# non-interactive ssh password authentication

## rpodgorny

Hi everybody,

this is what I need and was unable to manage:

I do know a ssh server name.

I do know a username.

I do know a password.

Is there a way to get rid of the annoying "password:" prompt when logging in? I didn't find any argument which shall be supposed to tell ssh client to send the password automaticaly. Something like "ssh host -l user -p pass" or "ssh user:pass@host".

I know the "authorized_keys" magic but it's not an option for me because I need a passwordless access from random computers. Setting null password on the server "user::1000:100: ..." didn't help... :-(

Any ideas?Last edited by rpodgorny on Mon May 12, 2003 1:58 am; edited 1 time in total

----------

## shadow255

 *czerteak wrote:*   

> Hi everybody,
> 
> this is what I need and was unable to manage:
> 
> I do know a ssh server name.
> ...

 

The only way to do this is by compromising your security or compromising the security of the ssh server.  If you control the ssh server, you can set up host-based authentication, which is strongly discouraged.  If you do that and the ssh server gets hacked, you were warned!

If you do not want to compromise the server, you can use key-based access if you can use portable storage media (e.g. a floppy disk, a ZIP disk, etc.) on the machines you need to connect from.  Create your keypair on your trusted (and hopefully secure) home system, put the generated public key on the server and put the private key on the floppy disk (or whatever).  Carry the disk with you and copy the key from it to the appropriate place on the system you're connecting from.  If you can't trust the sysadmin on that box, you'll need to remove the key each time you finish.  If you ever suspect that the key has been compromised, remove the public key from the server ASAP and generate a new keypair!

Read the manpage for ssh very carefully and pay attention to where files are supposed to be and what they are named.  I've never had a need to use key-based authentication, so I can't help much with that part.  Keep in mind that ssh is designed to be secure, and security often comes at the price of convenience.

By the way, setting a null password is a common way to make logins impossible for a user in the *nix world.

----------

## puggy

Extending what shadow255 said about keys. I'm assuming shadow255 is talking about creating a pair of keys with no passphrase. Instead create a pair of keys and use a passphrase. Then you can use something called keychain which basically prevents you from having to type in your passphrase for the key every time, by remembering. This remembering will last until they system is rebooted. or you kill the ssh-agent process running on your machine.

http://www.gentoo.org/proj/en/keychain.xml

Puggy

----------

## rpodgorny

Thanks a lot for your tips but unfortunately, it's still no solution for me... :-(

What exactly do I want:

I wan to set up a set of computers with passwordless ssh access to be used as a part of dvd::rip cluster. Unauthorized access would be filtered out by iptables (the whole 192.168.0.* network is "safe") but adding a special entry for every single computer would be very annoying (it's still over 200 machines with different users and their keys can change after reinstalls)... :-(

I think that extending ssh client to support automated password entering would be no security risk. That's why I'm so surprised it's not implemented. Don't you know about any "unofficial hack" to manage that?

Anyway. Why doesn't ssh support empty passwords? Or am I just so stupid so I cannot enable it?

Ssh seems to be a cute security thing but it's way too user-unfriendly to me. I hope I'll change my opinion soon... :-)

There has to be a way!

----------

## puggy

 *czerteak wrote:*   

> Thanks a lot for your tips but unfortunately, it's still no solution for me... 
> 
> What exactly do I want:
> 
> I wan to set up a set of computers with passwordless ssh access to be used as a part of dvd::rip cluster. Unauthorized access would be filtered out by iptables (the whole 192.168.0.* network is "safe") but adding a special entry for every single computer would be very annoying (it's still over 200 machines with different users and their keys can change after reinstalls)... 
> ...

 

err, I suggest you look again at keychain, it allows processes to hook into it as well as cron jobs and whatever. I think it is exactly what you are looking for.

Basically all that you require to do on the remote machine is cat the public part of your key pair you make into the .ssh/authorized_hosts file of the user your loogging in as on that machine.

Puggy

----------

## rpodgorny

As I'm reading my own posts, the sentences seem a bit awkward even to myself so I'll try to make it even more simple :-)

I need to set up a machine and give users some info (address, username, password) just ONCE.

The users are forced to use ssh (by dvd::rip) in non-interactive way.

----------

## puggy

Let me get this straight...

You want to use a load of machines to do processing for you on ripping DVDs?

You want to login to those machines without using a password?

You want multiple machines to be able to use the cluster to rip DVDs?

So basically what your saying is that dvd::rip uses ssh to connect to the machines its using as its processing power?

It is a huge security risk if you do not at least have some sort of password protection on the ssh servers your using as IPs can be easily faked for your IPtable protection. The keychain method would work for you as long as you simply carry your private key with you or keep it on a server somewhere for instant download to the machine your using. Of course, that local computer would have to have keychain installed (or ssh-agent at least).

The benefit of keychain is that you would never need to type a password for any machine your logging into as soon as you've put your key in the authorized_hosts file on that machine.

Multiple users can also be achieved by distributing either many public keys to the servers or by distributing your private key and passphrase.

I know of know way to be able to specify a single line ssh login including password as this is an effort to stop passwords being typed unmasked on the command line I expect.

I hope this helps.

Puggy

----------

## rpodgorny

Yeah, exactly...

I just want to install that machine and put a note on the local intranet:

"Hi everybody from my network. Everyone is free to use computer XYZ for transcoding movies. Your ssh access is limited to executing transcode only. The username is foo, password is bar. Just fill in the line in dvd::rip config with 'ssh XYZ -l foo -p bar' and be happy."

If there is a password or not isn't important. It's just about non-interactivity. And important note: 99% of the users are just dummies and they know s..t about ssh-agent and tools like that :-(

----------

## notkevin

 *czerteak wrote:*   

> 
> 
> Ssh seems to be a cute security thing but it's way too user-unfriendly to me. I hope I'll change my opinion soon... 
> 
> There has to be a way!

