SFTP Batch without key


Ville Mattila
May 24, 2004, 2:00:03 PM
Hi there,

I'm looking for a solution to the problem of logging in and transferring
files automatically over SFTP. Well, the problem is that I should do the
transfer job as a cronjob, but the server where the files will be
transferred to doesn't support auth keys (that would have made the case
easy).

I've been looking for a solution of reading the password from a
separate file (with proper modes of course) or some other similar way, but
without results at the moment.

Any ideas?

Thanks,
Ville

Per Hedeland
May 28, 2004, 7:30:06 PM
In article <40b23823$0$1776$39db...@news.song.fi> Ville Mattila

You didn't say, but in case you're using OpenSSH on *nix (might work
with some others too), I can tell you about a pretty gross hack that I
just did. The OpenSSH ssh program (which is used by both scp and sftp to
make the actual connection) pretty much insists on having a tty to read
the password from - except in one case: If it thinks it's running in an
X session.

In that case, if it doesn't find a tty, it will fire up (e.g.)
ssh-askpass, which throws an X dialogue that you can type your password
into, and then simply prints it on stdout, where ssh reads it. The nice
thing is that you can specify the actual program via the SSH_ASKPASS
environment variable.

I.e. in your case, you could simply have a script that gets the password
from wherever and prints it on stdout, specify that via SSH_ASKPASS, set
environment DISPLAY (to anything at all) to make the illusion complete,
and you're done. The security implications of a script/program that
prints a password on stdout when run should be obvious, but if you're
prepared to have the password in cleartext in a file there isn't much
actual loss in security by having something print it.

(My hack wasn't that bad from a security point of view - to retrieve the
password, my askpass program actually connects to a TCP port where it is
provided by the program that fired up sftp/scp in the first place. That
program normally gets the password from an actual user, but for certain
reasons it is impractical for it to have the ssh program interact
directly with the user via a tty.)

Besides that, the source is available, and it's pretty easy to modify it
to not have the tty requirement but just read the password from stdin.
That may not work with sftp/scp though, since they probably grab ssh's
stdin for their own purposes.

--Per Hedeland
p...@hedeland.org

Ville Mattila
Aug 5, 2004, 12:55:55 PM
to p...@hedeland.org
Per Hedeland wrote:
> I.e. in your case, you could simply have a script that gets the password
> from wherever and prints it on stdout, specify that via SSH_ASKPASS, set
> environment DISPLAY (to anything at all) to make the illusion complete,
> and you're done. The security implications of a script/program that
> prints a password on stdout when run should be obvious, but if you're
> prepared to have the password in cleartext in a file there isn't much
> actual loss in security by having something print it.

Hi there!

I tried this trick, thanks for a good tip. For some reason, I couldn't
get it to work at all. Even if I set SSH_ASKPASS to point to a script that just
echoes the password, and set DISPLAY to be some foo, sftp still asks
for the password.

Would there be some extra settings that should be set?

Thanks for help!

- Ville

Per Hedeland
Aug 5, 2004, 6:09:36 PM
In article <4112669B...@mattila.fi> Ville Mattila

No, but you can't test with a simple interactive invocation of sftp
(directly or via a script) - from the ssh man page:

If ssh needs a passphrase, it will read the passphrase from the
current terminal if it was run from a terminal. If ssh does not
^^^^^^^^^^^^^^^
have a terminal associated with it but DISPLAY and SSH_ASKPASS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
are set, it will execute the program specified by SSH_ASKPASS and
open an X11 window to read the passphrase.

(Actually the description isn't quite correct - it is "the program
specified by SSH_ASKPASS" that opens the X11 window (if any), not ssh.)

The original question was about a cronjob, which fulfills the
requirement of not having a terminal. If you have 'setsid' as a command
on your OS, you can try interactively with something like

$ setsid sftp -b batchfile remotehost

- worked for me on RedHat 7.3 with SSH_ASKPASS set to a script that
simply echoed the password.

--Per Hedeland
p...@hedeland.org
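Putting Per Hedeland's two replies together (an SSH_ASKPASS helper that prints the password, plus setsid to drop the terminal), here is an added example of the whole arrangement as a cron-friendly POSIX shell script. It is not code from the thread; the helper and password paths are assumptions, and the one check the thread does not show is refusing a password file whose mode is wider than 0600.

```shell
#!/bin/sh
# Added example, not from the thread: the SSH_ASKPASS setup described above,
# packaged for a cron job. The askpass helper prints the password on stdout
# exactly as Per describes, so the password file itself is the thing to guard:
# secret_file_ok() refuses anything that is not a mode 0600/0400 regular file.

# Accept the password file only if it is a regular file readable by its owner alone.
# Uses ls(1) rather than stat(1) so it works on both GNU and BSD userlands.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c2-10)
    [ "$perms" = "rw-------" ] || [ "$perms" = "r--------" ]
}

# Write the askpass helper. ssh runs it with the prompt text as $1, which is
# ignored; whatever it prints on stdout becomes the password.
write_askpass() {
    helper=$1
    secret=$2
    cat > "$helper" <<EOF
#!/bin/sh
exec cat "$secret"
EOF
    chmod 700 "$helper"
}

# Detach from the controlling terminal with setsid(1) and fake an X session via
# DISPLAY, which is what makes ssh consult SSH_ASKPASS instead of /dev/tty.
# -oBatchMode=no is given before -b because current sftp turns -b into
# BatchMode=yes for ssh, which suppresses password authentication entirely.
run_batch_sftp() {
    helper=$1
    secret=$2
    batch=$3
    host=$4
    secret_file_ok "$secret" || {
        echo "refusing to run: $secret must be a regular file with mode 0600" >&2
        return 1
    }
    write_askpass "$helper" "$secret"
    DISPLAY=:0 SSH_ASKPASS="$helper" \
        setsid sftp -oBatchMode=no -b "$batch" "$host"
}

# Cron entry (02:15 nightly), assuming sftp-batch.sh sources this file and
# calls: run_batch_sftp /var/lib/sftp-batch/askpass /etc/sftp-batch/password \
#        /etc/sftp-batch/commands remotehost   (all paths are assumptions)
# 15 2 * * * /usr/local/sbin/sftp-batch.sh
```

OpenSSH 8.4 and later also honour SSH_ASKPASS_REQUIRE=force, which makes ssh use the askpass program even when a terminal is present, so the setsid and DISPLAY illusion is unnecessary there.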

Richard E. Silverman
Aug 5, 2004, 10:06:53 PM
>>>>> "PH" == Per Hedeland <p...@hedeland.org> writes:

PH> If you have 'setsid' as a command on your OS, you can try
PH> interactively with something like

PH> $ setsid sftp -b batchfile remotehost

Or if not, then perhaps:

perl -MPOSIX -e 'exit if fork(); setsid(); system("@ARGV")' ssh ...

--
Richard Silverman
r...@qoxp.net

Michael Selvesteen
Aug 6, 2004, 2:53:41 AM
Hi,

You can also try expect scripts to automate your ssh logins. It is
more secure and quite easy....
For more information try the following link

http://www.cpqlinux.com/expect.html

--
M


Richard E. Silverman
Aug 6, 2004, 9:48:43 AM
>>>>> "MS" == Michael Selvesteen <selve...@hotmail.com> writes:

MS> Hi, You can also try expect scripts to automate your ssh
MS> logins. It is more secure and quite easy.... for more information
MS> try the following link

In what way do you think scripting password-based login is "more secure?"

--
Richard Silverman
r...@qoxp.net

Per Hedeland
Aug 6, 2004, 4:33:02 PM
In article <7b0cf8bb.0408...@posting.google.com>
selve...@hotmail.com (Michael Selvesteen) writes:
>
>You can also try expect scripts to automate your ssh logins. It is
>more secure and quite easy....

I could agree that it's "cleaner" since it doesn't rely on "abusing" the
SSH_ASKPASS thing - but why do you think it is more secure?

--Per Hedeland
p...@hedeland.org

Per Hedeland
Aug 6, 2004, 4:41:08 PM
In article <m2zn59a...@darwin.oankali.net> Richard E. Silverman
<r...@qoxp.net> writes:
>>>>>> "PH" == Per Hedeland <p...@hedeland.org> writes:
>
> PH> If you have 'setsid' as a command on your OS, you can try
> PH> interactively with something like
>
> PH> $ setsid sftp -b batchfile remotehost
>
>Or if not, then perhaps:
>
>perl -MPOSIX -e 'exit if fork(); setsid(); system("@ARGV")' ssh ...

Thanks, nice tip! (There are other uses for this "take away the
terminal" thing, e.g. in the past I've used it for forcing dump(8) to
abort on error instead of hanging the system in single-user with a query
on the console...)

(Actually, when I saw a followup from you in the thread list I expected
it to be a bashing for the gross SSH_ASKPASS hack suggestion...:-)

--Per Hedeland
p...@hedeland.org