[TriLUG] ssh command line

Roy Vestal rvestal at trilug.org
Sat Sep 6 21:33:30 EDT 2008


Sorry I didn't get back to this sooner.

So, the main reason we do not want to use keys is that we're using OpenSSH on 
Windows as the server, and we're using a web interface that will be 
calling a SOAP API to do some of the work. This work will need to send 
scripting info via ssh for the Windows command line. Unfortunately for 
us, we have a policy that doesn't allow these ssh auth keys to be 
shared, which I find funny.

Anywho, we are using a different tool via Windows AD (trying to not 
throw up) that does the same thing that we needed this script to do. :)

Ben Pitzer wrote:
> Folks,
>
> I have no doubt that Roy is aware of the security risk inherent in doing
> such a thing, but I want to put a warning out there for anyone who isn't
> aware of it.  Either the script will need to have the password in it, or
> else it will need to get it from somewhere, which means that the password
> will need to be somewhere on the system in a config file, easily found for
> anyone who can find an exploit granting them enough privileges to read it.
> That is far easier than it might seem.  Even if the file is stored encrypted
> or hashed, the script which requires it will need to have a key for it,
> meaning that anyone who can trace the script can capture the key to access
> the file.  Again, easier than it sounds.
>
> It's also worth noting that whatever user executes this script, passing the
> authentication via the CLI, should make sure that it's not logging to a
> history file, .bash_history for example, or else that password will
> potentially be stored there in cleartext, and also easily accessible.
>
> Roy, you say that you can't use SSH public key auth... why not?  It seems
> to me that the security risks of using public key auth are no worse than
> what you're suggesting by throwing the password into the CLI.  There has to
> be some way for you to mitigate the possible exposure of using public key
> auth without having to try something exotic and more complicated to achieve
> what you're looking for, I should think.  Of course, you probably know
> something I don't, so I'm just curious about what makes public key auth a
> non-option.
>
> Regards,
> Ben Pitzer
>
> On Thu, Aug 21, 2008 at 3:59 PM, Roy Vestal <rvestal at trilug.org> wrote:
>
>> We're working with a script that we need to pass via the cmd line from
>> one server to another (automation). We want to use ssh without using
>> shared keys. Is there a way to pass the password to the command line?
>> --
>> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
>>
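Ben's suggestion to mitigate the exposure of public key auth rather than pass a password on the command line can be made concrete with authorized_keys restrictions. The following is an added example, not code from anyone in the thread; the host, command path and key blob are constructed placeholders, and the options used (`from=`, `command=`, `no-pty` and the `no-*-forwarding` set) are the standard ones documented in sshd(8).

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for locking down an
# automation key: build a restricted authorized_keys entry, and audit an
# existing file for key lines that are not restricted.

# restricted_entry SOURCE_HOST COMMAND PUBKEY
# One authorized_keys line: the key may only run COMMAND, only from
# SOURCE_HOST, with no PTY and no forwarding. A leaked key is then far
# less useful than a reusable password sitting in a script would be.
restricted_entry() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# audit_authorized_keys FILE
# Reports each key line lacking a forced command or still allowing a PTY
# on stderr; prints the number of such lines on stdout (0 = all restricted).
audit_authorized_keys() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks, comments
        ok=1
        case "$line" in *'command="'*) ;; *) ok=0 ;; esac
        case "$line" in *'no-pty'*)    ;; *) ok=0 ;; esac
        if [ "$ok" -eq 0 ]; then
            printf 'UNRESTRICTED: %s\n' "$line" >&2
            count=$((count + 1))
        fi
    done < "$1"
    printf '%s\n' "$count"
}

# Demo on a constructed authorized_keys file in a temp directory. The key
# blob is a placeholder, not a real key. One copy of the key is written
# restricted, a second copy is left bare so the audit has something to flag.
demo() {
    key="ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_NOT_A_REAL_KEY automation@web01"
    dir=$(mktemp -d)
    {
        restricted_entry "192.0.2.10" "C:/automation/run_job.cmd" "$key"
        printf '%s\n' "$key"
    } > "$dir/authorized_keys"
    audit_authorized_keys "$dir/authorized_keys"   # prints 1
    rm -rf "$dir"
}
```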