Shell Programming and Scripting

You can view the commandline arguments of running things via ps aux

The safest way to pass a password into something is a terminal, which is why traditional ssh insists upon it.

Some sort of stream would be better than a commandline arg. Can sshpass read a password from stdin?

Oh! I didn't know about that! So, if my script runs for say 1 minute, will the password be visible for that one minute in

Code:

ps aux

or for the entire session? (Sorry again, if this is a stupid question!)

I'll try to avoid sshpass from now, but I'm not sure if sshpass can read a password from stdin.

Try it and see?

It's possible that sshpass makes some effort to conceal the password once its passed. It could exec() again with different parameters and blank it. But even so, there'd be an unavoidable eyeblink when the password was exposed. Anyone could extract the password with obsessive logging.

These weaknesses are well-known, so sshpass has many safer options fortunately. sshpass can read a file, according to its manpage, so you could do this:

Code:

OLDMASK=$(umask)
umask 077 # Force rw------- permissions on /tmp/$$
exec 5>/tmp/$$ #Create temp file /tmp/$$ and write with FD 5
exec 6</tmp/$$ # Read from temp file /tmp/$$ with FD 6
rm /tmp/$$ # DELETE tempfile /tmp/$$ so nothing else can get it
umask $OLDMASK # Restore umask

cat <<EOF >&5 # Finish writing to /tmp/$$
$PASSWORD
EOF

exec 5>&- # Close FD 5

sshpass -d6 ...

exec 6<&- # Close FD 6

Which should protect the password much better. The temp file won't even be listed in /tmp/ while sshpass is running.

I'll try this first thing tomorrow! Thanks for your help and I learned a lot!