Home / ubuntu / Questions / 87956
Accepted
Netmoon
Asked: 2011-12-16 03:36:55 +0800 CST

Can you set passwords in .ssh/config to allow automatic login?

  • 772

I'm using Ubuntu 11.10 and ssh for connecting to many servers daily, so I put their parameters in the .ssh/config file like this:

Host Home
User netmoon
Port 22
HostName test.com

Is there a way to put passwords for each connection in this file, so that, when the server asks for the password, the terminal enters its password and sends it to the server?

I need this because sometimes I'm away from the PC and when I get back, type a password, and press Enter the terminal says CONNECTION CLOSED.

P.S. I don't want to use a public/private key pair.

command-line

15 Answers

  1. Best Answer

    Trading off security for convenience never ends well...

    Could you use ssh-copy-id from the openssh-client package?

    From man ssh-copy-id:

    ssh-copy-id is a script that uses ssh to log into a remote machine and append the indicated identity file to that machine's ~/.ssh/authorized_keys file.

    • 57

  2. If you don't really want to use a public/private key pair, you can write an expect script to enter the password for you automatically depending on the destination address.

    Edit: What I mean is that you can have a script that, on one hand, uses expect to enter the password for you and, on the other hand, reads the password for a given user and host from a configuration file. For example, the following python script will work for the sunny day scenario:

    #!/usr/bin/python                                                                                                                        
import argparse
from ConfigParser import ConfigParser
import pexpect

def main(args):
    url = args.url
    user, host = url.split('@', 1)

    cfg_file = 'ssh.cfg'
    cfg = ConfigParser()
    cfg.read(cfg_file)
    passwd = cfg.get(user, host)

    child = pexpect.spawn('ssh {0}'.format(url))
    child.expect('password:')
    child.sendline(passwd)
    child.interact()

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Run ssh through pexpect')
    parser.add_argument('url')
    args = parser.parse_args()
    main(args)

    and the configuration file format would be as follows:

    [user_1]
host1 = passwd_1
host2 = passwd_2

[user_2]
host1 = passwd_1
host2 = passwd_2

    Note: As explained, the python script would need to be much more complex to handle all the possible errors and question messages from ssh and all the possible URLs (in the example it's assumed that it will be something like user@host, but the user part isn't used most of the times), but the basic idea would still be the same. Regarding the configuration file, you may use a different configuration file or use .ssh/config and write your own code to parse that file and get the password for a given user and host.

    • 27

  3. How about ProxyCommand:

    Host Home-raw
    HostName test.com
Host Home
   User netmoon
   Port 22
   ProxyCommand sshpass -pmypass ssh netmoon@%h-raw nc localhost %p

    You can use ssh -W instead of nc as well:

    ProxyCommand sshpass -pmypass ssh netmoon@%h-raw -W localhost:%p
    • 24

  4. There also is sshpass program for that. How to use: sshpass -p MyPa55word ssh [email protected]

    • 21

  5. No. This is not possible I'm afraid.

    The only real alternative is to use private keys but you've said you don't want to (why not?).

    • 16

  6. You can create a simple ssh script replacement in /usr/local/bin:

    #!/bin/bash

host=$1
password=`awk "/#Password/ && inhost { print \\\$2 } /Host/ { inhost=0 } /Host $host/ { inhost=1 }" ~/.ssh/config`

if [[ -z "$password" ]]; then
  /usr/bin/ssh $*
else
  sshpass -p $password /usr/bin/ssh $*
fi

    And then in your ~/.ssh/config file you can use

    Host foohost
    User baruser
    #Password foobarpassword
    • 8

  7. Answering the question you asked, no it's not possible to configure a default password in an ssh config file.

    But if indeed, as you say, it's "because sometimes I stand away from the PC and when I go back, type a password and press Enter the terminal says CONNECTION CLOSED", then why not prevent closing the session instead? SSH can keep connections alive for you.

    Host Home
  User netmoon
  Port 22
  HostName test.com
  ServerAliveInterval 300
  ServerAliveCountMax 2
    • 4

  8. I use an application from VanDyke Software called SecureCRT.

    http://www.vandyke.com/products/securecrt/

    It is not free, but very reasonably priced. I have used it for years (running on Windows, or using Wine) for remote access, terminal emulation, and (dispersed) network management. They finally released a native Linux version of this at the beginning of 2011.

    It has support for complex login settings (or scripts), stored passwords (or certificates), tabbed multiple sessions, etc.

    At startup you can choose which remote target (and protocol) from a structured list (tree view) of stored remote (or local) machines, or just create a connection (which is then stored).

    I have found it particularly useful for remote sites with advanced authentication, non-standard ports, or firewall-access negotiation.

    If you are doing remote access a lot (part of your main role), then this application will justify its expense in the first month of use.

    • 3

  9. Inspired by @Arek Burdach's answer and others' wrapper, I've wrote a wrapper that should be more robust which facilitated ssh own command parsing.

    UPDATE 2021-04-26: Fixed wrapper when a host only matches the prefix (e.g. Host is none)

    Here's how it work:

    • We first dry-run the ssh with -v and a non-existent ProxyCommand, so it wouldn't make any network connection and exit at once.
    • Then we extract the line like debug1: /home/misty/.ssh/config line 42: Applying options for XXXXXX. But the ssh output the errlog with \r, so we replaced them before passing into grep.

