749

How to automate SSH login with password? I'm configuring my test VM, so heavy security is not considered. SSH chosen for acceptable security with minimal configuration.

ex)

echo password | ssh id@server

This doesn't work.

I remember I did this with some tricks somebody guided me, but I can't remember now the trick I used...

Eonil
  • 10,649
  • 2
    FreeBSD did not accept password-less keys. Don't be tempted. However some Linux servers accepted it. I believe the Linux server was misconfigured. – Eonil Mar 01 '11 at 14:32
  • 44
    This is a valid question. For example, I want to allow a user to enter a password, then login in to another machine using it. I can't assume that there will be ssh keys distributed across all our machines. The answers below so far do not help this situation. – dfrankow Apr 12 '12 at 16:30
  • http://unix.stackexchange.com/questions/38737/ssh-login-with-clear-text-password-as-a-parameter || http://unix.stackexchange.com/questions/38737/ssh-login-with-clear-text-password-as-a-parameter || http://stackoverflow.com/questions/233217/pass-password-to-su-sudo-ssh – Ciro Santilli OurBigBook.com Nov 30 '15 at 21:24
  • 1
    Very important question. I need an answer too, my webspace provider blocks to put keyfiles on the server, so I must pass the passwort without keyfiles. – Radon8472 Jul 11 '18 at 13:45
  • 1
    Here is a purely bash answer,

    --- file starts --- #!/bin/bash [[ $1 =~ password: ]] && cat || SSH_ASKPASS="$0" DISPLAY=nothing:0 exec setsid "$@"

    --- file ends--- Save it as pass, do a chmod +x pass and then use it like this:

    $ echo mypass | ./pass ssh user@host

     – Shankara Narayana Sep 14 '20 at 00:09
  • See also: StackOverflow: Pass a password to ssh in pure bash – Gabriel Staples Oct 26 '21 at 23:33
  • I have to use a password. Can a solution like that be offered too? – Charlie Parker Nov 25 '22 at 20:21

8 Answers8

906
$ sudo apt-get install sshpass
$ sshpass -p your_password ssh user@hostname
weekens
  • 9,221
  • 75
    Yup, sometimes you can't use key based auth for various reasons.. for example right now I can't use keyauth on a plesk server because out the box it's not enabled and I don't have root. – John Hunt Jul 04 '13 at 13:33
  • 29
    +1! As a side note, you need to run plain ssh once before using sshpass, in order to confirm the RSA fingerprint – user123444555621 Aug 02 '13 at 08:08
  • 55
    -1 for having to use the password in the command. This logs the password at .bash_history in plain text on your machine. –  Apr 11 '14 at 21:18
  • 1
    Not sure, but usefull for your own virtual local servers management. Thank you! – ssoto Jan 13 '15 at 17:49
  • 3
    Try something like this stty -echo; read -s -p "Enter ssh password : " PASSWORD_SSH; stty echo; sshpass -p y$PASSWORD_SSH ssh user@hostname; in a bash script file to not have the password in the .bash_history – yunzen Apr 14 '15 at 07:33
  • 25
    @MisterDood You could run history -r after the command to erase your history. Good point though. – NuclearPeon May 14 '15 at 18:37
  • 4
    Here's a gist to install sshpass on OSX: https://gist.github.com/arunoda/7790979 – the Jun 09 '15 at 10:58
  • 8
    +1 because I couldn't care less that it is logged in .bash_history. Whatever. – Nick Manning Jun 21 '15 at 00:47
  • 6
    sshpass -p 'your_password' ssh user@hostname -p portnumber if your port differs from 22 – vladkras Jan 13 '16 at 10:44
  • 10
    @AlaskaWebHosting why not just sshpass -p "$(cat ~/credentials/server01)" ssh user@server01? – Adam K Dean Jan 13 '16 at 11:48
  • 1
    Note this sshpass won't take passphrases, but there is a fork that does: https://github.com/blue-sky-r/sshpass-p4k – Mahn Apr 12 '16 at 16:23
  • 44
    Pro tip: If you don't want to have a specific command show up in .bash_history, prefix the command with a space. It just works. However, users of this command should be more concerned that non-privileged users on the system can see the full command-line with ps, which, of course, includes the password. Since ssh sessions tend to be long-lived, this is a security issue. – CubicleSoft Jul 16 '16 at 15:47
  • 10
    If this is your first login you could use -oStrictHostKeyChecking=no to skip the host key checking. Example usage: sshpass -p 'your_password' ssh -oStrictHostKeyChecking=no user@hostname uptime – Lahmizzar Oct 12 '16 at 12:21
  • 4
    This should be the accepted answer – Deepak Mahakale Oct 25 '16 at 08:59
  • 1
    Thank you so much! I used it to brute force a SSH connection which I forgot the password (I remembered which letters and numbers I used but not the form). – Adrian Antunez Jul 04 '17 at 18:51
  • 1
    +1 did not work for me but attempts to answer the question – josinalvo Nov 30 '17 at 16:23
  • 4
    I like @yunzen comment, you can read the $PASSWORD_SSH variable from a file or as a result of another command, for example: source .env; sshpass -p $PASSWORD_SSH ssh user@hostname – emont01 May 09 '19 at 18:10
  • mac users use macports not homebrew for this one – Samie Bee Jul 29 '19 at 02:49
  • Please read the SECURITY NOTE on sshpass package description. – Pablo A Aug 01 '19 at 04:46
  • 6
    Just use sshpass -f PWFILE ssh user@host which takes the password directly from the file – clemisch Aug 17 '19 at 18:01
  • Great! To stay away from history thing, i wrote command in executable file and i'm running that. I know its not much secured, but its good than having it to visible as a plain text in a history. – Ravi Dhoriya ツ Apr 16 '20 at 15:57
  • Not working for me! – Nam G VU Sep 25 '20 at 07:07
  • This should be the accepted answer to me! – Nam G VU Jun 01 '21 at 12:54
  • 1
    E: Unable to locate package sshpass. This only works on default Debian/Ubuntu. Not all derivatives need to contain this package. – Tino Jun 29 '21 at 14:36
  • 1
    thank you for actually answering the question, I know about ssh keys, but sometimes I just have to access poorly managed servers. – Magus Jan 06 '22 at 16:49
  • can't I pass my password to the other command using ssh without a passphrase? I just want to use my password. – Charlie Parker Nov 25 '22 at 20:22
  • 1
    echo 'password' | sshpass -f /dev/stdin ssh user@somehost command – anthony Apr 06 '23 at 03:00
128

