
I have a script with a couple of ssh commands that use a jump host. I would like to enter the jump and target server passwords each time and tried to use sshpass; sadly, "nesting" sshpass does not seem to do the trick.

sshpass -p "JumpPass" sshpass -p "ServerPass" ssh -J user@jump admin@server

Can we "nest" many sshpass or is there a specific option for providing different passwords?

gervais.b
  • This is a case for using `ProxyCommand`s instead of the simplified `ProxyJump`. – muru Jul 08 '20 at 10:24
  • Indeed, but it seems that `sshpass` must be available on the jump host too. My workaround (which simplifies my script) is to open and work through a tunnel. – gervais.b Jul 08 '20 at 11:41

2 Answers


sshpass can be used to pass in two passwords. Two different password sources have to be used (-e and -d), with one of the sources used in each of the two sshpass calls.

env SSHPASS="JUMP_PASSWORD" \
  sshpass -d 123 ssh \
  -o ProxyCommand="sshpass -e ssh -W %h:%p JUMP_USER@JUMP_HOST" \
  TARGET_USER@TARGET_HOST \
  123<<<TARGET_PASSWORD

In the above code example, the Jump Host will use the JUMP_PASSWORD as provided to sshpass (-e) and the Target Host will use the TARGET_PASSWORD as provided to sshpass (-d).

One could also provide the password with sshpass (-p) but that is insecure since the password will show up in the process list (ps). The above example utilizes sshpass such that neither password is seen in the system process list output.

The environment variable password source (sshpass -e) must be used with the ProxyCommand for the Jump Host. The environment variable is read by sshpass in the "-o ProxyCommand" call, but if using a file descriptor source (sshpass -d) the password has to be supplied in the ProxyCommand quoted value and thus can be seen in the process list output (e.g. -o ProxyCommand="sshpass -d 124 ssh -W %h:%p JUMP_USER@JUMP_HOST 124<<<JUMP_PASSWORD"), so this is unfavorable.

Note: When I use this method, sshpass is NOT installed on the JUMP_HOST.

Update: This solution can also be used with rsync.

env SSHPASS="JUMP_PASSWORD" \
rsync -v -a \
  -e "sshpass -d 123 ssh \
    -o ProxyCommand=\"sshpass -e ssh -W %h:%p USER@JUMP_HOST\" USER@TARGET_HOST" \
  :/remote/directory/  /local/directory/  \
123<<<TARGET_PASSWORD

See my answer on SuperUser: https://superuser.com/questions/1646074/why-rsync-with-jump-host-and-sshpass-not-working/1689136#1689136
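A script wrapper that applies the -e/-d technique from this answer while prompting for both passwords at run time, which is what the question asked for. This is added example code, not from the answer; it assumes bash and a local sshpass, and takes the jump and target user@host strings as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the answers above): a script wrapper around the
# sshpass -e / -d technique that prompts for both passwords at run time.
# Needs bash (here-strings, numbered fds) and sshpass on the local host only.
# The JUMP and TARGET values are script arguments; the ProxyCommand string is
# the same one the answer uses.

# ProxyCommand for the jump hop. sshpass -e reads SSHPASS from the environment
# that ssh passes down to the proxy process, so the jump password is never
# an argument of any process.
jump_proxy_command() {
    printf 'sshpass -e ssh -W %%h:%%p %s' "$1"
}

# Run ssh to TARGET through JUMP. The target password is opened on fd 123 for
# sshpass -d; the jump password is exported only for this one command line.
# Neither password shows up in `ps`, unlike sshpass -p.
ssh_via_jump() {
    local jump="$1" target="$2" jump_pw="$3" target_pw="$4"
    shift 4
    command -v sshpass >/dev/null 2>&1 || {
        echo "sshpass is not installed locally" >&2
        return 127
    }
    SSHPASS="$jump_pw" sshpass -d 123 ssh \
        -o ProxyCommand="$(jump_proxy_command "$jump")" \
        "$target" "$@" 123<<<"$target_pw"
}

# Prompt on the controlling terminal with echo disabled, so the passwords
# land neither in shell history nor in the terminal scrollback.
prompt_secret() {
    local value
    read -r -s -p "$1: " value </dev/tty
    printf '\n' >/dev/tty
    printf '%s' "$value"
}

# Usage: run_jump_session JUMP_USER@JUMP_HOST TARGET_USER@TARGET_HOST [command...]
run_jump_session() {
    local jump="$1" target="$2"
    shift 2
    local jump_pw target_pw
    jump_pw=$(prompt_secret "Password for $jump")
    target_pw=$(prompt_secret "Password for $target")
    ssh_via_jump "$jump" "$target" "$jump_pw" "$target_pw" "$@"
}
```

Source the file and call run_jump_session, or append a call to it at the bottom to use it as a standalone script.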


I would commonly use ProxyCommand as mentioned by muru.

Also, why don't you use a key instead of a password for authentication? { when I started using Linux, I always used passwords, but once you've used a key, you just won't go back }

I can put this in my ssh config file, and ssh to the server directly with ssh server:

Host server
    ControlMaster auto
    ProxyCommand ssh -W %h:%p -i your_key_for_Jump user@jump
    IdentityFile your_key_for_server_if_not_idrsa
    User ssh_user_for_server
xiaoyao
  • I need it into a script, so cannot use the ssh config file. However it seems that `-o` will do it, thanks. – gervais.b Jul 09 '20 at 07:31
  • Glad that you figured it out. Just to clarify, ssh config is a general setting, not limited to a user session, so a script has no issue :) – xiaoyao Jul 09 '20 at 11:25