sshpass command with Examples

Last updated: March 13, 2024 | Linuxopsys

The sshpass command is a non-interactive SSH password authentication command-line tool that helps system administrators automate SSH logins, for example in a script, without having to enter a password manually each time. This can save time and streamline processes, especially when managing multiple servers or devices.

The sshpass command is generally discouraged because it is not regarded as a secure authentication method: the password is passed in cleartext on the command line and saved in the user's shell history file, where other users with access to the system can potentially view it.

sshpass command

The sshpass utility was created to execute SSH using keyboard-interactive password authentication in a non-interactive manner. SSH requires direct TTY access to guarantee that the password is being entered by an interactive keyboard user. However, sshpass runs SSH in a dedicated TTY and supplies the password at the ssh prompt, fooling SSH into believing that an interactive user is entering the password.

The password prompt used by Secure Shell (SSH) is, however, hardcoded into the sshpass utility.

The sshpass utility has several features that make it useful for automated SSH logins. These include:

  • Ability to provide the password on the command line or in a file
  • Supports password authentication for SSH connections
  • Ability to use environment variables to pass the password
  • Compatible with multiple operating systems, including Ubuntu, Debian, Fedora, and Arch Linux
  • Can be used with a variety of other command line tools, such as GPG, SCP, and Rsync.

The sshpass command uses the -p option to take the password as an argument and then provides it to the ssh command for authentication. The password can also be read from a file using the -f option followed by the file name.

Syntax

The basic syntax of the sshpass command is as follows:

sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments

where:

  • -f filename - Reads the first line of a file for the password.
  • -d num - Specifies an open file descriptor to read the password from. The number is a file descriptor inherited by sshpass from the process that runs it, and the password is read from that descriptor.
  • -p password - Specifies the password as a clear text argument.
  • -e - Specifies that the password should be taken from the SSHPASS environment variable.
  • command - Specifies the command to be executed, for example SCP.
  • arguments - Any arguments to be passed to the command.

Installing sshpass

The sshpass command can be installed on various operating systems, including Ubuntu/Debian, Fedora, CentOS, and Arch Linux. Depending on the type of distribution you are using, use the following commands to install sshpass.

Ubuntu/Debian

apt install sshpass

Fedora

dnf install sshpass

Arch Linux

pacman -S sshpass

CentOS Stream / Red Hat

yum install sshpass

sshpass command Examples

This section provides several examples of how to use sshpass in conjunction with various utilities such as rsync, SCP, and GPG to gain a better understanding of its capabilities and practical applications.

1. Automating ssh login with a password

The sshpass tool can be used to automate the login process for SSH by specifying the password on the command line using the -p option, or by using the -e option to take the password from the SSHPASS environment variable.

The following is an example of using the -p option for ssh password automation:

sshpass -pmint ssh [email protected]              

The password can also be stored in a user-defined variable and passed to the sshpass command:

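# Read the password without echoing it; -r keeps backslashes literal
read -rs pass
# Quote the variable so a password containing spaces stays one argument
sshpass -p "$pass" ssh [email protected]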

In the preceding example, we used the read bash builtin command to read the password from user input and store it in the "pass" variable. The variable "$pass" was then passed as a password argument to the sshpass tool.

As previously stated, the -e option with sshpass allows you to pass the password as an environment variable rather than as a command line argument. This is useful if you want to avoid exposing the password in the process list.

To use the -e option, you will first need to set the environment variable SSHPASS to the password value. Then, when you run sshpass, you use the -e option to indicate that the password should be read from the environment variable.

Here is an example of how to use the -e option with sshpass:

export SSHPASS="mint"
sshpass -e ssh [email protected]

In this example, the export command is a built-in bash shell command used to create environment variables.
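
The -f and -d options from the Syntax section keep the password off the command line entirely. The following is an added example, not part of the original article; the helper names (write_passfile, passfile_is_private, ssh_with_passfile, ssh_with_fd) are hypothetical, the password is constructed, and stat -c assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example: keep the sshpass password out of argv with -f and -d.
# Assumes GNU stat (stat -c), as shipped on the Linux distributions above.

# Read one line from stdin and store it in FILE with mode 0600.
write_passfile() {
    local f=$1 pw
    IFS= read -rs pw
    ( umask 077; rm -f -- "$f"; printf '%s\n' "$pw" >"$f" )
}

# Succeed only if FILE is a regular file (not a symlink), owned by the
# current user, with no permission bits set for group or others.
passfile_is_private() {
    local f=$1 owner mode
    [[ -f $f && ! -L $f ]] || return 1
    owner=$(stat -c %u -- "$f") || return 1
    mode=$(stat -c %a -- "$f") || return 1
    [[ $owner == "$(id -u)" ]] || return 1
    (( (8#$mode & 8#077) == 0 ))
}

# usage: ssh_with_passfile FILE ssh-args...
ssh_with_passfile() {
    local f=$1; shift
    if ! passfile_is_private "$f"; then
        echo "refusing to use $f: not a private regular file" >&2
        return 1
    fi
    sshpass -f "$f" ssh "$@"
}

# usage: ssh_with_fd PASSWORD ssh-args...
# -d variant: the password reaches sshpass on file descriptor 3.
ssh_with_fd() {
    local pw=$1; shift
    sshpass -d 3 ssh "$@" 3<<<"$pw"
}

# Demo with a constructed password; no SSH connection is made.
demo_dir=$(mktemp -d)
printf 'constructed-pw\n' | write_passfile "$demo_dir/pw"
passfile_is_private "$demo_dir/pw" && echo "0600 file accepted"
chmod 644 "$demo_dir/pw"
passfile_is_private "$demo_dir/pw" || echo "0644 file rejected"
rm -rf "$demo_dir"
```

The wrapper refuses to run sshpass when the password file is readable by group or others, or when the path is a symlink.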

2. Using SCP

sshpass can be used in conjunction with the scp command (short for secure copy) to transfer files between servers. For example, to transfer a file from a local machine to a remote machine, you can use the following command:

sshpass -pmint scp update.sh [email protected]:~/

Note: The SCP protocol has been in use for decades and has many known security risks. Deprecation of the SCP protocol is already in progress in OpenSSH and in many Linux distributions. Use the well-defined SFTP protocol instead.

3. Using rsync

The sshpass tool can also be used in conjunction with the rsync command to synchronize files between servers. For example, to synchronize a directory from a local host to a remote host, you can use the following command:

sshpass -pmint rsync -avz backups/ [email protected]:~/

4. Using GPG

Another valuable application of sshpass is to automate the decryption process when working with GPG encryption. GPG, also known as the GNU Privacy Guard, is a widely-used tool for securing and signing data. Consider the following example, which uses gpg to encrypt a file containing an ssh password and then passes the decrypted password to sshpass to authenticate with an SSH server:

First, create a file containing the ssh password:

echo 'mint' > .sshpass

Next, use the -c option together with gpg to encrypt the file:

sudo gpg -c .sshpass

For security reasons, remove the unencrypted file.

Finally, decrypt the gpg encrypted file and pass the password to sshpass:

pass=$(sudo gpg -d -q .sshpass.gpg) && sshpass -p "$pass" ssh [email protected]

5. Use sshpass in a bash shell script

sshpass can be used in a bash shell script to automate remote server administration tasks, such as performing backups, system updates and upgrades, and more. For example, you can use the following bash script to log in to multiple servers and update and upgrade all of them:

#!/usr/bin/bash

# This script automates server updates using sshpass.
# It prompts the user to enter the number of servers to manage, and then it prompts the user for the hostname/IP, username, and password of each server.
# The gathered information is stored in an associative array, where the server hostname/IP is the key and the value is a combination of the username and password.
# The script then loops through each server, extracts the username and password from the associative array, and uses sshpass to execute the system update and upgrade command on the remote server.

read -r -p "Enter the number of servers to manage: " server_count

# Declare an associative array to store the server information
declare -A server_info

# Loop through each server and gather the hostname/ip, username, and password
for (( i = 1; i <= server_count; i++ ))
do
	read -r -p "Enter server hostname/ip: " server_ip
	read -r -p "Enter server username: " server_user
	# Read the password without echoing it to the terminal
	read -r -s -p "Enter server password: " server_pass

	# Store the server information in the associative array
	server_info["$server_ip"]="$server_user $server_pass"
	echo -e "\n"
done

# Loop through each server and execute the system update and upgrade command
for server_ip in "${!server_info[@]}"
do
	# Split the stored value at the first space: the username comes first and
	# everything after it is the password, which may itself contain spaces
	server_user=${server_info[$server_ip]%% *}
	server_pass=${server_info[$server_ip]#* }

	# Print a message indicating that the script is applying system updates and upgrades on the current server
	echo "Applying system update and upgrades on server: $server_ip"

	# Use sshpass to execute the system update and upgrade command on the remote server
	sshpass -p "$server_pass" ssh "$server_user@$server_ip" "sudo apt update -y && sudo apt upgrade -y"

	# Print a message indicating that the script has finished upgrading the current server
	echo "Done with the server upgrades"
done

# Exit with a status code of 0 to indicate success
exit 0

Conclusion

While sshpass can be very useful for automating tasks, it should be used with caution as it stores the password in plain text within the script. When possible, use public-key authentication rather than password-based authentication to ensure security.
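
One way to find the plain-text passwords described above is to audit scripts and shell history files for sshpass -p. The following is an added example, not part of the original article; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify how an sshpass call supplies the password.
#   LITERAL  password typed after -p (stored in the file, visible in argv)
#   ARGV     -p with a variable (not stored, still visible in argv at run time)
#   OK       -e, -f, -d or no password option
#   NONE     line does not run sshpass
classify_sshpass_line() {
    local -a tok; local i=0 n val='' found=0
    read -ra tok <<<"$1"; n=${#tok[@]}
    [[ ${tok[0]-} == '#'* ]] && { echo NONE; return 0; }   # commented out
    # Locate the sshpass word, bare or with a path in front of it.
    while (( i < n )) && [[ ${tok[i]##*/} != sshpass ]]; do i=$((i + 1)); done
    (( i < n )) || { echo NONE; return 0; }
    i=$((i + 1))
    # Inspect sshpass's own options only and stop at the wrapped command,
    # so the port in "ssh -p 2222" is never mistaken for a password.
    while (( i < n )); do
        case ${tok[i]} in
            -p)  val=${tok[i+1]-}; found=1; break ;;
            -p*) val=${tok[i]#-p}; found=1; break ;;
            -P)  i=$((i + 2)) ;;    # -P takes the prompt string as its argument
            -*)  i=$((i + 1)) ;;
            *)   break ;;
        esac
    done
    (( found )) || { echo OK; return 0; }
    case $val in
        '$'*|'"$'*|'`'*|'"`'*) echo ARGV ;;
        *)                      echo LITERAL ;;
    esac
}

# Print "LINENUMBER:CLASS" for every risky line of FILE.
audit_sshpass() {
    local lineno=0 line class
    while IFS= read -r line || [[ -n $line ]]; do
        lineno=$((lineno + 1))
        class=$(classify_sshpass_line "$line")
        [[ $class == LITERAL || $class == ARGV ]] && echo "$lineno:$class"
    done <"$1"
    return 0
}

# Constructed sample lines, as they might appear in a script or history file.
sample=$(mktemp)
printf '%s\n' 'sshpass -pmint ssh user@host' 'sshpass -e ssh -p 2222 user@host' \
    'sshpass -p "$pass" ssh user@host' >"$sample"
audit_sshpass "$sample"
rm -f "$sample"
```

Tokens are split on whitespace only, so a quoted password that contains spaces is still classified by its first word.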

I believe the examples I've provided are sufficient to give you a thorough understanding of this fantastic utility, but if you get stuck, you can always refer to the sshpass man page.
