为什么 sshpass 仍然提示输入密码?

tag-icon tag-icon ssh password
为什么 sshpass 仍然提示输入密码?

上下文 :

  • Debian Stretch 工作站尝试通过 SSH 连接到众多 GNU/Linux 服务器(主要是 RH 和 Debian)
  • 我无法更改远程服务器的 SSH 配置
  • 我知道这远非理想,但我必须使用登录名 + 密码登录。没有 SSH 密钥,只有普通的登录名/密码。我无法更改这一点(无需建议使用密钥 + 密码)
  • sshpass -V:“sshpass 1.06”

这个答案使用“ssphass”给出了一个有趣的提示。

我在'〜/ .ssh / config'中设置的内容:

Host myServer
    HostName 12.34.56.78
    User bob
    ProxyCommand sshpass -v -pmyPassword ssh %r@%h -W localhost:%p

注意:'-v' sshpass 选项仅在询问此问题时用于获取详细信息

当我尝试通过 SSH 连接时:

me@myWorkstation$ ssh myServer
SSHPASS searching for password prompt using match "assword"
SSHPASS read: [email protected]'s password:
SSHPASS detected prompt. Sending password.
SSHPASS read:

[email protected]'s password:

它会一直这样等待下去 :-(

如果我编辑'~/.ssh/config'并替换'myPassword'(这是附加到此 SSH 登录的真实密码,手动登录时有效):

Host myServer
    HostName 12.34.56.78
    User bob
    ProxyCommand sshpass -v -pnotMyPasswordAnymoreOhNo ssh %r@%h -W localhost:%p

这使 :

me@myWorkstation$ ssh myServer
SSHPASS searching for password prompt using match "assword"
SSHPASS read: [email protected]'s password:
SSHPASS detected prompt. Sending password.
SSHPASS read:

Permission denied, please try again.
SSHPASS read: [email protected]'s password:
SSHPASS detected prompt, again. Wrong password. Terminating.
ssh_exchange_identification: Connection closed by remote host

我确实收到了回复(尽管是负面的)。你能解释一下原因吗?

答案1

man sshpass 说:

安全注意事项

  First and foremost, users of sshpass should realize that ssh's insistance on only  getting  the  password  interac‐
   tively is not without reason. It is close to impossible to securely store the password, and users of sshpass should
   consider whether ssh's public key authentication provides the same end-user experience, while involving less hassle
   and being more secure.

  The  -p  option  should  be  considered the least secure of all of sshpass's options.  All system users can see the
   password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password,  but
   such  attempts  are  doomed  to  create  race conditions without actually solving the problem. Users of sshpass are
   encouraged to use one of the other password passing techniques, which are all more secure.

  In particular, people writing programs that are meant to communicate the password programatically are encouraged to
   use an anonymous pipe and pass the pipe's reading end to sshpass using the -d option.

您可以尝试保存 ENV 变量并将传递存储在那里,但这是不好的做法。

答案2

如果有人想强制ssh询问一次密码,即提供密码的时间,sshpass如果密码错误则失败,那么这样的方法很有效

sshpass -e ssh [email protected] -o NumberOfPasswordPrompts=1 whoami

解释:

  • sshpass使用选项$SSHPASS时从环境变量中获取密码-e
  • ssh使用提供的密码sshpass,如果成功则whoami在远程服务器上运行命令
  • 如果密码错误,则不会提示输入密码,因为-o NumberOfPasswordPrompts=1强制ssh仅提示一次,并且那 1 次已经被提供的错误密码使用sshpass,因此焦点返回到终端

相关内容