    According to my test, ssh will only recognize the first -o ProxyCommand=XXX in commandline, even if there's second ProxyCommand option in the cmdline, or there's ProxyCommand in ~/.ssh/config, so our method will be very very stable ;)

    For ssh

    #!/usr/bin/env bash
ORISSH=/usr/bin/ssh
ssh_dryrun=$($ORISSH -v -o "ProxyCommand=FAKE_PROXY_STUB %h %p" "$@" 2>&1 | sed -e 's/\r/\n/g')
host=$( grep -oP 'Applying options for \K(.*?)$' <<< $ssh_dryrun | head -n 1 )

if [[ $host == "*" ]]; then
  password=''
else
  password=`awk "/#Password/ && inhost { print \\\$2 } /^Host/ { inhost=0 } /Host $host$/ { inhost=1 }" ~/.ssh/config`
fi

if [[ -z "$password" ]]; then
  $ORISSH "$@"
else
  sshpass -p $password $ORISSH "$@"
fi

    For scp:

    #!/usr/bin/env bash
ORISCP=/usr/bin/scp
scp_dryrun=$($ORISCP -v -o "ProxyCommand=proxyhost %h %p" "$@" 2>&1 | sed -e 's/\r/\n/g')
host=$( grep -oP 'Applying options for \K(.*?)$' <<< $scp_dryrun | head -n 1 )

if [[ $host == "*" ]]; then
  password=""
else
  password=`awk "/#Password/ && inhost { print \\\$2 } /^Host/ { inhost=0 } /Host $host$/ { inhost=1 }" ~/.ssh/config`
fi

if [[ -z "$password" ]]; then
  $ORISCP "$@"
else
  sshpass -p $password $ORISCP "$@"
fi
    • 3

  10. Thanks, Arek for the inspiration...

    Rather than running another shell process, this is just a function running in the current bash shell. It runs a single awk command to parse the config file and figure out if it should take the password from a shell variable or from the password written cleartext into the ssh config file (with awk in an eval instead of declare due to issues I hit using declare).

    I tried so many ways of using sshpass directly in an ssh config file using ProxyCommand, but nothing seemed to work as expected, except when I could log in to a box via RSA and then I needed to send a password to open my encrypted directory. However, my function below seems to work for me in all cases, even for Cygwin.

    # In your .bash_profile
function ssh(){
    host=$1;
    unset PASSWORD
    unset PASSVAR
    eval $(awk "/ *#[Pp]assvar / && inhost { printf \"PASSVAR=%s\",\$2; exit 1 } / *#[Pp]assword / && inhost { printf \"PASSWORD=%s\",\$2; } /^#?[Hh][oO][sS][tT] / && inhost { inhost=0; exit 1 } /^[Hh][oO][sS][tT] $host\$/ { inhost=1 }" ~/.ssh/config)
    if [[ -z "$PASSWORD" ]] && [[ -z "$PASSVAR" ]]; then
        /usr/bin/ssh -q $* 2>/dev/null
    else
       if [[ -n "$PASSVAR" ]]; then
          PASSWORD=$(TMP=${!PASSVAR-*};echo ${TMP##*-})
       fi
       /usr/local/bin/sshpass -p"$PASSWORD" /usr/bin/ssh -q $* 2>/dev/null
    fi
}
# and setup your passwords (perhaps in .bashrc instead...)
MYPASS_ENVVAR=SomePassword
MYPASSWD_FROM_FILE=$(</home/me/.passwd_in_file)

    Then a ~/.ssh/config section looks like this:

    Host MyHostname
 Port 22
 Hostname 2.1.2.2
 User merrydan
 #Passvar MYPASS_ENVVAR
 #Password Some!Password

    If a #Passvar exists in the config section this overrides the #Password.
    $MYPASS_ENVVAR is the environment variable holding your password.

    Enjoy!

    And something to handle most scp scenarios (not fully fleshed but at least a start...)

    function scp(){
    host=$(echo $* | perl -pe 's/^.*?([A-Za-z-1-9-]+):.*?$/\1/;');
    unset PASSWORD
    unset PASSVAR

    eval $(awk "/#[Pp]assvar / && inhost { printf \"PASSVAR=%s\",\$1; exit 1; } /^ *#[Pp]assword / && inhost { printf \"PASSWORD=%s\",\$2; } /^#?[Hh][oO][sS][tT] / && inhost { inhost=0; exit 1; } /^[Hh][oO][sS][tT] $host\$/ { inhost=1; }" ~/.ssh/config)
    if [[ -z "$PASSWORD" ]] && [[ -z "$PASSVAR" ]]; then
        #echo /usr/bin/scp -3 $*
        /usr/bin/scp -3 $* || true
        #echo "SSH Exit Code $?"
    else
       if [[ -n "$PASSVAR" ]]; then
          #PASSWORD=`echo ${!PASSVAR}`
          PASSWORD=$(TMP=${!PASSVAR-*};echo ${TMP##*-})
       fi
       #echo /usr/local/bin/sshpass -p"$PASSWORD" /usr/bin/scp -3 $*
       /usr/bin/sshpass -p"$PASSWORD" /usr/bin/scp -3 $* || true
       #echo "SSHPass Exit Code $?"
    fi
}
    • 2