Re: SFTP Batch without key
From: Per Hedeland (per_at_hedeland.org)
Date: Thu, 5 Aug 2004 22:09:36 +0000 (UTC)
In article <4112669B.firstname.lastname@example.org> Ville Mattila
>Per Hedeland wrote:
>> I.e. in your case, you could simply have a script that gets the password
>> from wherever and prints it on stdout, specify that via SSH_ASKPASS, set
>> environment DISPLAY (to anything at all) to make the illusion complete,
>> and you're done. The security implications of a script/program that
>> prints a password on stdout when run should be obvious, but if you're
>> prepared to have the password in cleartext in a file there isn't much
>> actual loss in security by having something print it.
>I tried this trick, thanks for a good tip. For some reason, I couldn't
>get it to work at all. Even if I set SSH_ASKPASS to point to a script that
>just echoes the password, and set DISPLAY to be some foo, the sftp still
>asks for the password.
>Would there be some extra settings that should be set?
No, but you can't test with a simple interactive invocation of sftp
(directly or via a script) - from the ssh man page:

     If ssh needs a passphrase, it will read the passphrase from the
     current terminal if it was run from a terminal. If ssh does not
     have a terminal associated with it but DISPLAY and SSH_ASKPASS
     are set, it will execute the program specified by SSH_ASKPASS and
     open an X11 window to read the passphrase.

(Actually the description isn't quite correct - it is "the program
specified by SSH_ASKPASS" that opens the X11 window (if any), not ssh.)

The original question was about a cronjob, which fulfills the
requirement of not having a terminal. If you have 'setsid' as a command
on your OS, you can try interactively with something like

$ setsid sftp -b batchfile remotehost

- worked for me on RedHat 7.3 with SSH_ASKPASS set to a script that
simply echoed the password.
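
An askpass helper of the kind described above, as an added example that is not part of the original post: it prints the stored password only when the password file is closed to group and other. The function name write_askpass and all file paths are assumptions, and paths are assumed to contain no spaces or quote characters.

```shell
#!/bin/sh
# Added example, not from the original post. Names and paths are assumptions.

# write_askpass HELPER PWFILE
# Creates HELPER, a small program suitable for SSH_ASKPASS. When ssh has no
# terminal and DISPLAY and SSH_ASKPASS are set, it runs the helper and reads
# the password from the helper's stdout. The helper refuses to print anything
# if PWFILE grants any permission bit to group or other.
write_askpass() {
    helper=$1
    pwfile=$2
    cat > "$helper" <<EOF
#!/bin/sh
# Characters 5-10 of the mode string are the group and other permission bits.
perms=\$(ls -ldn -- "$pwfile" | cut -c5-10)
if [ "\$perms" != "------" ]; then
    echo "askpass: $pwfile is accessible to group/other, refusing" >&2
    exit 1
fi
cat -- "$pwfile"
EOF
    # The helper hands out the password to whoever can run it, so only the
    # owner may read or execute it.
    chmod 700 "$helper"
}

# Use with the invocation from the post (constructed paths):
#   write_askpass "$HOME/.sftp-askpass" "$HOME/.sftp-pw"
#   DISPLAY=dummy SSH_ASKPASS="$HOME/.sftp-askpass" setsid sftp -b batchfile remotehost
```

The password file is expected to hold the password on a single line and to have mode 600 or stricter; a symbolic link in its place is also refused.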