Hey all, While I generally prefer keypair authentication, I am sometimes stuck with the need to access a variety of hosts which only permit password authentication. At the moment, I copy-paste my password from `pass`. I wondered if it could be doable to add a new option to ssh_config, analogous to the various XYZCommand options available for sshd_config? (Hopefully I'm not overlooking something: I'm on 8.6p1 here, and I don't see anything in `man ssh` or `man ssh_config` which matches what I am looking for.) For my ~/.ssh/config, I'm imagining a stanza like so: Host A.B.C.D PasswordCommand pass show A.B.C.D So long as I have gpg-agent running, I would then be able to log into these hosts in a fairly seamless way. It would also help with keeping track of which password is relevant to which hosts. Thanks for any replies.
On 22.06.21 05:20, asymptosis wrote:> While I generally prefer keypair authentication, I am sometimes stuck > with the need to access a variety of hosts which only permit password > authentication. At the moment, I copy-paste my password from `pass`. > > I wondered if it could be doable to add a new option to ssh_config, > analogous to the various XYZCommand options available for sshd_config?Further weakening the "CAPTCHAness" of password-based logins is a somewhat *unpopular* topic with the OpenSSH project. :-} Hence sshpass being maintained *outside* it ... https://www.redhat.com/sysadmin/ssh-automation-sshpass (Or, if you're really *mass* deploying *identical* commands, there are clusterssh et.al.: https://github.com/duncs/clusterssh https://unix.stackexchange.com/questions/19008/automatically-run-commands-over-ssh-on-many-servers ) Reards, -- Jochen Bern Systemingenieur Binect GmbH -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3449 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210623/170ee248/attachment.p7s>
On Tue, 22 Jun 2021, asymptosis wrote:> Hey all, > > While I generally prefer keypair authentication, I am sometimes stuck with the > need to access a variety of hosts which only permit password authentication. > At the moment, I copy-paste my password from `pass`. > > I wondered if it could be doable to add a new option to ssh_config, analogous > to the various XYZCommand options available for sshd_config? > > (Hopefully I'm not overlooking something: I'm on 8.6p1 here, and I don't see > anything in `man ssh` or `man ssh_config` which matches what I am looking > for.) > > For my ~/.ssh/config, I'm imagining a stanza like so: > > Host A.B.C.D > PasswordCommand pass show A.B.C.D > > So long as I have gpg-agent running, I would then be able to log into these > hosts in a fairly seamless way. It would also help with keeping track of which > password is relevant to which hosts.btw, it's probably possible to abuse SSH_ASKPASS_PROMPT=require to do this. -d