Re: SFTP Batch without key

From: Per Hedeland (per_at_hedeland.org)
Date: 08/06/04


Date: Thu, 5 Aug 2004 22:09:36 +0000 (UTC)

In article <4112669B.7020505@mattila.fi> Ville Mattila
<ville@mattila.fi> writes:
>Per Hedeland wrote:
>> I.e. in your case, you could simply have a script that gets the password
>> from wherever and prints it on stdout, specify that via SSH_ASKPASS, set
>> environment DISPLAY (to anything at all) to make the illusion complete,
>> and you're done. The security implications of a script/program that
>> prints a password on stdout when run should be obvious, but if you're
>> prepared to have the password in cleartext in a file there isn't much
>> actual loss in security by having something print it.
>
>Hi there!
>
>I tried this trick, thanks for a good tip. For some reason, I couldn't
>get it to work at all. Even when I set SSH_ASKPASS to point to a script
>that just echoes the password, and set DISPLAY to some foo, sftp still
>asks for the password.
>
>Would there be some extra settings that should be set?

No, but you can't test with a simple interactive invocation of sftp
(directly or via a script) - from the ssh man page:

       If ssh needs a passphrase, it will read the passphrase from the
       current terminal if it was run from a terminal. If ssh does not
                                                        ^^^^^^^^^^^^^^^
       have a terminal associated with it but DISPLAY and SSH_ASKPASS
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       are set, it will execute the program specified by SSH_ASKPASS and
       open an X11 window to read the passphrase.

(Actually the description isn't quite correct - it is "the program
specified by SSH_ASKPASS" that opens the X11 window (if any), not ssh.)

The original question was about a cronjob, which fulfills the
requirement of not having a terminal. If you have 'setsid' as a command
on your OS, you can try interactively with something like

$ setsid sftp -b batchfile remotehost

- worked for me on RedHat 7.3 with SSH_ASKPASS set to a script that
simply echoed the password.

--Per Hedeland
per@hedeland.org
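The mechanism Per describes, put into a script as an added example (this is not code from the thread or from OpenSSH): a helper that ssh executes in place of a prompt, and a wrapper that runs `sftp -b` under `setsid` with `DISPLAY` and `SSH_ASKPASS` set. It assumes the password is stored in a file that only its owner can read, that `setsid` exists on the host, and that the helper path, batch file and host name are placeholders supplied by the caller. Per's point about the cleartext file is what the permission check is for: the helper refuses to print the secret if the file has been left readable by group or others.

```shell
#!/bin/sh
# Added example, not code from the thread: non-interactive sftp batch run
# via SSH_ASKPASS + DISPLAY + setsid. Assumptions: password file is mode
# 0600, 'setsid' is available, batch file and host are caller placeholders.

# Return 0 only if the secret file is mode 0600 (owner read/write only).
# GNU stat takes -c %a; BSD/macOS stat takes -f %Lp; try both.
secret_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Write an askpass helper to $1 that prints the password stored in $2.
# ssh runs this program instead of prompting when it has no controlling
# terminal and DISPLAY is set. The helper re-checks the file mode at run
# time so a later chmod on the password file stops it from leaking.
make_askpass_helper() {
    helper=$1
    secret=$2
    rm -f "$helper"
    (umask 077; : > "$helper")          # create the file owner-only first
    cat > "$helper" <<EOF
#!/bin/sh
mode=\$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret" 2>/dev/null) || exit 1
[ "\$mode" = "600" ] || exit 1
exec cat "$secret"
EOF
    chmod 700 "$helper"
}

# Run sftp in batch mode with no controlling terminal. setsid starts sftp
# in a new session without a tty, so ssh falls back to SSH_ASKPASS; DISPLAY
# only has to be non-empty, since the helper never opens an X11 window.
# Arguments: password file, helper path, batch file, remote host.
run_sftp_batch() {
    secret=$1
    helper=$2
    batch=$3
    host=$4
    secret_is_private "$secret" || {
        echo "refusing to run: $secret is not mode 0600" >&2
        return 1
    }
    SSH_ASKPASS="$helper" DISPLAY=":0" setsid sftp -b "$batch" "$host" < /dev/null
}

# Example invocation with placeholder paths (commented out so the script
# can be sourced without contacting any host):
#   make_askpass_helper "$HOME/.sftp_askpass" "$HOME/.sftp_password"
#   run_sftp_batch "$HOME/.sftp_password" "$HOME/.sftp_askpass" batchfile remotehost
```

Two notes for anyone reproducing Per's test on a current system: the helper must be executable, because ssh execs it directly; and OpenSSH 8.4 and later also honour `SSH_ASKPASS_REQUIRE=force`, which makes ssh use the askpass program even when a terminal is present, so on those versions the `setsid` step is optional rather than required.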
