27

I'm creating a small backup script using sshfs:

    sshfs backup_user@target_ip:/home /mnt/backup

Is there a way to include the password in this command?

Or is there another file transfer solution where the login password can be included other than FTP/SFTP?

Timothy Martin
Zaza
  • 4
    You can use ssh-keygen to generate an RSA key pair then configure ssh (client and server) to use RSA authentication. Have you done this before for "regular" ssh authentication? – airhuff Jan 15 '17 at 00:22
  • Yes, but then I have to change the way servers are connecting via ssh... As far as I know, authentication can be key-based or login/password, not both at the same time. – Zaza Jan 15 '17 at 00:27
  • 2
    They can be both. They usually are. This way, a newly created user can push their key on the server by entering their password. Subsequently, they use their key. – xhienne Jan 15 '17 at 00:28

7 Answers

34

Sending the 'sshfs password' with <<< to -o password_stdin works in Bash:

    sshfs -o password_stdin backup_user@target_ip:/home /mnt/backup <<< 'sshfs password'

Note the password is enclosed in single quotes. Thanks Kyle!

Matthias Braun
Maz
18

-o password_stdin does not seem to work on all systems, for instance FreeBSD.

You can also use the expect interpreter; it should work with sshfs and should do the trick.

Another solution would be sshpass. For instance, let's say you are backing up the directory /var/www.

Backing up:

    name=$(date '+%y-%m-%d')
    mkdir "/backup/$name" && tar -czvf "/backup/$name/$name.tar.gz" /var/www

Uploading the backup file to the backup server:

    sshpass -p "your_password" scp -r "/backup/$name" backup_user@target_ip:/home/

So it will upload the directory with today's backup.

But still, as was said above, the best (safe and simple) way would be to use an SSH key pair.
The only inconvenience is that you have to go through the key generation process once on every server you need to pair, but it is better than keeping a password in plain text on all servers you want to back up :)

Generating a Key Pair the Proper way

  • On Local server

    ssh-keygen -t rsa
    
  • On remote Server

    ssh root@remote_servers_ip "mkdir -p .ssh"
    
  • Uploading Generated Public Keys to the Remote Server

    cat ~/.ssh/id_rsa.pub | ssh root@remote_servers_ip "cat >> ~/.ssh/authorized_keys"
    
  • Set Permissions on Remote server

    ssh root@remote_servers_ip "chmod 700 ~/.ssh; chmod 640 ~/.ssh/authorized_keys"
    
  • Login

    ssh root@remote_servers_ip
    
  • Enabling SSH Protocol v2

    uncomment "Protocol 2" in /etc/ssh/sshd_config

  • Enabling public key authorization in sshd

    uncomment "PubkeyAuthentication yes" in /etc/ssh/sshd_config

  • If StrictModes is set to yes in /etc/ssh/sshd_config then

    restorecon -Rv ~/.ssh
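
The permission step in the list above matters because sshd, with StrictModes set to yes, ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. The script below is an added example, not part of the original answer; it assumes GNU stat, checks modes only (not ownership), and its function names are its own.

```shell
#!/bin/sh
# Added example: report paths whose modes make sshd (StrictModes yes) ignore
# ~/.ssh/authorized_keys. Assumptions: GNU stat (Linux); modes only, ownership
# is not checked. Function names are this example's own.

# Print a path's permission bits in octal, e.g. 700.
mode_of() { stat -c '%a' "$1"; }

# True when group or others can write to the path (mode & 022 is non-zero).
loose_write_bits() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 022 )) -ne 0 ]
}

# audit_ssh_dir HOME_DIR
# Prints one line per problem; returns 0 when no mode problem was found.
audit_ssh_dir() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1
        elif loose_write_bits "$p"; then
            echo "WRITABLE $(mode_of "$p") $p"; bad=1
        fi
    done
    return "$bad"
}

# Usage: sh audit.sh /home/backup_user   (run on the remote server)
if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

The modes from the answer (700 on ~/.ssh, 640 on authorized_keys) pass this check; 660 on authorized_keys or 775 on ~/.ssh is reported.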
    
14

According to the manual, there is an option -o password_stdin which might allow reading the password from standard input, which can probably be a redirection. I have never used it, so I'm speculating.

That said, I strongly advise against such a solution which is inherently insecure.

ssh works very well with a system of private/public keys. It is simple and secure. No need to enter a password or to write it in clear in a shell script. Just push your public key on the server and you can connect immediately.

xhienne
  • Can anyone provide a working example of this solution? I'm trying the following, but it is not working: `printf "my_password\n" | sshfs username@hostname:/remote_fs $HOME/local_dir` – MikeyE Jul 10 '18 at 12:42
  • FYI, I should have mentioned I'm using a password protected SSH key. I was able to get it working using the answer provided by @nathan-s-watson-haigh found here: https://unix.stackexchange.com/questions/128974/parallel-ssh-with-passphrase-protected-ssh-key – MikeyE Jul 10 '18 at 13:07
  • I don't have any matching environment at hand that would allow me to test an sshfs mount with a password-protected SSH key. Anyway, what strikes me at first in your command is that I don't see any `-o password_stdin` option. – xhienne Jul 10 '18 at 14:09
  • Thanks for the input. I tried the following command just now, and it does not ask for a password, but it also does not return. Meaning, it just sits there waiting for the command to complete, no command prompt displayed. I tried the command: `printf "my_password\n" | sshfs -o password_stdin user@hostname:/ $HOME/local_dir` P.S. I'm on Debian Buster P.P.S. This works, but prompts for a password: `sshfs -o password_stdin user@hostname:/ $HOME/local_dir` – MikeyE Jul 13 '18 at 16:32
  • 1
    I disagree that using `-o password_stdin` is inherently insecure. You're making too many assumptions about how it is used. Sure, it can be abused by hardcoding passwords into shell scripts. Obviously that is insecure. But that's far from the only use case. There are plenty of ways to use this option that are no less secure than using the normal password prompt. Also, not every SFTP user has the option to use SSH keys. Furthermore, not every server needs to be hardened. Many of the test vms at my company use the same password because we want anyone in our local network to be able to login. – Drew Nutter May 20 '20 at 20:02
  • @Drew I'm not making any assumptions, I'm using the context stated in the question: "Is there a way to include the password in this command?" Like you say "obviously that is insecure". There are plenty of ways to use this option? Not so, since the manual states "only for pam_mount!" (exclamation mark is not mine). Besides, the whole point of my answer is to promote the use of ssh keys. All in all, there is no good reason not to use them and, if users have no other choice than passwords, there is no good reason to keep them from using keys (I don't place laziness in the set of good reasons). – xhienne May 21 '20 at 15:21
11

    echo 'password' | sshfs user@host:/dir /mnt -o password_stdin

The "-o password_stdin" option is what enables you to pipe your password.

That said, keys are a better option, unless your service provider doesn't let you use them for sftp. (This is one of WP Engine's notable failures.)

iateadonut
6

One thing to keep in mind is that if you are using the -o password_stdin option, it might appear to not be working because sshfs will ask whether to connect to the host or not (if it is the first time you connect to it and it is not added to the known hosts file yet). If you are running it in a batch you will never see sshfs asking. Workarounds to avoid this are:

  1. add the -o StrictHostKeyChecking=no option to sshfs or
  2. run sshfs manually once to add the host to the known hosts file
frenchie71
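
Workaround 1 switches host key verification off, so the batch job accepts whichever server answers; workaround 2 can be scripted instead by pinning the key before the first mount. The script below is an added example, not part of the original answer: the function names and the key argument are hypothetical, known_hosts entries are assumed to be plain (not hashed), and the key is assumed to come from a trusted channel such as the server console.

```shell
#!/bin/sh
# Added example: pin the backup server's host key ahead of time so a batch
# sshfs run never reaches the interactive "continue connecting?" prompt.
# Assumptions: known_hosts entries are plain (not hashed); the key line was
# obtained over a trusted channel; function names are hypothetical.

# pin_host_key FILE HOST KEYTYPE BASE64KEY
# Returns 0 if the key was added or is already on file,
#         3 if a different key of that type is on file for the host.
pin_host_key() {
    kh=$1 host=$2 ktype=$3 key=$4
    touch "$kh" || return 1
    verdict=$(awk -v h="$host" -v t="$ktype" -v k="$key" '
        {
            n = split($1, names, ",")          # field 1 may be "name,ip"
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) {
                    r = ($3 == k) ? "same" : "conflict"
                    print r
                    exit
                }
        }' "$kh")
    case $verdict in
        same)     return 0 ;;
        conflict) echo "host key for $host ($ktype) differs from pinned key" >&2
                  return 3 ;;
        *)        printf '%s %s %s\n' "$host" "$ktype" "$key" >> "$kh" ;;
    esac
}

# mount_backup BASE64KEY
# Mounts only when the pin is in place; host key checking stays on.
mount_backup() {
    pin_host_key "$HOME/.ssh/known_hosts" target_ip ssh-ed25519 "$1" || return
    sshfs -o StrictHostKeyChecking=yes backup_user@target_ip:/home /mnt/backup
}
```

A return code of 3 means the key on file no longer matches the pinned one, which should stop the backup run for investigation.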
3

Mount script:

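    #!/bin/bash
    # Fill in the placeholders; they are quoted so the shell does not parse < and > as redirections.
    server='<host>'
    user='<username>'
    pass='<password>'
    root='<hostpath>'
    mount="$(pwd)/sshfs"

    type sshfs >/dev/null 2>&1 || { echo >&2 "sshfs required"; exit 1; }
    type sshpass >/dev/null 2>&1 || { echo >&2 "sshpass required"; exit 1; }

    mkdir -p "$mount"

    # sshpass -e reads the password from the SSHPASS environment variable
    SSHPASS="$pass" sshfs "$server:$root" "$mount" -o ssh_command="sshpass -e ssh -l $user"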

Unmount:

    #!/bin/bash

    mount="$(pwd)/sshfs"

    fusermount -u "$mount"

Michael
1

Automatic script to connect sftp with sshfs

    #!/bin/bash
    expect <<END
    spawn sshfs sftpuser@ip:/folder /mnt/folder -p 22 -o password_stdin
    send "password\r"
    expect eof
    END

champa