Ignore input_userauth_banner when running ssh-copy-id

I am well aware of the -q option of ssh to perform the quiet mode as the man page says
-q Quiet mode. Causes most warning and diagnostic messages to be suppressed.
Somehow can I achieve something like this with ssh-copy-id? I want to ignore the input_userauth_banner

No. ssh-copy-id requires LogLevel=INFO to get some information from the ssh process. But that does not need to be passed to the user. You should be able to run ssh-copy-id silently using
ssh-copy-id -o LogLevel=QUIET server

Related

Automating SFTP password authentication on macOS for use with -b batch processing?

I want a script to upload daily files using sftp. Unfortunately, the remote server doesn't support ssh keys (it's my customer's server and for some reason they can't or won't change it despite countless recommendations). So I need to somehow log in automatically using password authentication.
I found many different solutions (here on SO and elsewhere) but they all seem to use tools like sshpass, spawn, expect, send etc. Unfortunately my script is to be used on macOS and these tools aren't available there.
I fully realize it is NOT secure to use plaintext passwords in a script or on the command line. But using ssh keys is simply not an option at this stage.
So, is it possible to run sftp from the shell and specify the password either on the command line in plaintext, or specify some argument with a filename that contains the password?
Addition: after @MartinPrikryl's comment I got sshpass to work, by using brew install esolitos/ipa/sshpass.
However now I found out this doesn't work properly when I use the -b batch.txt parameter for sftp to process a bunch of commands. The batches I'm processing are typically a bunch of get and put commands.
So this works:
sshpass -f MyPassword.txt sftp rocketnuts@example.com
(I am logged in and getting the sftp prompt)
But this does not:
sshpass -f MyPassword.txt sftp -b list.txt rocketnuts@example.com
I'm getting this error:
rocketnuts@example.com: Permission denied (password).
So apparently the way sshpass sends the password to sftp somehow interferes with the batch input from the -b parameter.
Is there a way to make sshpass (or another form of scriptable authentication) work in combination with the -b option??
First, you can install sshpass even on MacOS:
How to install sshpass on Mac?
Though indeed, with -b switch, the sftp probably cannot accept a password, as the -b disables all interactive input (what sshpass simulates).
As an alternative to -b, you can use an input redirection:
sshpass -f MyPassword.txt sftp rocketnuts@example.com < list.txt

SSH Unknown TTY Error Message

When trying to run the command ssh user@ip 'command', I keep receiving this error: can't get tty settingscan't set orig mode. I have tried googling this and searching here but have not found anything referring to this message. I am trying to automate connecting to a Cisco wireless access point (2800 model) using Golang to run a command then exit, but this message pops up each time. I can log in normally using ssh user@ap_ip, but using the shorthand ssh user@ap_ip 'command' or trying the equivalent in Golang gives the error message above. Anyone know what's going on?
ssh without explicit command given will allocate a terminal while ssh with a command given will by default not. It looks like the command you execute needs a terminal. In this case use the -t option, i.e. ssh -t user@ip command. From the documentation:
-t Force pseudo-terminal allocation. This can be used to execute
arbitrary screen-based programs on a remote machine, which can be
very useful, e.g. when implementing menu services. Multiple -t
options force tty allocation, even if ssh has no local tty.

Why does my rpm installation hang while played remotely

I have an AIX 6.1 server where I want to uninstall a rpm.
This uninstallation can be done directly on the server :
[user@server]$ sudo /usr/bin/rpm -e --allmatches _MyRPM-1.0.0
This uninstallation is working.
I have a script launching this uninstallation :
Uninstall.sh
#!/usr/bin/bash
set -x
sudo /usr/bin/rpm -e --allmatches _MyRPM-1.0.0
I can play this script on the server without any problem :
[user@server]$ cd /where/is/the/script;./Uninstall.sh
+ sudo /usr/bin/rpm -e --allmatches _MyRPM-1.0.0
_MyRPM-1.0.0 has been uninstalled successfully
But when I'm playing this script remotely the rpm hangs :
[user@client]$ ssh user@server "cd /where/is/the/script;./Uninstall.sh"
+ sudo /usr/bin/rpm -e --allmatches _MyRPM-1.0.0
And this command hangs, I need to kill it in order to end the ssh.
PS : I have exactly the same comportment for installation or uninstallation.
EDIT :
The problem seems to be coming from the sudo. The hang problem appears also when I'm doing anything with a sudo.
For example with a new script :
test.sh
#!/usr/bin/bash
set -x
sudo env
Sudo normally requires a user authenticate as themselves, and if I recall it can act different via remote execution due to the way the terminal is handled.
I don't have a system to test this on at the moment, but you could try ssh's -t or -T switches:
-T Disable pseudo-tty allocation.
-t Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services.
Multiple -t options force tty allocation, even if ssh has no local tty.
I suspect you could get this to work by adding the script you're remotely executing into /etc/sudoers:
{user} ALL=NOPASSWD:/where/is/the/script/Uninstall.sh
Then try:
"ssh -t user@server /where/is/the/script/Uninstall.sh"
EDIT:
Found some details to help explain why sudo is behaving differently when executed remotely:
http://www.sudo.ws/sudoers.man.html
The sudoers security policy requires that
most users authenticate themselves before they can use sudo. A
password is not required if the invoking user is root, if the target
user is the same as the invoking user, or if the policy has disabled
authentication for the user or command.
Perhaps it's hanging because it's trying to authenticate, whereas locally it wouldn't need to do so.
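An added example, not part of the answers above: a NOPASSWD entry for a script, like the sudoers line suggested here, is only as safe as the permissions on that script and on every directory above it. The check below walks the path and reports the first component a non-root user could change; the function names and the optional UID argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit a path before it gets a
# NOPASSWD sudoers entry. Any non-root user who can modify the script, or
# rename a directory above it, can run their own code as root through sudo.

# component_safe PATH [UID]
#   0 if PATH exists, is not a symlink, is owned by UID (default 0 = root)
#   and is not group- or world-writable; 1 otherwise, with a reason printed.
component_safe() {
    p=$1; want_uid=${2:-0}
    if [ -L "$p" ]; then echo "symlink: $p"; return 1; fi
    if [ ! -e "$p" ]; then echo "missing: $p"; return 1; fi
    # ls -ldn prints the mode string (field 1) and numeric owner (field 3).
    info=$(ls -ldn -- "$p" | awk '{print $1, $3; exit}')
    mode=${info% *}; uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid $uid, expected $want_uid: $p"; return 1
    fi
    case $mode in
        ?????w*)    echo "group-writable: $p"; return 1 ;;
        ????????w*) echo "world-writable: $p"; return 1 ;;
    esac
    return 0
}

# sudo_target_safe ABSOLUTE_PATH [UID]
#   Checks the file and every parent directory up to /.
sudo_target_safe() {
    cur=$1; owner=${2:-0}
    case $cur in
        /*) ;;
        *) echo "not an absolute path: $cur"; return 1 ;;
    esac
    while :; do
        component_safe "$cur" "$owner" || return 1
        if [ "$cur" = "/" ]; then return 0; fi
        cur=$(dirname "$cur")
    done
}

# Stand-alone use: sh check.sh /where/is/the/script/Uninstall.sh
if [ $# -gt 0 ]; then sudo_target_safe "$1"; fi
```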

Is it possible to automate ssh login WITH passwd (not passphraseless ssh)

Regardless of security issues, I want to automate ssh login by putting password into a script file (in form of plaintext). For example, I tried following, but without success...
echo "mypassword" | ssh -X root@remote_node_address
it still prompts for password input...
Edit: I am aware of setting up passphraseless ssh (and actually have done this). What my question really is is how to automate process of setting up passphraseless ssh...
Automate with Expect
You can use Expect to drive password authentication with SSH. For example:
#!/usr/bin/expect -f
set timeout -1
spawn ssh -o PubkeyAuthentication=no host.example.com
expect -exact "Password: "
send -- "secret\r"
expect {\$\s*} { interact }
This script is a very basic example, and not especially robust in the face of failure or when running under a non-standard remote TERM like GNU screen, but it works for the common case. You can also use /usr/bin/autoexpect from the expect-dev package to generate your own custom scripts based on a manual session.
you will need to use public key authentication, see
http://www.ece.uci.edu/~chou/ssh-key.html
in order to add new keys for existing hosts, you will need to automate updating of public keys in ~/.ssh/authorized_keys on remote machine
it is easy to do with
ssh-keygen -t rsa -b 1024 -f ~/.ssh/new-key -P ""
cat ~/.ssh/new-key.pub | ssh root@target-host 'cat >> ~/.ssh/authorized_keys'
then you can use new key to access host with
ssh -i ~/.ssh/new-key root@remote-host
I ran into empty recently. I am surprised that it seems not to be well known since it is rarely talked about when problems like "how to automate ssh" arise.
I use it on openwrt, it has a package about 7KB in size without dependency, while tcl package is around 440KB. And you can use it in shell directly.
"empty is an utility that provides an interface to execute and/or interact with processes under pseudo-terminal sessions (PTYs). This tool is definitely useful in programming of shell scripts designed to communicate with interactive programs like telnet, ssh, ftp, etc. In some cases empty can be the simplest replacement for TCL/expect or other similar programming tools "
For example:
#!/bin/sh
empty -f -i in -o out telnet foo.bar.com
empty -w -i out -o in "ogin:" "luser\n"
empty -w -i out -o in "assword:" "TopSecret\n"
empty -s -o in "who am i\n"
empty -s -o in "exit\n"
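An added example, not from any of the answers above: the plain `cat >> ~/.ssh/authorized_keys` approach appends a duplicate on every run and leaves directory and file modes to chance. The function below is meant to run on the target host and installs a key idempotently with the modes sshd expects under StrictModes; the function name, its return codes and the directory argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent authorized_keys update.
# install_pubkey PUBKEY_FILE SSH_DIR
#   0 = key added, 3 = key already present, 1 = input rejected or I/O error.
# The body runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    pub=$1; dir=$2; auth=$dir/authorized_keys
    # A public key file is a single line; a private key is not.
    if [ "$(wc -l < "$pub")" -gt 1 ]; then
        echo "rejected: more than one line in $pub" >&2; exit 1
    fi
    key=$(head -n 1 "$pub")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "rejected: not an OpenSSH public key line" >&2; exit 1 ;;
    esac
    # sshd with StrictModes ignores keys in group- or world-writable places.
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1
    # -x whole line, -F fixed string: append only if not already listed.
    if grep -qxF -- "$key" "$auth"; then exit 3; fi
    printf '%s\n' "$key" >> "$auth"
)

# Stand-alone use: sh install_pubkey.sh new-key.pub "$HOME/.ssh"
if [ $# -eq 2 ]; then install_pubkey "$1" "$2"; fi
```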

How to automate password entry?

I want to install a software library (SWIG) on a list of computers (Jenkins nodes). I'm using the following script to automate this somewhat:
NODES="10.8.255.70 10.8.255.85 10.8.255.88 10.8.255.86 10.8.255.65 10.8.255.64 10.8.255.97 10.8.255.69"
for node in $NODES; do
scp InstallSWIG.sh root@$node:/root/InstallSWIG.sh
ssh root@$node sh InstallSWIG.sh
done
This way it's automated, except for the password request that occur for both the scp and ssh commands.
Is there a way to enter the passwords programmatically?
Security is not an issue. I’m looking for solutions that don’t involve SSH keys.
Here’s an expect example that sshs in to Stripe’s Capture The Flag server and enters the password automatically.
expect <<< 'spawn ssh level01@ctf.stri.pe; expect "password:"; send "e9gx26YEb2\r";'
With SSH the right way to do it is to use keys instead.
# ssh-keygen
and then copy the *~/.ssh/id_rsa.pub* file to the remote machine (root@$node) into the remote user's .ssh/authorized_keys file.
You can perform the task using empty, a small utility from sourceforge. It's similar to expect but probably more convenient in this case. Once you have installed it, your first scp will be accomplished by following two commands:
./empty -f scp InstallSWIG.sh root@$node:/root/InstallSWIG.sh
echo YOUR_SECRET_PASSWORD | ./empty -s -c
The first one starts your command in the background, tricking it into thinking it's running in interactive mode on a terminal. The other one sends it data from stdin. Of course, putting your password anywhere on command line is risky due to shell history being preserved, users being able to see it in ps results etc. Not secure either, but a bit better thing would be to store the password in a file and redirect the second command's input from that file instead of using echo and a pipe.
After copying to the server, you can run the script in a similar manner:
./empty -f ssh root@$node sh InstallSWIG.sh
echo YOUR_SECRET_PASSWORD | ./empty -s -c
You could look into setting up passwordless ssh keys for that. Establishing Batch Mode Connections between OpenSSH and SSH2 is a starting point, you'll find lots of information on this topic on the web.
Wes' answer is the correct one but if you're keen on something dirty and slow, you can use expect to automate this.