While the correct answer for your question is sshpass (see other answer for details), there is a more secure way - SSH keys. You are just three easy steps away from the solution:

All the following commands are being run on the client side, i.e. your machine

Enter the following command to start generating a rsa keypair:

# ssh-keygen

When the message 'Enter file in which to save the key' appears, just leave the filename blank by pressing Enter.

When the terminal asks you to enter a passphrase, just leave this blank (Warning: read below) too and press Enter.

Then copy the keypair onto the server with one simple command:

# ssh-copy-id userid@hostname

you can now log in without a password:

# ssh userid@hostname

WARNING: Leaving SSH keys exposed without encrypting them is a not good practice even if you encrypt your whole drive. What is much safer is to actually enter a passphrase when generating keys and then use Keychain (MacOS, Linux) or SSH agent to remember the passphrase until you signout or suspend or timeout, depending on what you prefer.

lzap
  • 2,970
  • 2
    Works fine with the default values. Using ~/rsa4live.pub didn't work for me when attempting ssh-copy-id. – Cees Timmerman Jun 04 '15 at 10:08
  • 1
    If you want this steps to work for different user, 1. ssh-keygen 2. ssh-copy-id nazir@hostname 3. ssh nazir@hostname – Venfah Nazir Jun 17 '16 at 10:23
  • 2
    For me it was ssh-copy-id -i ~/.ssh/tatu-key-ecdsa user@host – Gabriel Fair Sep 08 '17 at 21:47
  • 61
    This isn't an answer to the question. – Steve Bennett Nov 27 '17 at 23:10
  • 6
    And? The answer is above, sshpass... – lzap Nov 30 '17 at 16:21
  • 1
    will this overwrite any keys on the remote server? – Alexander Mills Aug 01 '19 at 21:03
  • 1
    No it adds to existing list. – lzap Aug 15 '19 at 12:59
  • Work for me while the selected answer didn't. – Herman Toothrot Feb 03 '20 at 09:35
  • "Enter the following command to start generating a rsa keypair:" where do I enter that command, in the server or in the client? – M.E. May 06 '20 at 07:25
  • Well, it now wants the password for ssh key :D beautiful :D the problem is not solved but we added a new layer of complexity! what an amazing solution! (Don't tell me that we can start ssh-agent and so on) that's not a solution, I want to start from my home computer to my home server with access to the internet, so this answer is not appropriate – Nusrat Nuriyev Apr 20 '21 at 10:26
  • WARNING! If you are new to ssh and public keys, do not fall into the trap of thinking that adding keys to a login makes it more secure than with a password! In contrast it makes it less secure! ssh-keys are only more secure if (a) you get rid of passwords (else you keep the insecurity of passwords, so insecurity can only rise!) and (b) you already know what you are doing (so you normally do not need that answer at all because you already know it better) and (c) everything is used and secured properly (which is much more difficult than with passwords alone if you are not used to it). – Tino Jun 29 '21 at 14:42
  • This is awesome!! Sometimes, taking the time to do it right makes a lot of sense. – Gogol Aug 22 '21 at 11:22
  • 1
    @tino absolutely it is not recommended to leave your SSH keys exposed. Instead, use ssh-agent or feature of any good OS (Linux, MacOS) - keychain. It will automatically remember your SSH keys passphrase once you enter it in the morning or after resume. Then it is totally safe. – lzap Dec 06 '21 at 11:08
