I am connecting from a UNIX server to a third party server (EFT on client side).
EFT supports only dual authentication.
So client has provided us the userid and password and we have shared the public key to them.
My shell script has to push and pull the files from third party.
I don't have expect, lftp, curl, sshpass in my server, cannot install then either.
How do I pass the password for the sftp command in the shell script to connect to remote server?
Now I am keying the password manually for the file transfer to happen, which is working.
But need to automate this.
Please advise.
If you really need a password authentication (in addition to the public key authentication), you cannot use vanilla OpenSSH ssh. It is purposefully built in a way not to allow automating password authentication.
Either you need to hack the password input for ssh using tools like expect and sshpass:
Automatically enter SSH password with script
How to run the sftp command with a password from Bash script?
(it seems that you know this);
Or use another SFTP client (it seems that you have none and you cannot install any);
That basically leaves you with implementing something. Either you will have to implement expect/sshpass equivalent. Or use your favourite programing language that is available on your server to implement the SFTP: Python/Perl/Ruby/PHP/C/C++. There are SFTP libraries for all of them.
Related
I frequently have to connect to vpn for work. So rather than typing the whole cmd, i want to type something like vpn in terminal and it picks up the password from somewhere and the vpn gets connected.
The process I do now is..
sudo openvpn --config <configfile.ovpn>
I'll be prompted to type the password and when i do that it gets connected.
For the same I explored alias but I suppose alias is for much simpler task. Any solutions, how to pass password automatically when terminal ask for it?
You can create an alias and use it .
In your .bashrc, you can create an alias
alias vpn=« Your command »
Then you will just type the command vpn.
Here a link that can help you
When the password is asked interactively the best options is add the --askpass argument and send the password through a file.
openvpn --config <configfile.ovpn> --askpass <file with cred>
You can also add automatically the password using expect or similar, but the best option is using the own openvpn.
--askpass [file]
Get certificate password from console or file before we daemonize.
For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to
type the password. The --askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password
you should omit the -nodes option when you use the openssl command line tool to manage certificates and private keys.
If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using
an encrypted key.
You can put the password into a file and point your OpenVPN client configuration to it.
It is obviously a bad idea for security to store passwords in plain text on your hard drive!
If you still want to do it, put your user name and password in a plain text file on two lines, like so:
username
password
Add a line
auth-user-pass passwordfile
to your OpenVPN client configuration where passwordfile is the name of the file.
Note this only works in OpenVPN 2 and is no longer supported in version 3. See this blog post about it: https://openvpn.net/blog/openvpn-3-linux-and-auth-user-pass/
I have a shell script that starts a For loop, reads from a text file with hostnames, and uses SCP to transfer files to each host. It's been very useful but what is the best way to deal with the password prompt? The only authentication I was given to the servers were a username and password.
As of now, I've had to input my password for each server. It's been duoable since the server count is low but I'd like to have a better solution in the future. Any help/suggestions would be great.
Thanks!
Most servers also support publickey authentication. Generate a keypair on your local host, then copy the ~/.ssh/id_rsa_pub to remote host's ~/.ssh/authorized_keys (or append to it if it already exists). Deal with the keyphrase locking your secret key by using ssh-agent.
For this kind of interactive action you can use Expect scripts. You can easily define a remote call where you expect for a especific string (f.e "username:") and then send the known password.
I am using FileZilla to log in to an SFTP host with my credentials. However, I need to use an equivalent of sudo su - user (as used in linux) to change the user. There are no passwords set for this general user, and hence direct login is not allowed.
What FTP command can I use with the "Enter custom command.." option in FileZilla to switch users after connecting?
(This is required so I can transfer files as a different user and not my login.)
SFTP protocol doesn't support changing user in the middle of transfer session (so no case to login and then change user with some custom command). But you can launch sftp server under needed user using sudo, by changing SFTP client configuration. Don't know whether this trick is supported by FileZilla, but it's supported by PuTTY or WinSCP. There in the sftp server settings you can specify something like "sudo /bin/sftp-server" in order to launch transfer session under different user.
For example, instruction how to do this with WinSCP:
https://winscp.net/eng/docs/faq_su#sudo
In a shell script file I am using some commands like scp and make install which ask for my password.
I run a shell script to compile a big project, and after some time it asks for my password for using scp. I need to wait for that process and give the password after that.
I just want to do it all by shell script without interaction, so how can I avoid being prompted for the password here?