 

Well, the beauty of OSS is that you have the source and you can modify the program to do what ever you like!   :Very Happy: 

----------

## puggy

 *czerteak wrote:*   

> Yeah, exactly...
> 
> I just want to install that machine and put a note on the local intranet:
> 
> "Hi everybody from my network. Everyone is free to use computer XYZ for transcoding movies. Your ssh access is limited to executing transcode only. The username is foo, password is bar. Just fill in the line in dvd::rip config with 'ssh XYZ -l foo -p bar' and be happy."
> ...

 

I don't think ssh will do that, I think it has to prompt you. I think it would be easy enough to write a simple script to pass it the password when prompted though. I'll leave that up to you.  :Very Happy: 

Puggy

----------

## rpodgorny

 *notkevin wrote:*   

>  *czerteak wrote:*   
> 
> Ssh seems to be a cute security thing but it's way too user-unfriendly to me. I hope I'll change my opinion soon... :-)
> 
> There has to be a way! 
> ...

 

Oh, I know. A would do the changes myself but I doubt they'll get to upstream where I'd like to see it most... :-(

----------

## rpodgorny

 *puggy wrote:*   

>  *czerteak wrote:*   Yeah, exactly...
> 
> I just want to install that machine and put a note on the local intranet:
> 
> "Hi everybody from my network. Everyone is free to use computer XYZ for transcoding movies. Your ssh access is limited to executing transcode only. The username is foo, password is bar. Just fill in the line in dvd::rip config with 'ssh XYZ -l foo -p bar' and be happy."
> ...

 

If it's like that, I'm very sad... :-( I already tried to create a script but it's not straightforward enough (remember, the other users are dummies) and it wasn't working anyway. ssh checks whether it's executed in interactive shell or something like. Right now, I'm at scholl (windoze) so I can't tell you the exact error message but you can try yourself.

It's something like "echo "password" | ssh user@host".

----------

## dermot

Why not just write an expect script and distribute that to your users?

----------

## StuBear

 *czerteak wrote:*   

> I need to set up a machine and give users some info (address, username, password) just ONCE.
> 
> The users are forced to use ssh (by dvd::rip) in non-interactive way.

 

I think that you CAN use keychain for this. instead of having the users create the ssh keypairs - you do it and send the key and keychain starting script to the users. That way the only have to enter the ssh password once (when keychain starts) and then they can ssh to your machine as many times as they want until the machine they are on is rebooted or keychain is killed. THey can even log out and back in and ssh to your machine without having to enter the password again.

As keychain is only a 12k bash script, it can be easily dl from a server.

As suggested check out the gentoo page for keychain http://www.gentoo.org/proj/en/keychain.xml and also read the IBM developerWorks articles that drobbins wrote about the uses of keychain. They are lniked to in section 4 of the above page.

----------

## rpodgorny

 *StuBear wrote:*   

>  *czerteak wrote:*   I need to set up a machine and give users some info (address, username, password) just ONCE.
> 
> The users are forced to use ssh (by dvd::rip) in non-interactive way. 
> 
> I think that you CAN use keychain for this. instead of having the users create the ssh keypairs - you do it and send the key and keychain starting script to the users. That way the only have to enter the ssh password once (when keychain starts) and then they can ssh to your machine as many times as they want until the machine they are on is rebooted or keychain is killed. THey can even log out and back in and ssh to your machine without having to enter the password again.
> ...

 

OK, I'll take a deep look a it. But it still means they'll have to learn how to use keychain (not to mention the installation and stuff...) am I right?

----------

## rpodgorny

 *dermot wrote:*   

> Why not just write an expect script and distribute that to your users?

 

Ummm, maybe. The problem is that have absolutely no experience with expect. I don't know what is it capable of and what not... :-( Can you please give me some basic info?

----------

## TenPin

I use key based authentication on my heavily firewalled network (which is also inside a heavily firewalled uni network).

Here are the commands to setup key based authentication where local is the machine you are logging in from and remote is where local is logging in to.

```

local:

cd ~/.ssh

ssh-keygen -t rsa -f id_rsa

(don't enter a password to avoid ever typing one in)

remote:

cd ~/.ssh

touch authorized_keys

chmod 600 authorized_keys

cat id_rsa.pub >> authorized_keys

(where id_rsa.pub is copied from local:~/.ssh/id_rsa.pub)

```

I didn't have to change the global ssh configs for this to work on Gentoo.

----------

## StuBear

 *czerteak wrote:*   

> OK, I'll take a deep look a it. But it still means they'll have to learn how to use keychain (not to mention the installation and stuff...) am I right?

 

It's a bash script, so there is no need for installation, they can run it from their home dir. Also once it's setup (which you can do with a simple install script) all thay have to do is run it and type in their password - done.

----------

## rpodgorny

 *TenPin wrote:*   

> I use key based authentication on my heavily firewalled network (which is also inside a heavily firewalled uni network).
> 
> Here are the commands to setup key based authentication where local is the machine you are logging in from and remote is where local is logging in to.
> 
> ```
> ...

 

Thanks but I alreadyknow (and use) this method. Unfortunately, that's not what I need. I need a real public access without any key additions on my side for each host... :-(

----------

## notkevin

 *czerteak wrote:*   

> 
> 
> Oh, I know. A would do the changes myself but I doubt they'll get to upstream where I'd like to see it most... 

 

I have not looked at the source myself, but it seems that it would be something you could change on the server side. 

BTW: here is a link to the expect homepage, http://expect.nist.gov/ , I have written quite a few expect scripts, it is very flexable. But from your other posts I don't think it is something you want.

----------

