LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

04-22-2020, 02:13 PM   #1
mfoley
Senior Member

Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,593

can batch (-b) sftp be done using a password and not just a private key


Per the subject, can batch (-b) sftp be done using a password and not just a private key?

I have a file-exchange client that wants to switch us from sftp using a private key to using a password. As I understand it, this is not possible.

True, false?
 
04-22-2020, 03:16 PM   #2
michaelk
Moderator

Registered: Aug 2002
Posts: 25,775

I would not know why your client would prefer going back to passwords, but you're correct that sftp batch mode requires using keys, but that is not the only way.

You could use lftp and create a script file. One way the username/password is on the command line so it will be visible to anyone that can look at running processes. You could use an expect file but the password would be embedded in the script.

You can still use sftp via expect but your batch file would be written in the script file itself. If you are unfamiliar with tcl programming that could be a small learning curve.
 
1 members found this post helpful.
04-24-2020, 05:12 AM   #3
mfoley
Senior Member

Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,593

Original Poster
Thanks for the tips. I don't know why this client is pushing passwords either. I think there are some new people there that don't really know about batch-mode anything and only think people pick up their files manually via a browser. The lftp command does appear to accept a PW on the command line: 'lftp -u user,pass ...'. I could "hide" the PW in a C program and do: 'lftp -u user,`mypw`', and make mypw only executable by the batch user. Not perfect.

I've given a long list of reasons to NOT abandon private keys to the client. They have kicked it up a level and will get back to me. I'll post results here, but thanks for answering my original question about sftp.
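
Added example, not part of any post in this thread: what a process listing shows for the two lftp-style invocations discussed above, compared with keeping the password in an owner-only file. `transfer-client`, the `mypw` shell function, the `-f` script-file argument and the password are stand-ins constructed for the demo, and nothing connects to a network.

```shell
#!/bin/sh
# Added example. "transfer-client" is a stand-in that only sleeps; nothing
# touches the network. SECRET is a constructed sample value.
SECRET='constructed-demo-password'

# argv of PID as any other local user can read it
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Launch the stand-in with the given arguments, sample its argv, stop it.
observe() (
    # "; :" stops sh from exec'ing into sleep, so its own argv stays visible
    sh -c 'sleep 2; :' transfer-client "$@" >/dev/null 2>&1 &
    pid=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do
        seen=$(visible_args "$pid" 2>/dev/null) || seen=""
        case $seen in *transfer-client*) break ;; esac
        sleep 0.1
    done
    kill "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
)

# Hypothetical stand-in for the "mypw" helper program mentioned in the thread.
mypw() { printf '%s' "$SECRET"; }

# 1. Password written directly into the arguments.
case_inline() { observe -u "user,$SECRET" sftp://host.example; }
# 2. Password from command substitution: the shell expands it before the
#    client starts, so the client's argv is the same as in case 1.
case_substituted() { observe -u "user,$(mypw)" sftp://host.example; }
# 3. Password kept in an owner-only file; argv carries only the path.
case_file() {
    f=$(mktemp) && chmod 600 "$f"
    printf 'open -u user,%s sftp://host.example\n' "$SECRET" > "$f"
    observe -f "$f"
    rm -f "$f"
}

exposed() { case $1 in *"$SECRET"*) echo yes ;; *) echo no ;; esac; }

echo "inline:      $(exposed "$(case_inline)")"
echo "substituted: $(exposed "$(case_substituted)")"
echo "file (-f):   $(exposed "$(case_file)")"
```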
 
04-24-2020, 05:51 AM   #4
Turbocapitalist
LQ Guru

Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,343
Blog Entries: 3

As per the manual page for sftp:

Quote:
-b batchfile
Batch mode reads a series of commands from an input batchfile instead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication to obviate the need to enter a password at connection time (see sshd(8) and ssh-keygen(1) for details). [...]
So regressing to using a password would be incompatible with batch mode.

What is their alleged reason for wanting to regress? Keys are considered a well-established best practice for SSH / SFTP. If it is a matter of using authentication tokens, most can be set up to work with keys, at least the newer models can do that.
 
04-24-2020, 11:30 AM   #5
rnturn
Senior Member

Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,814

Quote:
Originally Posted by Turbocapitalist
As per the manual page for sftp:
So regressing to using a password would be incompatible with batch mode.
We cobbled together a batch mode FTP process many years ago as we had to work with third-parties that either didn't know about sftp or were too lazy to set it up. It involved use of an Expect wrapper script and what we called a manifest file to drive the file transfer process ... and .netrc. It ran in the division's big iron batch scheduler just fine.

Quote:
Keys are considered a well-established best practice for SSH / SFTP.
I hate to say it but in my experience it is the Wintel admins that have the most trouble with file transfers. The vast, vast majority of those third-parties who were having us use ftp were having us send files to/from one of their Wintel servers. That was always something that puzzled me as they (the local Wintel guys, at least) were maniacs about key management for other areas of the environment.
 
05-27-2020, 01:42 PM   #6
mfoley
Senior Member

Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,593

Original Poster
Well, the admins involved said they would check into it but have not gotten back to me. I think they must have realized they knew not what they were talking about. Since their "deadline" for making this change has passed, I'm going to assume that I don't have to do anything stupid. I'll close this issue. If I hear from them again, I'll be back! Thanks for all the useful feedback.
 
  