Short answer: DON'T
Use public key authentication for SCP and sudo with NOPASSWD directive for make install
If you can't use ssh trust and must enter the password later on in your script, use read -s -p "Password:" USER_PASSWORD to silently read in the password. You can then export USER_PASSWORD to an expect script, avoiding it being displayed in ps:
#!/usr/bin/expect -f
spawn scp some.file USER#otherhost:~
expect "assword:"
send -- "$env(USER_PASSWORD)\r"
expect eof
I think it's a better idea to generate an authentication key, and use this key based authentication instead of writing plain text passwords into your scripts.
No, you won't find any method to use SSH config files or a command line option to have a password hard coded and I'm sure this is by design.
If you environment makes this difficult, perhaps it would be helpful to know that the script can specify an identity file using the -i argument so you don't have to have a whole home directory setup or anything like that. There are other options that help use the key authentication that ssh really encourages over password authentication.
If you are using this across several users who you don't want to be bothered to create keys and copy them to the server, you could script that also. It wouldn't be hard to check for an existing key and do a quick test to see if you can make a connection with it. If you can't without a password, then you'd ssh-copy-id to the server asking for the ssh password that one time and at the beginning of the script so very little lag would occur between starting and running the script and it would be only once. You could even setup a separate key for each user for just the script in their own ~/.script/key/ directory so that you would discourage users access to the SSH server.
If you want to really restrict what can be done on the remote server by that user, you could use rssh as the shell on the remote account which will limit the user access to transferring files.
A good way we did this in the past to provide passwords to needed scripts when using key based authentication was impossible or needed to use passwords for apps, services, mysql, whatever...we stored passwords in an encrypted file and then decrypted this file at runtime to provide the password to the scripts.
The password decryption script, let's call it, yourcreds.rb, was restricted to root use only of course and the unencrypted passwords wern't stored anywhere. So for example you could run:
root#host:~# yourcreds.rb | grep mysql | awk {'print $3'}
Which without awk would for example output the stored line:
service | user | password | description | etc...
mysql mysqluser password ....
With yourcreds.rb (or whatever) you can output just the password and easily incorporate this method into scripts / cron jobs in larger or more complex environments.
Also if I remember correctly we didn't have to use grep / awk or anything. We just programmed in opts parse stuff like: yourcreds.rb list mysql or yourcreds.rb -l, etc.
We used blowfish and yamls to store the encrypted passwords. I'm sure you can be creative. Just make sure it's bullet proof to anyone but root.
I'm new to shellscripting (and not well traveled in the world of Linux) and are trying to get a shellscript to automaticly log into an sftp server with my given. Now this is how far I've gotten
#!/bin/bash
HOST='somehost.com'
USER='someusername'
PASSWD='somepass'
sftp $USER#$HOST
Now this is where I run into trouble. At this point I will be prompted for a password. So how do I get the script to automaticly reply with the password when prompted for it? I also tried finding a way to pass along the password with the sftp command, but with no luck. Can anyone help me figure this out?
Use this code:
#!/bin/bash
HOST='somehost.com'
USER='someusername'
PASSWD='somepass'
echo $PASSWD | sftp $USER#$HOST
It's not a good idea to include the password in a command line or such a script. Anyone who has access to the list of running processes could see your password, it could end up in your shell history and log files. So this would create a security hole.
There is more info in this thread where key based authentication is recommended over your proposed method.
Do not store passwords in script files, unless you are compulsive obsessive about keeping your permissions absolutely tight.
For all things ssh/sftp/scp, use public key authentication. Learn about the settings you can set on both the client and the server ends to make it more secure (ip restrictions, user restrictions, cipher restrictions, number of retries, number of simultaneous logins, etc) That alone should eliminate a lot of insecurity due to scripting issues.
If you absolutely must store a password in a variable, do not export it, and unset it the moment you get done using it.
on local host (where the script will be executed) generate ssh key pair:
scriptuser#scripthost:/~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/michal/.ssh/id_rsa): {press ENTER!}
(...)
copy generated public key from scripthost to the somehost.com and append it to the list of authenticated hosts:
scriptuser#scripthost:/~$ cat ~/.ssh/id_rsa.pub | ssh someuser#somehost.com 'cat >> .ssh/authorized_keys'
now you should be able to use scp or sftp without password:
scriptuser#scripthost:/~$ scp /any/local/file someuser#somehost.com:/remote/location/
use sshpass command.
you can give password along with command