Scripts using SSH and SSH_ASKPASS

From: Jose R. Valverde (jr_at_cnb.uam.es)
Date: 02/10/05

    Date: Thu, 10 Feb 2005 13:05:11 +0000 (UTC)

    I have seen this problem asked many times and had to deal with it myself, but
    found no generic examples or clear explanations. I expect this post will help clear
    up doubts and provide sample code for the future.

    >I just wanted to use ssh with lincvs on my FC3 box but it seems that I cannot
    >get my ssh which comes with FC3 to work properly (OpenSSH_3.9p1, OpenSSL 0.9.7a
    >Feb 19 2003). I checked in the shellscript that I use to start up ssh that (1)
    >SSH_ASKPASS and DISPLAY are in the environment and make sense (i.e., the
    >askpass program is found and can be executed), (2) no tty is set (output of
    >"tty"). Yet ssh tries to read the password from the commandline and does not
    >start the program specified by SSH_ASKPASS as it should (those are the
    >requirements given in the manpage). Also ssh < /dev/null as indicated in the
    >manpage does not make a difference.
    >
    >I checked the manpages and my configuration multiple times, tried Google ...
    >but it seems that this specific problem has not occurred to anyone yet ...
    >
    >I am a bit out of good advice now and any help would be highly appreciated.
    >

    I've been looking at the same issue for a long while, and finally found the time
    to put my hands on it. Included you will find a script that a) does the job and
    b) explains how to test it.

    What you are seeing is that ssh detects that you have a TTY and writes to it
    directly. Redirecting stdin from /dev/null won't mislead it and will only
    prevent you from entering the password.

    To test SSH scripts you had better destroy the controlling TTY. The easiest way is to
    use SSH itself: ssh -T (capital T) will run a command on the specified host
    with NO TTY no matter what. The trick is to run YOUR script on YOUR local
    host:
            ssh -T localhost my-test-script

    then it will be run with no TTY.

    Now for SSH_ASKPASS. You don't need DISPLAY to make sense at all if you are
    not going to use it (i.e. the askpass script/command does not use X). You can
    then set it to anything.

    As for the password relaying command: this need not be an X command. Anything
    will do as long as it spits out one line containing the password.

    And finally for a generic solution that allows running SSH with the password
    on the command line (NEVER USE THIS: the password will be in the clear for
    any 'ps' command by any user):

    ----------------------------- 8< cut here 8< -------------------------
    #!/bin/sh
    #
    # To test, run as
    # ssh -T localhost SSH.sh user@host password
    # this will run this script under NO TTY using ssh to invoke it.
    #

    # set environment, we only need DISPLAY to be valid for X apps.
    export DISPLAY=none:0.0
    export SSH_ASKPASS=./catp
    pipename=/tmp/ssh$$.$$

    # create auxiliary command:
    # we read one line from a temporary pipe.
    cat > ./catp << END
    #!/bin/sh
    # cat $pipename # also works
    head -n 1 $pipename
    END
    chmod 700 ./catp

    # let's go!
    # create the pipe
    mknod $pipename p
    # write the password on the pipe
    # NOTE: serious vulnerability: if this echo command
    # is not a shell built-in (e.g. /bin/echo) it might show
    # up on a well-timed 'ps' including the password. The time
    # window is -nevertheless- small. Just look out or test it
    # step by step.
    echo "$2" > $pipename & # for password on the command line

    ssh -x -t -t "$1"

    # clean up both the pipe and the helper command
    rm $pipename ./catp

    ---------------------------- 8< cut here 8< ------------------------

    And off you go. You may read the password from standard input instead
    (with no TTY) by using "read password" and then "echo $password" not
    "echo $2"...

    Many enhancements are possible, especially regarding the pipe creation
    (use umask, ensure higher randomness, make it in a read-only dir...),
    writing to it (e.g. do it with a separate command), reading from it
    (to prevent someone opening it before we do), etc. E.g. the 'catp'
    script might receive as parameter a filename, or generate the pipe
    itself, communicate its name to the writer and hang reading on it...

    I know, this has several drawbacks, but it works, and illustrates well
    the basic approach as well as its capabilities.

                                    j

    --
    Jose R. Valverde
    EMBnet/CNB
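Added example (not from the post above or its author): a hardened variant of the same SSH_ASKPASS trick that applies the enhancements the post lists. The password is read from stdin instead of argv (so it never appears in 'ps'), the FIFO and helper live in a private mktemp -d directory created with mode 600/700, and setsid (assumed present, as on Linux util-linux) drops the controlling TTY so the 'ssh -T localhost' indirection is unnecessary. The function and directory names are my own; askpass_roundtrip only exists to exercise the helper offline, without ssh.

```sh
#!/bin/sh
# Hardened SSH_ASKPASS helper setup (added example, not the original script).

# Create a private work dir holding a FIFO and an askpass helper that hands
# ssh the single line waiting in the FIFO. Prints the work dir path.
make_askpass_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/askpass.XXXXXX") || return 1
    mkfifo -m 600 "$dir/pipe" || return 1          # private pipe, no mknod
    cat > "$dir/catp" <<EOF
#!/bin/sh
# SSH_ASKPASS helper: read exactly one line from the FIFO and print it.
IFS= read -r line < "$dir/pipe"
printf '%s\n' "\$line"
EOF
    chmod 700 "$dir/catp"
    printf '%s\n' "$dir"
}

# Push one secret through the FIFO and run the helper exactly as ssh would.
# Offline self-test only; the secret here is a constructed sample value.
askpass_roundtrip() {
    dir=$1; secret=$2
    # The writer blocks until the helper opens the pipe for reading, so it
    # runs in the background. printf is a shell built-in: nothing in argv.
    printf '%s\n' "$secret" > "$dir/pipe" &
    "$dir/catp"
    wait
}

# Real use: password arrives on stdin (no TTY), ssh runs detached from any
# controlling terminal via setsid and therefore falls back to SSH_ASKPASS.
# Usage: printf '%s\n' "$pw" | ssh_with_askpass user@host
ssh_with_askpass() {
    dir=$(make_askpass_dir) || return 1
    IFS= read -r password
    printf '%s\n' "$password" > "$dir/pipe" &
    DISPLAY=none:0.0 SSH_ASKPASS="$dir/catp" setsid ssh -x "$1"
    rc=$?
    wait
    rm -rf "$dir"                                   # removes pipe and helper
    return $rc
}
```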
    

