put password in script for ssh ... 1


hokky

Technical User
Nov 9, 2006
Hi guys,

I need a favor here,

I need to ssh across to the other server, but I need to put the password in it.

That server can't be passwordless because of the permission thing that I am not allowed to change.

So this is part of my script :
Code:
#!/bin/ksh

ssh dr01 "ls -l" <<EOF
password
EOF

but it doesn't work. Any ideas, guys?

Thanks very much before.
 
And what about man ssh ?

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
 
PHV - You can't supply a password to ssh on the command line. Why? Well, whatever is put on a command line can be seen in a ps. What does that mean to you? If you do it on the command line, everyone sees the password, and you may as well be telnetting. The developers of ssh know that, and won't let you do it. man ssh won't help him.

hokky - Your attempt is still not ideal, but a step in the right direction. Here's the missing piece:

man expect

You can tell expect to run ssh, wait for a string that ends in "assword" (different versions of ssh/telnet/rsh use password or Password, so to avoid this I've gotten in the habit of using the amusing assword), and then "type" to the program on stdin the password for the server you're ssh-ing to, and then any host of other commands, and then exit.

Keep in mind, this solution requires the script to be kept with read/execute permissions closely guarded so that the password can't be grabbed without gaining access to your account on the machine the script will be run on.

 
Thanks jstreich,

But could you please provide me with a sample of how to use expect?

I read the man page but can't understand how to link it with ssh.

Thanks very much man
 
I was just wondering,

In my server I can see the expect installed, but I read from the website I should download and install from here :

So, is there any difference between what I have in server and what in website ?

Cheers,
 
hokky,

The server can still have a password. If you use ssh-keygen, this should solve your problem. If for some reason you cannot do this, even though it is more secure than putting a password inside a script, see below for an expect example.

#!/usr/bin/expect
spawn telnet
expect "login: "
send "userid1\r"
expect "Password: "
send "userid1\r"
...

Just keep expecting command line prompts and sending commands. Your version of expect is probably fine and will work if you decide to use it.
 
PHV - You can't supply a password to ssh on the command line
I know that, but my man pages clearly explain the public/private keys stuff ...

Hope This Helps, PH.
 
Hi Guys,

Here's what I've tried :
Code:
#!/usr/bin/expect

spawn ssh ypprod02 "ls -l"
expect "Password: "
send "test\r"

I don't have to put the login because it's ssh so straight away using my login. let's say "test" is the password,
the result is :
Code:
[user@prod01 Script]$ ./new_test.ksh
spawn ssh prod02 ls -l
user@prod02's password: [user@ypprod01 Script]$

It didn't give me the list in prod02 server ?
why ?

Thanks very much guys
 
Using expect to provide a password for ssh seems stupid to me. PHV gave the proper advice (although pretty terse and cryptic). You should look into setting up a shared key so you don't need to hard code your password in an expect script. Google or search Tek-Tips for both "ssh" and "ssh-keygen". There are plenty of examples available.
 
I know how to use ssh-keygen, but for some reason I couldn't do it because the group permission for that home directory is set "w".

OK, if using PHV's advice, I have tried this, which he gave in another thread, but it doesn't work either.

Code:
#!/bin/ksh
{
sleep 1
echo "password\r"     
sleep 1
echo "commands\r"       
sleep 1
echo "exit\r"        
sleep 5
}|ssh -l -t username ip.address

Anyone can help please,

just put password in the script and run ssh, that's all guys. Please...
 
This is the error I have :

Pseudo-terminal will not be allocated because stdin is not a terminal.
 
}|ssh -t -l username ip.address

Hope This Helps, PH.
 
Still have same error as before PHV,

Any other idea guys ?
 
that server can't be passwordless because of the permission thing that I am not allowed to change.

Ever wonder why this restriction has been imposed?

Security?

and now you want to circumvent to make it less secure?

Why not do it properly and get keys set-up?

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
 
BTW congrats PHV on the tipmaster

Mike

 
sigh mrn,

Ever wonder why this restriction has been imposed?

Security?

and now you want to circumvent to make it less secure?

Why not do it properly and get keys set-up?
I know how to use ssh-keygen, but for some reason I couldn't do it because the group permission for that home directory is set "w".

Let's say the user name is mars; in the mars home directory the permission setup is "rwxrwx...", so if I create ssh key-gen, it won't work, because of the group permission thing.

And it's been setup like that because we need to give access to the group to be able to archive the file inside mars home directory.

Now, if some files don't arrive on the prod server in the mars home directory, I need to copy the data from the DR server. So that's why I need ssh open to check the data between DR and PROD.

What I need: just put the password in the script so I don't have to echo the password manually, and then I want to schedule it every day.

Come on guys, I know you're expert ... please help me...

PHV, Anni ?? where are you :D ??

pmcmicha,

your script doesn't work. can you help ?
 


In that case why not use rsync?

Mike

 
It's a bit obtuse but I had to do a workaround where the user who wanted to do passwordless ssh/scp/sftp had to have group writable home directory permissions. Here's my answer

On server1 and server2 create a new user called txuser
Set keys so that txuser has passwordless access
Use sudo on each server so that txuser can perform the relevant actions

For example, as user1 on server1

Code:
sudo su - txuser -c "ssh txuser@server2 \"sudo su - user2 -c DoCommand\""

Ok, I'll admit it's convoluted and ugly, but it got round having passwords in plain text in script files (not allowed on my systems).

Ceci n'est pas une signature
Columb Healy
 
Let's say the user name is mars; in the mars home directory the permission setup is "rwxrwx...", so if I create ssh key-gen, it won't work, because of the group permission thing.

And it's been setup like that because we need to give access to the group to be able to archive the file inside mars home directory.

Why not do this instead?
1) Remove the group write permissions from the home directory.
2) Create a new dropoff directory for these archives.
3) Create the ssh keys as per the man page.
4) Script can now connect in a secure manner, the base home directory cannot be violated.


As far as the example not working, it was only meant to serve as a guideline for how expect works. If you really want to use expect, check out the book from O'Reilly, but you have better options if you explore them properly.
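
Added example (not part of the thread and not any poster's code): with StrictModes enabled, which is the OpenSSH default, sshd refuses key authentication when the home directory, ~/.ssh or authorized_keys is writable by group or others, which is the "rwxrwx..." situation described above. This sketch reports which of those paths would trip that test; it checks mode bits only, not ownership, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: mode test modelled on sshd's StrictModes behaviour.
# Function names are hypothetical; ownership is not checked here.

# Succeeds when PATH is writable by group or others (mode & 022 != 0).
writable_by_others() {
    perms=$(ls -ldL "$1" | cut -c1-10)    # e.g. drwxrwx---
    case "$perms" in
        ?????w*|????????w*) return 0 ;;   # char 6 = group w, char 9 = other w
        *) return 1 ;;
    esac
}

# strictmodes_check HOME_DIR
# Prints every path that is too permissive; returns 0 only when none is.
strictmodes_check() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue           # nothing to judge yet
        if writable_by_others "$p"; then
            echo "too permissive: $(ls -ldL "$p" | cut -c1-10) $p"
            bad=1
        fi
    done
    return "$bad"
}

# Run against a real home directory when one is given as an argument.
if [ $# -gt 0 ]; then
    strictmodes_check "$1" && echo "modes OK for key authentication"
fi
```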
 
pmcmicha,

The problem is that all the other systems send files to that directory, so I can't change those because there are too many and I don't have access to do that.

columb,

I'll try yours
 