  • 1
    Dropped a warning about this. – lzap Dec 06 '21 at 11:11
  • can't I pass my password to the other command using ssh without a passphrase? I just want to use my password. – Charlie Parker Nov 25 '22 at 20:22
  • And if the device doesn't support ssh key authentication? No other options? – majorgear Apr 14 '23 at 22:48
  • no prompt

    ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa

     – seunggabi Jul 16 '23 at 05:53
64

Use expect:

#!/usr/bin/expect -f
#  ./ssh.exp password 192.168.1.11 id
set pass [lrange $argv 0 0]
set server [lrange $argv 1 1]
set name [lrange $argv 2 2]

spawn ssh $name@$server
match_max 100000
expect "*?assword:*"
send -- "$pass\r"
send -- "\r"
interact

Example:

# ./1.ex password localhost ooshro
spawn ssh ooshro@localhost
ooshro@localhost's password: 
Linux ubuntu-1010-server-01 2.6.35-25-generic-pae #44-Ubuntu SMP Fri Jan 21 19:01:46 UTC 2011 i686 GNU/Linux
Ubuntu 10.10

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/
Last login: Tue Mar  1 12:41:12 2011 from localhost
ooshro
  • 11,262
  • 2
    It worked but it can't print stdout of remote machine. – Eonil Mar 01 '11 at 12:41
  • it works well for some machine can't put the key in advance since IP address is changed everytime. – larrycai Dec 19 '12 at 06:14
  • 4
    it will be good to add -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null for ssh command as well to avoid accept the machine into known_hosts – larrycai Dec 19 '12 at 06:15
  • 1
    B.. b but muh ssh keys... – Damien Jun 01 '17 at 05:50
  • More detailed example of this script you can find at:

    https://linuxaria.com/howto/2-practical-examples-of-expect-on-the-linux-cli

    This examples here should work with remote commands too

     – Radon8472 Jul 11 '18 at 13:39
  • This should be the accepted answer. Because it works most of the time. If not, because expect is missing on your machine, there are tons of variants you can use instead. One nearly always works: https://en.wikipedia.org/wiki/Expect – Tino Jun 29 '21 at 14:55
  • I can't install expect but do have access to ssh. Can't ssh send the password to the other command I'm trying to run? echo $SU_PASSWORD | /afs/cs/software/bin/reaut – Charlie Parker Nov 25 '22 at 20:23
58

SSH single sign-on is usually achieved with public key authentication and an authentication agent. You could easily add your test VM key to an existing auth agent (see example below). Other methods such as gssapi/kerberos exist but are more complex.

sshpass

In situations where password is the only authentication method available, sshpass can be used to automatically enter the password. Please pay particular attention to the SECURITY CONSIDERATIONS section of the man page. In all three options, the password is visible or stored in plaintext at some point:

Anonymous pipe (recommended by sshpass)

# Create a pipe
PIPE=$(mktemp -u)
mkfifo -m 600 $PIPE
# Attach it to file descriptior 3
exec 3<>$PIPE
# Delete the directory entry
rm $PIPE
# Write your password in the pipe
 echo 'my_secret_password' >&3
# Connect with sshpass -d
sshpass -d3 ssh user@host

# Close the pipe when done
exec 3>&-

It is quite cumbersome in bash, arguably easier with programming languages. Another process could attach to your pipe/fd before the password is written. The window of opportunity is quite short and limited to your processes or root.

