Encrypt password in sshpass

Ankushkalra · 08-10-2017, 05:05 AM

Hi,

We have rhel 7.x in our environment. I have created some scripts using "sshpass" tool like daily health check script etc.

Sample script using sshpass

ssh_user=Userid
ssh_pass='PasswordinPlainText'

for i in `cat ip_c.txt`

do
{
echo "****************************************$i**************************************************";
sshpass -p $ssh_pass ssh -t $ssh_user@$i "sudo su -";
}
done

Issue is that all these script contains my password in plain text.

My Requirement is to provide encrypted password in these scripts instead of plain text.Is there a way???

Also if there isnt a way to encrypt password in script,kindly suggest some other way.

Please note: Passwordless SSH is not possible as it is against our security policy

Thanks

Turbocapitalist · 08-10-2017, 05:13 AM

One option is that you can use keys with strong passphrases and then load the keys into an agent for reuse later. That avoids the "passwordless" situation.

Ankushkalra · 08-10-2017, 05:21 AM

Quote:

Originally Posted by Turbocapitalist

One option is that you can use keys with strong passphrases and then load the keys into an agent for reuse later. That avoids the "passwordless" situation.

Thanks for the quick reply!!!!

I didn;t get you.Kindly elaborate.

Turbocapitalist · 08-10-2017, 05:33 AM

You would generate SSH keys using ssh-keygen, preferably ed25519, and the put the public key onto the remote machine inside the appropriate authorized_keys file. Then when that is proven to work, password authentication can be fully disabled for the SSH daemon. There are very many tutorials and guides on how to do key-based authentication.

Then once you have the keys working, use an agent on the client system. Your desktop might load one for you, in which case you just need to load the key using ssh-add before launching your script.

See:

Code:

man ssh
man ssh-add
man ssh-agent
man ssh-keygen

If you do not have an agent available for use, then you can use ssh-agent to launch your shell, load the key, then launch your script.

Code:

ssh-agent /bin/bash

If you use a strong passphrase with the private keys, then they are protected by AES-128 encryption. During the authentication they never leave the client and are used instead to deal with encrypted messages between the server and the client to verify identity.

(By the way, I would be very surprised if any security policy allows password-based authentication instead of keys.)

AwesomeMachine · 08-11-2017, 02:34 AM

If you establish the ssh session, the connection is encrypted, so nothing is passed as plaintext.