Programming

I'm trying to write a foreground (password prompt) ssh command, passing in a here doc - any idea where I'm going wrong?

Code:

ssh <user>@<targetserver> /usr/seos/bin/sesu - <targuser> -c /usr/bin/ksh "param1" << EOF
date
echo ${1}
EOF

Tells me "Invalid option param1". However a simple date call with no params work (always prompts for password btw)

Code:

ssh <user>@<targetserver> /usr/seos/bin/sesu - <targuser> -c "/usr/bin/ksh" << EOF
date
EOF

Looking for the correct method to do this in the foreground with password login (I previously posted about the method in the background with passwordless ssh setup) at: Background SSH using here document

ssh, and most other sane login systems, are designed to never, ever read a password from a script. This is a security feature, since retrievably-stored passwords are almost impossible to keep safe. "interactive password authentication" means "password typed by a human being in realtime authentication" and nothing else is supposed to do. You'd need to install third-party brute forcing utilities like expect to even try, and that'd be much harder than the proper way, i.e. using some noninteractive form of authentication.

The proper way to do automatic ssh logins is with keys.

ssh is able to prompt for a password even when stdin is redirected because it can simply open /dev/tty direct, whenever a terminal is available; and if one isn't available, it has no business accepting a password...

But that's my point - this is in the foreground - it is interactive. I want it to prompt the user for a password and for them to enter it. This is a backup method in case SSH DSA keys are corrupted or not in place for some reason.

You're just having problem to pass parameters to shell. If you give -s then the shell expects script from stdin, and will take your arguments:

Code:

[mute@geek ~]$ ssh mute@localhost "/bin/sh -s -- 'Hello World' 'this is mute'" <<'EOF'
printf 'Arg: %s\n' "$@"
EOF

mute@localhost's password:
Arg: Hello World
Arg: this is mute

Ahh, I see. Pardon me.

A here-document won't stop it from being able to read a password from the user. ssh just opens /dev/tty to do that.

I'm running a Korn shell (ksh) and I think the "-s" switch gave me issues.... are those two dashes required? i.e. the "--" after "-s"? Thanks!

---------- Post updated at 18:18 ---------- Previous update was at 18:17 ----------

Nay bother. the interactive password check is working AOK. It's just the process of passing through params into a new shell with commands within the here document that I'm struggling a little with.

I'll explain what the various parts do better. -s tells it to read from standard input even when arguments are given, so it assumes arguments are arguments ($1 $2 $3) instead of files.

Try this in your shell:

Code:

$ sh -s -- arg1 arg2 arg3
# you are now in a new shell
$ echo $1
arg1
$ echo $2
arg2
$ echo $3
arg3
$ exit
$

So the arg1, arg2, arg3 force the $1, $2, $3 variables into what you want.

So when you do the same thing over ssh:

Code:

ssh username@host exec /bin/sh -s -- arg1 arg2 arg3 <<'EOF'
echo "$1"
echo "$2"
echo "$3"
EOF

...Since it's <<"EOF" and not <<EOF, the contents of the here-document are sent totally raw and uninterpreted. You get no substitution. The only things you get are the ones you pass in where arg1, arg2, arg3 are. These substitute as usual, before the command is run.