Cache the password if SSH-keys are forbidden

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
12
down vote

favorite
1












I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?










share|improve this question



















  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago














up vote
12
down vote

favorite
1












I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?










share|improve this question



















  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago












up vote
12
down vote

favorite
1









up vote
12
down vote

favorite
1






1





I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?










share|improve this question















I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.



Now; I cannot change their minds (I tried).



Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?







ssh git






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 21 mins ago









Braiam

4,00631850




4,00631850










asked 6 hours ago









user2667180

736




736







  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago












  • 9




    the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
    – Matt Clark
    3 hours ago







  • 3




    @Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
    – grawity
    2 hours ago






  • 3




    They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
    – Joshua
    2 hours ago







9




9




the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
– Matt Clark
3 hours ago





the computing center explicitly forbids SSH-keys because they are "insecure" - my opinion on the matter? Find a new server host, because yours is obviously inept.
– Matt Clark
3 hours ago





3




3




@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
– grawity
2 hours ago




@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
– grawity
2 hours ago




3




3




They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
– Joshua
2 hours ago




They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
– Joshua
2 hours ago










2 Answers
2






active

oldest

votes

















up vote
21
down vote



accepted










Connection reuse



SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




  1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



    $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
    foo@bar.example.com's password:


    You're back to the local shell.




  2. Start a new connection through the master:



    $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


    You're in.




  3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



    Host *
    ControlPath ~/.ssh/S.%r@%h:%p


You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




  1. Configuration in ~/.ssh/config:



    Host *
    ControlPath ~/.ssh/S.%r@%h:%p
    ControlMaster auto
    ControlPersist 15m



  2. First connection asks for password:



    $ ssh foo@bar.example.com
    foo@bar.example.com's password:
    [foo@bar:~]$ exit



  3. The second doesn't:



    $ ssh foo@bar.example.com
    [foo@bar:~]$ yay


To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



A similar method is supported by recent PuTTY versions.






share|improve this answer






















  • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
    – user2667180
    6 hours ago


















up vote
4
down vote













Use sshpass



sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



sshpass -p 'correct horse battery staple' ssh foo@host


However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



echo 'correct horse battery staple' > ~/.ssh/compute_password
chmod go-rw ~/.ssh/compute_password
sshpass -f ~/.ssh/compute_password ssh foo@host


This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



This approach is of course less secure than properly set up public key authentication, but you probably know that already.



It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






share|improve this answer




















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "3"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1362894%2fcache-the-password-if-ssh-keys-are-forbidden%23new-answer', 'question_page');

    );

    Post as a guest






























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    21
    down vote



    accepted










    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p
      ControlMaster auto
      ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.






    share|improve this answer






















    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago















    up vote
    21
    down vote



    accepted










    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p
      ControlMaster auto
      ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.






    share|improve this answer






















    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago













    up vote
    21
    down vote



    accepted







    up vote
    21
    down vote



    accepted






    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p
      ControlMaster auto
      ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.






    share|improve this answer














    Connection reuse



    SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)



    With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:




    1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)



      $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
      foo@bar.example.com's password:


      You're back to the local shell.




    2. Start a new connection through the master:



      $ ssh foo@bar.example.com -S ~/.ssh/bar.socket


      You're in.




    3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p


    You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.




    1. Configuration in ~/.ssh/config:



      Host *
      ControlPath ~/.ssh/S.%r@%h:%p
      ControlMaster auto
      ControlPersist 15m



    2. First connection asks for password:



      $ ssh foo@bar.example.com
      foo@bar.example.com's password:
      [foo@bar:~]$ exit



    3. The second doesn't:



      $ ssh foo@bar.example.com
      [foo@bar:~]$ yay


    To control the multiplex master (stop it or configure TCP forwardings), use the -O option.



    A similar method is supported by recent PuTTY versions.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 6 hours ago

























    answered 6 hours ago









    grawity

    219k32447513




    219k32447513











    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago

















    • thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
      – user2667180
      6 hours ago
















    thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
    – user2667180
    6 hours ago





    thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
    – user2667180
    6 hours ago













    up vote
    4
    down vote













    Use sshpass



    sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



    sshpass -p 'correct horse battery staple' ssh foo@host


    However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



    echo 'correct horse battery staple' > ~/.ssh/compute_password
    chmod go-rw ~/.ssh/compute_password
    sshpass -f ~/.ssh/compute_password ssh foo@host


    This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



    This approach is of course less secure than properly set up public key authentication, but you probably know that already.



    It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






    share|improve this answer
























      up vote
      4
      down vote













      Use sshpass



      sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



      sshpass -p 'correct horse battery staple' ssh foo@host


      However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



      echo 'correct horse battery staple' > ~/.ssh/compute_password
      chmod go-rw ~/.ssh/compute_password
      sshpass -f ~/.ssh/compute_password ssh foo@host


      This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



      This approach is of course less secure than properly set up public key authentication, but you probably know that already.



      It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






      share|improve this answer






















        up vote
        4
        down vote










        up vote
        4
        down vote









        Use sshpass



        sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



        sshpass -p 'correct horse battery staple' ssh foo@host


        However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



        echo 'correct horse battery staple' > ~/.ssh/compute_password
        chmod go-rw ~/.ssh/compute_password
        sshpass -f ~/.ssh/compute_password ssh foo@host


        This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



        This approach is of course less secure than properly set up public key authentication, but you probably know that already.



        It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.






        share|improve this answer












        Use sshpass



        sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:



        sshpass -p 'correct horse battery staple' ssh foo@host


        However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:



        echo 'correct horse battery staple' > ~/.ssh/compute_password
        chmod go-rw ~/.ssh/compute_password
        sshpass -f ~/.ssh/compute_password ssh foo@host


        This will read the password from ~/.ssh/compute_password, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config.



        This approach is of course less secure than properly set up public key authentication, but you probably know that already.



        It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 hours ago









        marcelm

        1713




        1713



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1362894%2fcache-the-password-if-ssh-keys-are-forbidden%23new-answer', 'question_page');

            );

            Post as a guest













































































            Comments

            Popular posts from this blog

            What does second last employer means? [closed]

            Installing NextGIS Connect into QGIS 3?

            One-line joke