[TriLUG] ssh command line

Ben Pitzer bpitzer at gmail.com
Tue Aug 26 02:39:28 EDT 2008


Folks,

I have no doubt that Roy is aware of the security risk inherent in doing
such a thing, but I want to put a warning out there for anyone who isn't
aware of it.  Either the script will need to have the password in it, or
else it will need to get it from somewhere, which means that the password
will need to be somewhere on the system in a config file, easily found for
anyone who can find an exploit granting them enough privileges to read it.
That is far easier than it might seem.  Even if the file is stored encrypted
or hashed, the script which requires it will need to have a key for it,
meaning that anyone who can trace the script can capture the key to access
the file.  Again, easier than it sounds.

It's also worth noting that whatever user executes this script, passing the
authentication via the CLI, should make sure that it's not logging to a
history file, .bash_history for example, or else that password will
potentially be stored there in cleartext, and also easily accessible.

Roy, you say that you can't use SSH public key auth... why not?  It seems
to me that the security risks of using public key auth are no worse than
what you're suggesting by throwing the password into the CLI.  There has to
be some way for you to mitigate the possible exposure of using public key
auth without having to try something exotic and more complicated to achieve
what you're looking for, I should think.  Of course, you probably know
something I don't, so I'm just curious about what makes public key auth a
non-option.

Regards,
Ben Pitzer




On Thu, Aug 21, 2008 at 3:59 PM, Roy Vestal <rvestal at trilug.org> wrote:

> We're working with a script that we need to pass via the cmd line from
> one server to another (automation). We want to use ssh without using
> shared keys. Is there a way to pass the password to the command line?
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
>
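Ben's reply argues that a dedicated key can be made safer than a password sitting in a script, because the key's exposure can be limited on the server side. The following is an added example (not code from the thread, nor from TriLUG) showing what that limiting looks like: it builds an `authorized_keys` entry that confines the automation key to one source address and one forced command with no pty or forwarding, and it audits an `authorized_keys` file for keys that carry no such restriction. The source address `192.0.2.10`, the command path `/usr/local/bin/receive-report` and the key strings are constructed placeholders. The `restrict` keyword exists in OpenSSH 7.2 and later; on older servers the same effect needs the individual `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` options spelled out.

```shell
#!/bin/sh
# Added example, not from the TriLUG thread. Contains an automation key
# so that a stolen key is worth far less than a stolen password would be.
# All key material, addresses and paths below are constructed placeholders.

# restricted_key_line SOURCE_IP FORCED_COMMAND PUBKEY
# Prints an authorized_keys line that lets PUBKEY run only FORCED_COMMAND
# (regardless of what the client asks for), only when connecting from
# SOURCE_IP, with no pty, port/agent/X11 forwarding (the "restrict" option).
restricted_key_line() {
    src_ip="$1"; forced_cmd="$2"; pubkey="$3"
    printf 'restrict,from="%s",command="%s" %s\n' "$src_ip" "$forced_cmd" "$pubkey"
}

# unrestricted_key_count FILE
# Counts key lines in FILE that have neither a forced command nor the
# restrict option. Such a key, if copied off the client host, would hand
# an attacker a full interactive shell on this server.
unrestricted_key_count() {
    awk '
        /^[[:space:]]*(#|$)/      { next }   # skip comments and blank lines
        /command="/               { next }   # forced command present
        /(^|,)restrict(,| )/      { next }   # restrict option present
        { n++ }
        END { print n + 0 }
    ' "$1"
}

# Demonstration on a constructed authorized_keys file.
demo_authorized_keys() {
    tmp=$(mktemp)
    {
        echo '# constructed sample authorized_keys'
        echo 'ssh-rsa AAAAB3NzaC1yc2E...constructed alice@laptop'
        restricted_key_line "192.0.2.10" "/usr/local/bin/receive-report" \
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...constructed automation@app01"
        echo 'no-pty,command="/bin/true" ssh-ed25519 AAAAC3Nz...constructed bob@desk'
    } > "$tmp"
    echo "Sample authorized_keys:"
    cat "$tmp"
    echo "Keys with no forced command and no restrict option: $(unrestricted_key_count "$tmp")"
    rm -f "$tmp"
}

# Only run the demo when the script is executed directly, so the functions
# can also be sourced from another script.
case "$0" in
    *restricted-keys.sh) demo_authorized_keys ;;
esac
```

The forced command is the piece that answers the "password in a config file" objection: the key is only usable for the single job the automation needs, so reading it off the client gives an attacker that job and nothing more, and the `from=` clause means it does not even give them that from any other host.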