3

I configured key pairs for SSH connection. It works but of course asks for the passphrase.

ssh [email protected]

So now I try to login with sshpass which I have installed. I tried with -p property but also and with -f property and nothing works - it just hangs.

verbose gives these info on the client side

sshpass -v -p "pass" ssh [email protected]
SSHPASS searching for password prompt using match "assword"
SSHPASS read:
SSHPASS read: Enter passphrase for key '/home/user1/.ssh/id_rsa':

On the server side I can see these information in the log:

Accepted key RSA SHA256:V/V29pA2Ps5k/lBgz2R5XFP6vaaaOUN5hj0hca+j8TI found at __PROGRAMDATA__/ssh/administrators_authoriz
ed_keys:1
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is allowed
debug3: mm_request_send: entering, type 23
debug3: send packet: type 60 [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-256 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 19.018ms, delaying 1.849ms (requested 5.217ms) [preauth]
Postponed publickey for user1 from 10.7.141.243 port 44750 ssh2 [preauth]

Thanks a lot for your kind assistance!

AndreyS
  • 218
  • 1
  • 5
  • 12
  • 1
    Consider using `ssh-agent` and loading your key into memory if this is supposed to work interactively – Panki Nov 26 '21 at 12:25
  • @AndreyDonald, it literally says that in the linked question: "the prompt is different". You can see that in the output you included in the question here: "searching for password prompt using match "assword"" and "read: Enter passphrase for key '/home/user1/.ssh/id_rsa':". – ilkkachu Nov 26 '21 at 12:26
  • @ilkkachu thank you . Is this "assword" reffering to the user `password` or to something else? I don't know what they are reffering to? So it was reading my passphrase (same as user password) in that `read` segment. So how it didn't pass through? – AndreyS Nov 26 '21 at 12:35
  • 4
    @AndreyDonald, `sshpass` sticks itself between the `ssh` client program, and the terminal where the user is connected. It reads everything the SSH client prints, and when it sees the string it's expecting, it inserts the password. And the string it's expecting is `assword`, generally enough to work with slight variation in the prompt (and without the P so it doesn't need to care if it's in uppercase or lowercase). But with key-based authentication, the prompt is different, and by default it doesn't recognize that prompt. – ilkkachu Nov 26 '21 at 12:42
  • @ilkkachu thanks! really appreciated explanation from such an expert – AndreyS Nov 26 '21 at 12:54
  • Could you explain why you're setting a passphrase and then using sshpass, instead of not setting any passphrase at all and using plain ssh? Do you think it's more "secure" that way? –  Nov 27 '21 at 03:53
  • @ilkkachu sorry if I may ask you one more thing? Did you face similar issue for OpenSSH server like me on this - https://stackoverflow.com/questions/70138147/openssh-bug-cant-ssh-when-running-sshd-as-a-service-can-when-sshd-is or you can suggest me where I could find a help for this since some people voted against my issue? Thanks a lot – AndreyS Nov 29 '21 at 09:15

1 Answers1

7

ssh prompts for and reads password (or passphrase) using the terminal (/dev/tty), not its stdin. This way you can pipe/redirect data to/from ssh and still be able to provide a password when asked. But to provide a password not via the terminal, one needs to present a "fake" terminal to ssh. This is what sshpass does.

When you sshpass … ssh …, sshpass runs ssh in a dedicated emulated terminal. This means ssh does not read directly from your terminal, sshpass does. And ssh does not print directly to your terminal, sshpass does. Eventually sshpass will act as a relay, so it will be as if ssh used your terminal. But before this happens, sshpass intercepts what ssh prints; it also injects the string you specify after -p, then ssh "sees" the string as coming from the terminal ssh is using (which is not your terminal). This way ssh can be fooled you typed the password, when it's sshpass who "typed".

By default sshpass waits for assword: (or assword1?) to appear as a part of the prompt for password. E.g. if you didn't use a key and you didn't use sshpass, ssh would print:

[email protected]'s password:

and it would wait for you to type your password. If you used sshpass to provide your password, then sshpass would intercept this message and "type" the password for you. By waiting for the right prompt sshpass knows when ssh expects a password, only then it passes your password.

In your case the prompt was different. ssh did not ask for the password, it asked for the passphrase using a different prompt. The prompt from ssh was exactly Enter passphrase for key '/home/user1/.ssh/id_rsa':, there was nothing matching assword:, so sshpass kept waiting for the default prompt that never came.

Use -P to override the default.

-P
Set the password prompt. Sshpass searched for this prompt in the program's output to the TTY as an indication when to send the password. By default sshpass looks for the string assword: (which matches both Password: and password:). If your client's prompt does not fall under either of these, you can override the default with this option.

(source: man 1 sshpass)

In your case it may be:

sshpass -P assphrase -p "pass" ssh [email protected]

Now if sshpass intercepts Enter passphrase … coming from the ssh, it will respond with whatever you specified after -p. Next it will sit as a relay between your terminal and the one ssh is using; it will become transparent.

In general sshpass can be used to provide a password (a string in general) to any tool that normally uses the terminal (as opposed to stdin+stdout+stderr) to prompt for and read the password. -P allows you to adjust the command to the prompt the tool uses.

1 The manual says assword:, but the output from your sshpass -v says using match "assword". One way or another you need -P to properly pass a passphrase.

Kamil Maciorowski
  • 19,242
  • 1
  • 50
  • 94
  • Kamil I am not an expert. are they referring to "password" with this word `assword`. Ok based on your explanation Password Prompt has been waited which never appear. Basically if I understood you correctly it waits for a "password prompt" as a new windows in Linux TTY, correct? So I basically need to state that my password is from the "passphrase" with `-P assphrase` argument. I hope I got it right, please confirm. I am only confused how is possible that this is not something which other people are also facing through the linux ssh script execution? Since most of the examples are without"-P" – AndreyS Nov 26 '21 at 12:47
  • @AndreyDonald Is the answer better now? – Kamil Maciorowski Nov 26 '21 at 13:35
  • sorry if I may ask you one more thing? Did you face similar issue for OpenSSH server like me on this - https://stackoverflow.com/questions/70138147/openssh-bug-cant-ssh-when-running-sshd-as-a-service-can-when-sshd-is or you can suggest me where I could find a help for this since some people voted against my issue? Thanks a lot – AndreyS Nov 29 '21 at 09:14
  • 1
    @AndreyDonald The linked question seems specific to Windows. I don't use Windows, unable to help. [Super User](https://superuser.com) is the place to ask. – Kamil Maciorowski Nov 29 '21 at 09:59
  • Thank you!!!!!! – AndreyS Nov 29 '21 at 10:11