can batch (-b) sftp be done using a password and not just a private key
Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I would not know why your client would prefer going back to passwords, but you're correct that sftp batch mode requires using keys. That is not the only way, though.
You could use lftp and create a script file. One way is to put the username/password on the command line, so it will be visible to anyone that can look at running processes. You could use an expect file, but the password would be embedded in the script.
You can still use sftp via expect, but your batch file would be written in the script file itself. If you are unfamiliar with Tcl programming, that could be a small learning curve.
Thanks for the tips. I don't know why this client is pushing passwords either. I think there are some new people there that don't really know about batch-mode anything and only think people pick up their files manually via a browser. The lftp command does appear to accept a PW on the command line: 'lftp -u user,pass ...'. I could "hide" the PW in a C program and do: 'lftp -u user,`mypw`', and make mypw only executable by the batch user. Not perfect.
I've given a long list of reasons to NOT abandon private keys to the client. They have kicked it up a level and will get back to me. I'll post results here, but thanks for answering my original question about sftp.
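To make the script-file approach from the first reply concrete, here is an added example (not code posted in this thread): the password and the transfer commands go into an lftp command file that only the batch user can read, and lftp is started with `-f`, so `ps` shows only the file name. One caveat on the backtick idea above: `lftp -u user,`mypw`` is expanded by the shell before lftp starts, so the password still ends up in lftp's argv. The host name, account, paths, pinned known_hosts file and password file below are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Non-interactive sftp transfer with a
# password via an lftp command file (lftp -f), which keeps the password out
# of the process list. Hypothetical values: host sftp.example.net, account
# batchuser, pinned host keys in /etc/ssh/batch_known_hosts, password in a
# 0600 file owned by the batch user.

# Refuse to use a credential or script file that group or others can read.
check_private_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    bits=$(ls -l "$f" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "too permissive ($bits): $f" >&2; return 1; }
}

# Write the lftp command file. Credentials live inside it, not in argv,
# so "ps" on the host shows only: lftp -f /path/to/job.lftp
# (lftp's "open -u user,pass" parser: keep commas and spaces out of the
# password, or quote it in the file.)
write_lftp_script() {
    script="$1" host="$2" user="$3" passfile="$4"
    check_private_file "$passfile" || return 1
    pass=$(cat "$passfile")
    # created 0600 via umask in a subshell so the caller's umask is untouched
    ( umask 077; cat >"$script" <<EOF
# lftp runs ssh for sftp; make that ssh fail on unknown or changed host
# keys instead of prompting, and use the pinned known_hosts file.
set sftp:connect-program "ssh -a -x -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ssh/batch_known_hosts"
set net:max-retries 2
set net:timeout 30
open -u $user,$pass sftp://$host
lcd /var/spool/batch/in
mget /inbound/*.csv
cd /outbound
mput /var/spool/batch/out/*.csv
bye
EOF
    ) && chmod 600 "$script"
}

# Run a job: re-check the script file's mode, then hand it to lftp.
run_transfer() {
    check_private_file "$1" || return 1
    lftp -f "$1"
}

# Usage (only when invoked as "./job.sh run", so sourcing the file is inert):
#   write_lftp_script /var/spool/batch/job.lftp sftp.example.net batchuser /var/spool/batch/.pw
#   run_transfer /var/spool/batch/job.lftp
if [ "${1-}" = "run" ]; then
    write_lftp_script /var/spool/batch/job.lftp sftp.example.net batchuser /var/spool/batch/.pw \
        && run_transfer /var/spool/batch/job.lftp
fi
```

The host-key pinning line is the part worth keeping even if the rest changes: a batch job that can be tricked into accepting a new host key will happily hand the password to whoever answers on port 22, which is the main reason keys are the safer default here.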
As per the manual page for sftp:
Quote:
Batch mode reads a series of commands from an input batchfile instead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication to obviate the need to enter a password at connection time (see sshd(8) and ssh-keygen(1) for details). [...]
So regressing to using a password would be incompatible with batch mode.
What is their alleged reason for wanting to regress? Keys are considered a well-established best practice for SSH / SFTP. If it is a matter of using authentication tokens, most can be set up to work with keys, at least the newer models can do that.
Quote:
Originally Posted by Turbocapitalist
As per the manual page for sftp:
So regressing to using a password would be incompatible with batch mode.
We cobbled together a batch mode FTP process many years ago as we had to work with third parties that either didn't know about sftp or were too lazy to set it up. It involved use of an Expect wrapper script and what we called a manifest file to drive the file transfer process ... and .netrc. It ran in the division's big iron batch scheduler just fine.
Quote:
Keys are considered a well-established best practice for SSH / SFTP.
I hate to say it, but in my experience it is the Wintel admins that have the most trouble with file transfers. The vast, vast majority of those third parties who were having us use ftp were having us send files to/from one of their Wintel servers. That always puzzled me, as they (the local Wintel guys, at least) were maniacs about key management for other areas of the environment.
Well, the admins involved said they would check into it but have not gotten back to me. I think they must have realized they knew not what they were talking about. Since their "deadline" for making this change has passed, I'm going to assume that I don't have to do anything stupid. I'll close this issue. If I hear from them again, I'll be back! Thanks for all the useful feedback.