The -p option should be considered the least secure of all of sshpass's
       options. All system users can see the password in the command line
       with a simple "ps" command. Sshpass makes a minimal attempt to hide the
       password, but such attempts are doomed to create race conditions
       without actually solving the problem. Users of sshpass are encouraged
       to use one of the other password passing techniques, which are all more
       secure.

       In particular, people writing programs that are meant to communicate
       the password programmatically are encouraged to use an anonymous pipe
       and pass the pipe's reading end to sshpass using the -d option.
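
       The anonymous-pipe technique recommended above, as an added example
       that is not part of the original manual: a Python wrapper creates the
       pipe, lets the child inherit only the reading end, and passes that
       descriptor number with -d. The helper name run_with_password_fd and
       the "true" remote command are assumptions made for illustration.

```python
import getpass
import os
import subprocess

# Exit codes from the RETURN VALUES section of this page.
SSHPASS_ERRORS = {
    1: "Invalid command line argument",
    2: "Conflicting arguments given",
    3: "General runtime error",
    4: "Unrecognized response from ssh (parse error)",
    5: "Invalid/incorrect password",
    6: "Host public key is unknown",
    7: "IP public key changed",
}


def run_with_password_fd(make_argv, password, **popen_kwargs):
    """Run a child that reads `password` from an inherited anonymous pipe.
    make_argv(fd) returns the argument list; fd is the pipe's reading end,
    which keeps the same number in the child. (Hypothetical helper.)
    """
    read_fd, write_fd = os.pipe()
    try:
        # pass_fds leaves only read_fd open across exec. The writing end is
        # close-on-exec, so the child cannot hold the pipe open itself.
        proc = subprocess.Popen(make_argv(read_fd), pass_fds=(read_fd,),
                                **popen_kwargs)
    except BaseException:
        os.close(write_fd)
        raise
    finally:
        os.close(read_fd)  # the parent never reads from the pipe
    try:
        with os.fdopen(write_fd, "w") as writer:
            writer.write(password + "\n")  # closing then signals EOF
    except BrokenPipeError:
        pass  # child exited before reading; its exit status tells why
    out, err = proc.communicate()
    return proc.returncode, out, err


if __name__ == "__main__":
    # Host and user are the ones from this page's EXAMPLES; "true" is an
    # assumed remote command. The password never appears in argv or environ.
    rc, _, _ = run_with_password_fd(
        lambda fd: ["sshpass", f"-d{fd}", "ssh", "-l", "test",
                    "host.example.com", "true"],
        getpass.getpass("Remote password: "))
    print(rc, SSHPASS_ERRORS.get(rc, "status of the wrapped command"))
```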

RETURN VALUES

       As with any other program, sshpass returns 0 on success. In case of
       failure, the following return codes are used:

       1      Invalid command line argument

       2      Conflicting arguments given

       3      General runtime error

       4      Unrecognized response from ssh (parse error)

       5      Invalid/incorrect password

       6      Host public key is unknown. sshpass exits without confirming the
              new key.

       7      IP public key changed. sshpass exits without confirming the new
              key.

       In addition, ssh might be complaining about a man in the middle attack.
       This complaint does not go to the tty. In other words, even with
       sshpass, the error message from ssh is printed to standard error. In
       such a case ssh's return code is reported back. This is typically an
       unimaginative (and non-informative) "255" for all error cases.

EXAMPLES

       Run rsync over SSH using password authentication, passing the password
       on the command line:

       rsync --rsh='sshpass -p 12345 ssh -l test' host.example.com:path .

       To do the same from a bourne shell script in a marginally less exposed
       way:

       SSHPASS=12345 rsync --rsh='sshpass -e ssh -l test' host.example.com:path .

BUGS

       Sshpass is in its infancy at the moment. As such, bugs are highly
       possible. In particular, if the password is read from stdin (no
       password option at all), it is possible that some of the input aimed to
       be passed to ssh will be read by sshpass and lost.

       Sshpass utilizes the pty(7) interface to control the TTY for ssh. This
       interface, at least on Linux, has a misfeature where if no slave file
       descriptors are open, the master pty returns EIO. This is the normal
       behavior, except a slave pty may be born at any point by a program
       opening /dev/tty. This makes it impossible to reliably wait for events
       without consuming 100% of the CPU.

       Over the various versions different approaches were attempted at
       solving this problem. Any given version of sshpass is released with the
       belief that it is working, but experience has shown that these things
       do, occasionally, break. This happened with OpenSSH version 5.6. As of
       this writing, it is believed that sshpass is, again, working properly.

       It seems that HPUX has some non-POSIX-compliant ideas about how the
       controlling TTY is detached. sshpass may not work properly on that
       platform.
Lingnu Open Source Consulting  January 29, 2021                     SSHPASS(1)