sshpass: Login To SSH Server / Provide SSH Password Using A Shell Script

September 12, 2008 · 27 comments · LAST UPDATED January 12, 2010


How do I log in over ssh without using passwordless RSA / DSA public keys? How do I use ssh in a shell script? How do I log in non-interactively, performing password authentication with SSH and shell scripts?

You can use the sshpass command to provide the password for ssh-based login. From the man page:

sshpass is a utility designed for running ssh using the mode referred to as "keyboard-interactive" password authentication, but in non-interactive mode.

ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user.

The command to run is specified after sshpass' own options. Typically it will be "ssh" with arguments, but it can just as well be any other command. The password prompt used by ssh is, however, currently hardcoded into sshpass.

WARNING! These examples are considered the least secure, as a simple ps command can expose the password to all users on the same host. I highly recommend using ssh's public key authentication or keychain software to set up secure passwordless SSH access.

Install sshpass under Debian / Ubuntu Linux

Type the following command:
$ sudo apt-get install sshpass

How do I use sshpass?

Log in to the ssh server called server.example.com with the password t@uyM59bQ:
$ sshpass -p 't@uyM59bQ' ssh username@server.example.com
In a shell script you may need to disable host key checking:
$ sshpass -p 't@uyM59bQ' ssh -o StrictHostKeyChecking=no username@server.example.com

How do I backup /var/www/html using rsync?

Run rsync over SSH using password authentication, passing the password on the command line:
$ rsync --rsh="sshpass -p myPassword ssh -l username" server.example.com:/var/www/html/ /backup/
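
The commands above put the password on the command line with -p, which is the exposure the warning describes. This added example (not part of the original article) reads it from a private file with sshpass -f and leaves host key checking on; the function names and the password-file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. check_pwfile and
# ssh_with_pwfile are hypothetical helper names.

# check_pwfile FILE: succeed only if FILE is a non-empty regular file
# (not a symlink) that group and others cannot read.
check_pwfile() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2; return 1
    fi
    [ -s "$f" ] || { echo "empty password file: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f") || return 1
    case $mode in
        600|400) return 0 ;;
        *) echo "refusing $f: mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
}

# ssh_with_pwfile FILE [ssh arguments...]
# sshpass -f reads the password from the first line of FILE, so it never
# appears in the process list or in shell history.
ssh_with_pwfile() {
    pwfile=$1; shift
    check_pwfile "$pwfile" || return 1
    # StrictHostKeyChecking=yes connects only when the server's key is
    # already in known_hosts; the =no form accepts whatever key is offered.
    sshpass -f "$pwfile" ssh -o StrictHostKeyChecking=yes "$@"
}

# Usage (assumed path):
#   ssh_with_pwfile "$HOME/.backup_pw" username@server.example.com
```

For rsync, the same option fits into the --rsh string: sshpass -f FILE ssh -l username.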


{ 27 comments… read them below or add one }

1 Robert de Bock September 12, 2008 at 11:54 am

I don’t agree to this trick, better use an ssh-agent and ssh-add. Check out this howto: http://meinit.nl/ssh-agent-trick
Regards, Robert de Bock.


2 Dave September 12, 2008 at 3:00 pm

Wow… this is scary. I would never recommend this method to anyone! If you want to ssh using command line with no password prompt, just create your ssh key without a password.

Not only would ps reveal the password for your ssh key, but also it is stored in your history on the filesystem!


3 Frans January 13, 2012 at 6:18 pm

For history, just store the password in a var..

read pass
sshpass -p "$pass" ssh root@wherever

history | grep sshpass
1028 sshpass -p "$pass" ssh root@localhost

for ps, modern linux blanks out the password.

0 S root 28468 27445 0 80 0 - 1554 poll_s 13:16 pts/3 00:00:00 sshpass -p zzzzzzzz ssh root@localhost


4 Miker September 12, 2008 at 4:30 pm

I’ve always done it using ssh-copy-id or the good ol manual way.

$ mkdir -p ~/.ssh   # if it doesn't already exist
$ chmod 700 ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
$ cat ~/.ssh/id_rsa.pub | ssh 'mkdir .ssh; chmod 700 .ssh; cat>>.ssh/authorized_keys'


5 Miker September 12, 2008 at 9:19 pm

Web input filter changed the last line of my comment.

$ cat ~/.ssh/id_rsa.pub | ssh hostname 'mkdir .ssh; chmod 700 .ssh; cat>>.ssh/authorized_keys'


6 ram September 13, 2008 at 7:54 am

It is recommended for servers; it may be used in scripts, which do not come under system history, and you may give the password for that script.


7 Raj September 13, 2008 at 8:47 am

I use this tool and it is safe. Here is my scenario

I’ve a central backup server and I’m the only person who logs in. Server is connected to internet and no services are running except ssh on vpn interface. I need to login to over 20 boxes collocated or leased in 5 data centers. With this tool I don’t have to upload ssh keys to those boxes. So if any one of the production box got hacked, my backup server remain intact.


8 KwangErn October 9, 2008 at 9:41 pm

Personally, I find keychain to be the best alternative. At least I know I’m safe from any possible cracking!

http://www.gentoo.org/proj/en/keychain/


9 KwangErn October 9, 2008 at 9:43 pm

On an extra note, one can clear the keychain (keychain --clear) on every login using .bash_profile just in case. ;)


10 MPerera May 6, 2009 at 11:51 pm

This is exactly what I was looking for.
On all the servers I used ssh-copy-id. But recently one server was replaced by a 3rd party and they manage it, and I do not have any write access login (no home directory). I run a script to rsync just two directories, and for the last two weeks I had to do this manually since the cron job was failing.
My problem is fixed by this solution.


11 Arete Vestige July 1, 2009 at 3:41 pm

Sometimes it is not possible to add the keys or advisable to do so. sshpass is an excellent solution for large deployments of secure systems that prevents the innate issues of unauthenticated access.


12 harperS February 21, 2014 at 3:05 pm

Agreed. Not always the “preferred” solution but sometimes when SSH keys aren’t an option, this solution will get you going.


13 t0kneneng December 6, 2010 at 2:31 am

I was wondering how to implement this on different port not default port 22…


14 Tyler December 7, 2010 at 11:03 pm

Just put :[portnumber] after the location
Ex: $ sshpass -p 't@uyM59bQ' ssh username@server.example.com:2400


15 arepalli May 25, 2011 at 9:15 am

Nice post


16 dan October 28, 2011 at 4:27 pm

Is it really working on your distribution?

Only -p port is working on Opensuse.

ssh: Could not resolve hostname some.server.com:2222: Name or service not known


17 Rich August 8, 2011 at 3:41 pm

You can always write a bash script and secure the credentials in an include file:

# Include the Login credentials:
. /path/to/credentials

# rsync using vars defined in credentials, e.g.:
rsync -r -a -v -e "sshpass -p $SSH_PASSWORD ssh -l $SSH_LOGIN" --delete /path/to/local/dir $SSH_HOST:/path/to/remotedir/


18 dan October 28, 2011 at 4:20 pm

IT world is complex and there are situations where you simply can’t use rsa keys.

It’s stupid that ssh developers think just one way and are not letting users choose what they need to use.

I’m now adding second account to dd-wrt router and since rsa keys are global there for all users I have to use password in bash to create reverse ssh tunnel.
My second account has /bin/false shell.

And finally this sshpass is not working for me. Not sure why.


19 __B__ November 16, 2011 at 4:58 am

“It’s not recommended”, bla bla bla bla bla. Sometimes you need these solutions, even if they are risky.

Thanks for giving this option. I F*UCKING KNOW the best way is using ssh keys. But if you F*CKING CANT use them for some F*CKING REASON, this solution fits like a glove.

I tested with scp, and it works as well.


20 JD February 12, 2014 at 12:22 pm

Yes! I really wanted to scream this to all those “but it’s not secure!” people.

Sometimes you have good reasons not to worry about security but on the other hand you need automation and you just can’t use keys. SSH’s insistence on “securing” the ssh by preventing this drives me crazy.

*NIX used to be about giving people all the rope they need to hang themselves. Now you have all those ‘rm – are you sure? [yes/no]’. Just give me my damn rope please.


21 ashish badola November 16, 2011 at 1:30 pm

Sir my laptop is stolen


22 Pavan Linux December 19, 2011 at 5:25 am

Create Repos under: /etc/yum.repos.d as epel.repo with following contents:
vim /etc/yum.repos.d/epel.repo
File:

[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

Also create file /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL with following contents

vim /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
File:


and then run
yum -y install sshpass


23 Ed February 9, 2012 at 10:03 pm

Thanks for this solution. Where I work they don’t have home directories installed on remote hosts so I can’t set up public keys. I would like a solution like ssh-agent where I typed in my password once (so it’s held in memory), and the agent supplied it when I ssh somewhere.


24 Richard Thomas May 29, 2012 at 3:48 pm

Seems like an improvement might be to store the password in a file in the local home-dir. The password could be encrypted in a variety of ways and the file 600 protected. The password for the encryption could be passed on the command line or set in an environment variable.

This would protect from ps, potentially allow repeated access without having to specify the password each time and allow for a few other things like requiring local encryption password rotation independent of the remote password.

Still not as good as the proper ways of doing things but better than straight password-on-the-commandline and potentially some benefits over interactive or authorized_keys.


25 Richard Thomas May 29, 2012 at 3:51 pm

Note that sshpass does have -f (file) and -e (environment) options. These don’t do all that I mentioned but would be a good first step in guarding against ps revealing your password.


26 Den July 12, 2012 at 4:10 am

Thanks for this! It doesn’t work here. I get the message “debug1: Next authentication method: password” and after the process waits forever. Any suggestions?


27 Raj July 5, 2013 at 10:23 pm

Hi All

I am in progress of building a syslog and configuration management server. I would like to schedule an automatic backup of Cisco running configurations and that has to be stored as device name and each day a new folder has to be created as mm/dd/year.

By so, all backups that happened yesterday should be under 07/04/2013 directory and the one for today should be under 07/05/2013.

Need your assistance on this.

Thanks much…

