Automating SSH Password Login: Secure Methods for Scripting Access



When automating SSH logins, the main obstacle is that the SSH client intentionally refuses to accept a password on the command line or from stdin. This security measure keeps passwords out of process listings and shell history. However, for test environments or automation scripts, we need practical workarounds.

The most straightforward method is using sshpass, a dedicated tool designed specifically for this purpose:

# Install sshpass on Debian/Ubuntu
sudo apt-get install sshpass

# Basic usage
sshpass -p 'your_password' ssh username@hostname

While convenient, note that the password given to sshpass -p is a command-line argument, so it may show up in process listings. For better security in production, consider key-based authentication instead.

For systems where you can't install sshpass, expect scripts provide a flexible alternative:

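#!/usr/bin/expect -f
# Give up waiting for the prompt after 20 seconds
set timeout 20
set username "your_username"
set host "your_host"
# The password is stored in clear text in this file
set password "your_password"

# Start ssh under a pseudo-terminal controlled by expect
spawn ssh "$username@$host"
# Matches both "Password:" and "password:" prompts
expect "*?assword:*"
send "$password\r"
# Hand the session over to the user
interact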

Save this as auto_ssh.exp and make it executable with chmod +x auto_ssh.exp.

While the question specifically asks about password authentication, for most automation scenarios, SSH keys are superior:

# Generate key pair (if you don't have one)
ssh-keygen -t rsa -b 4096

# Copy public key to remote server
ssh-copy-id username@hostname

After setup, you can SSH without passwords while maintaining better security.

For complex automation, combine tools with SSH configuration:

# ~/.ssh/config entry
Host testvm
    HostName your.server.ip
    User yourusername
    IdentityFile ~/.ssh/testvm_key
    # Other parameters...

# Script using sshpass as fallback
if ! ssh -o BatchMode=yes testvm true; then
    sshpass -p 'fallback_password' ssh testvm
fi
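
A hardened variant of the fallback script above, added here as an example (not code from the original page): it reads the password with sshpass -f from a file instead of passing it with -p, and refuses a file that is a symlink, not owned by the caller, or accessible to group/other. The function names and the password-file path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# password-file path in the usage line are assumptions.

# Succeed only if $1 is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits set (e.g. mode 600).
pwfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ldn prints e.g. "-rw------- 1 1000 1000 ..."; characters 5-10 of
    # the mode string are the group/other bits, field 3 is the owner uid.
    set -- $(ls -ldn "$1" | awk '{print substr($1, 5, 6), $3}')
    [ "$1" = "------" ] && [ "$2" = "$(id -u)" ]
}

# Try key authentication first; fall back to the password file only when
# ssh itself failed (exit 255), not when the remote command failed.
ssh_with_fallback() {
    host=$1
    pwfile=$2
    shift 2
    rc=0
    # BatchMode=yes makes ssh fail instead of prompting for a password.
    ssh -o BatchMode=yes "$host" "$@" || rc=$?
    [ "$rc" -eq 255 ] || return "$rc"
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing fallback: $pwfile must be a private regular file" >&2
        return 2
    fi
    # -f reads the password from the first line of the file, so it never
    # appears in argv (ps output) or in shell history.
    sshpass -f "$pwfile" ssh "$host" "$@"
}

# Usage: ssh_with_fallback testvm "$HOME/.ssh/testvm.pass" uptime
```

The password still sits in clear text on disk, so the file check narrows who can read it rather than removing the exposure.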

Remember that these methods expose passwords in scripts or process memory. For test environments this may be acceptable, but never use these approaches for production systems handling sensitive data. Always prefer:

  • SSH key authentication
  • Configuration management tools (Ansible, Puppet, etc.)
  • Jump hosts with restricted access

Many developers first attempt to automate SSH login by piping the password like this:

echo "mypassword" | ssh user@hostname

This fails because SSH is designed to read passwords directly from the terminal (TTY) for security reasons, not from stdin. The SSH client explicitly prevents this simple approach to discourage insecure practices.

The easiest solution is sshpass, a dedicated tool designed for this exact purpose:

# Install sshpass on Debian/Ubuntu
sudo apt-get install sshpass

# Basic usage
sshpass -p 'your_password' ssh user@hostname

# With a command execution
sshpass -p 'your_password' ssh user@hostname "ls -l /tmp"

While convenient for testing environments, note that:

  • Passwords appear in command history
  • Passwords are visible in process listings (ps aux)
  • This approach is not recommended for production use

For better security while maintaining automation:

# Generate key pair (if you haven't already)
ssh-keygen -t ed25519

# Copy public key to server
ssh-copy-id user@hostname

# Now you can login without password prompt
ssh user@hostname

When you need more control over the SSH session:

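#!/usr/bin/expect -f
# Give up waiting for the prompt after 20 seconds
set timeout 20
set host "hostname"
set user "username"
# The password is stored in clear text in this file
set password "password"

# Start ssh under a pseudo-terminal controlled by expect
spawn ssh "$user@$host"
# Wait for the password prompt, then answer it
expect "password:"
send "$password\r"
# Hand the session over to the user
interact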

Save as autossh.exp and make executable with chmod +x autossh.exp.

While these methods work for test environments:

  • Never hardcode passwords in scripts committed to version control
  • Consider using environment variables for sensitive data
  • For production systems, always prefer SSH keys with passphrases
  • Use configuration management tools (Ansible, Puppet) for better security