Environment variable

# Set your password in an environment variable
 export SSHPASS='my_secret_password'
# Connect with sshpass -e
sshpass -e ssh user@host

You and root can read your process' environment variables (i.e. your password) while sshpass is running (cat /proc/<pid>/environ | tr '\0' '\n' | grep ^SSHPASS=). The window of opportunity is much longer but still limited to your own processes or root, not other users.

Command-line argument (least secure)

 sshpass -p my_secret_password ssh user@host

This is convenient but less secure as described in the man page. Command line arguments are visible to all users (e.g. ps -ef | grep sshpass). sshpass attempts to hide the argument, but there is still a window during which all users can see your password passed by argument.

Side note

Set your bash HISTCONTROL variable to ignorespace or ignoreboth and prefix your sensitive commands with a space. They won't be saved in history.

SSH public key authentication

# Generate a key pair
# Do NOT leave the passphrase empty
ssh-keygen
# Copy it to the remote host (added to .ssh/authorized_keys)
ssh-copy-id user@host

The passphrase is very important. Anyone somehow obtaining the private key file won't be able to use it without the passphrase.

Setup the SSH authentication agent

# Start the agent
eval `ssh-agent`
# Add the identity (private key) to the agent
ssh-add /path/to/private-key
# Enter key passphrase (one time only, while the agent is running)

Connect as usual

ssh user@host

The advantage is that your private key is encrypted and you only need to enter its passphrase once (via a safer input method too).

nrolans
  • 763
  • 16
    If you really can't resist answering "don't do that", this is how you should do it! Answer the actual question and then throw in your unsolicited advice at the end. Good job @nrolans. – Timmmm Dec 18 '19 at 10:59
  • sshpass is not an option - there is not such thing in git bash. it should be installed – Nusrat Nuriyev Apr 20 '21 at 10:32
  • ssh-add is what I was looking for! – ElyashivLavi Oct 11 '21 at 08:22
  • I can't install expect but do have access to ssh. Can't ssh send the password to the other command I'm trying to run? echo $SU_PASSWORD | /afs/cs/software/bin/reaut – Charlie Parker Nov 25 '22 at 20:24
  • What is the difference in security between using -d with anonymous pipe (gpg -dq pwd.encrypted >&3 as shown above, and sshpass -f <(gpg -dq pwd.encrypted) ssh host? AFAIK process substitution creates an anonymous pipe. – nyg Feb 25 '23 at 01:35
36

I am surprised nobody mentioned plink from the putty-tools package in Ubuntu:

plink user@domain -pw mypass  [cmd]

It also available on Windows and the syntax is mostly compatible with the openssh client.

eadmaster
  • 837
  • 9
  • 6
23

This might not be any use to you, but you can do it with Perl: 

\#!/usr/bin/perl  
use warnings;  
use strict;  

use Net::SSH::Perl;  
my $host = 'remote.serv.er';  
my $user = 'root';  
my $pass = 'hunter2';  
my $ssh = Net::SSH::Perl->new('$host');  
$ssh->login('$user', '$pass') or die "Oh noes! $!";
kaiser
  • 1,241
James L
  • 6,115
  • 1
  • 23
  • 26
9

I prefer passh https://github.com/clarkwang/passh

sshpass is broken by design.

when the ssh server is not added already in my known_hosts, sshpass will not show me the message to add the server to my known hosts, passh do not have this problem.

Login to a remote server:

$ passh -p password ssh user@host
Badr Elmers
  • 276
  • 3
  • 6
  • 1
    How to install on mac osx? – PKHunter Mar 15 '22 at 21:53
  • @PKHunter the github repo says it works in mac os too, so you have to compile it first, this is what I did in windows too. I do not use mac os so cannot tell you how to compile there , but google can help you, it is one file so easy to compile. – Badr Elmers Mar 16 '22 at 06:44
  • @PKHunter it does work on macOS. Here's a 1-liner: git clone https://github.com/clarkwang/passh && cd passh && cc -o passh passh.c && cp passh /usr/local/bin – luckman212 Jul 14 '23 at 14:57
6

Depending on your automation needs, perhaps Ansible would be a good fit for you. It can nicely manage things like prompting for password, prompting for sudo password, various ways of changing use, securely using encrypted secrets (vault).

If that’s not suitable, I would suggest Expect, as suggested in another answer.

Cameron Kerr
  • 4,109