Cache the password if SSH-keys are forbidden
Clash Royale CLAN TAG#URR8PPP
up vote
12
down vote
favorite
I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.
Now; I cannot change their minds (I tried).
Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?
ssh git
add a comment |Â
up vote
12
down vote
favorite
I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.
Now; I cannot change their minds (I tried).
Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?
ssh git
9
the computing centerÃÂ explicitly forbidsÃÂ SSH-keys because they are "insecure"
- my opinion on the matter? Find a new server host, because yours is obviously inept.
â Matt Clark
3 hours ago
3
@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
â grawity
2 hours ago
3
They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
â Joshua
2 hours ago
add a comment |Â
up vote
12
down vote
favorite
up vote
12
down vote
favorite
I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.
Now; I cannot change their minds (I tried).
Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?
ssh git
I have a server which I have to access frequently via ssh, because I compute on it.
Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.
Now; I cannot change their minds (I tried).
Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?
ssh git
ssh git
edited 21 mins ago
Braiam
4,00631850
4,00631850
asked 6 hours ago
user2667180
736
736
9
the computing centerÃÂ explicitly forbidsÃÂ SSH-keys because they are "insecure"
- my opinion on the matter? Find a new server host, because yours is obviously inept.
â Matt Clark
3 hours ago
3
@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
â grawity
2 hours ago
3
They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
â Joshua
2 hours ago
add a comment |Â
9
the computing centerÃÂ explicitly forbidsÃÂ SSH-keys because they are "insecure"
- my opinion on the matter? Find a new server host, because yours is obviously inept.
â Matt Clark
3 hours ago
3
@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
â grawity
2 hours ago
3
They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
â Joshua
2 hours ago
9
9
the computing centerÃÂ explicitly forbidsÃÂ SSH-keys because they are "insecure"
- my opinion on the matter? Find a new server host, because yours is obviously inept.â Matt Clark
3 hours ago
the computing centerÃÂ explicitly forbidsÃÂ SSH-keys because they are "insecure"
- my opinion on the matter? Find a new server host, because yours is obviously inept.â Matt Clark
3 hours ago
3
3
@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
â grawity
2 hours ago
@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
â grawity
2 hours ago
3
3
They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
â Joshua
2 hours ago
They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
â Joshua
2 hours ago
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
21
down vote
accepted
Connection reuse
SSHv2 allows the same authenticated connection to establish multiple 'channels' â interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere â it's caching the whole connection.)
With OpenSSH you have ControlMaster
and ControlPath
options (-M and -S) to make use of this:
Start a 'master' SSH connection using
-M
. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using-S
. It needs to live long, so I add the-fN
options to drop to background; they're technically optional otherwise.)$ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
foo@bar.example.com's password:You're back to the local shell.
Start a new connection through the master:
$ ssh foo@bar.example.com -S ~/.ssh/bar.socket
You're in.
To make this useful for Git/rsync/SFTP, you need to set up
ControlPath
in your configuration, because you won't be able to specify-S
all the time:Host *
ControlPath ~/.ssh/S.%r@%h:%p
You can automate this â recent OpenSSH versions also have ControlPersist
which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.
Configuration in
~/.ssh/config
:Host *
ControlPath ~/.ssh/S.%r@%h:%p
ControlMaster auto
ControlPersist 15mFirst connection asks for password:
$ ssh foo@bar.example.com
foo@bar.example.com's password:
[foo@bar:~]$ exitThe second doesn't:
$ ssh foo@bar.example.com
[foo@bar:~]$ yay
To control the multiplex master (stop it or configure TCP forwardings), use the -O
option.
A similar method is supported by recent PuTTY versions.
thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
â user2667180
6 hours ago
add a comment |Â
up vote
4
down vote
Use sshpass
sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:
sshpass -p 'correct horse battery staple' ssh foo@host
However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:
echo 'correct horse battery staple' > ~/.ssh/compute_password
chmod go-rw ~/.ssh/compute_password
sshpass -f ~/.ssh/compute_password ssh foo@host
This will read the password from ~/.ssh/compute_password
, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config
.
This approach is of course less secure than properly set up public key authentication, but you probably know that already.
It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent
). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
21
down vote
accepted
Connection reuse
SSHv2 allows the same authenticated connection to establish multiple 'channels' â interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere â it's caching the whole connection.)
With OpenSSH you have ControlMaster
and ControlPath
options (-M and -S) to make use of this:
Start a 'master' SSH connection using
-M
. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using-S
. It needs to live long, so I add the-fN
options to drop to background; they're technically optional otherwise.)$ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
foo@bar.example.com's password:You're back to the local shell.
Start a new connection through the master:
$ ssh foo@bar.example.com -S ~/.ssh/bar.socket
You're in.
To make this useful for Git/rsync/SFTP, you need to set up
ControlPath
in your configuration, because you won't be able to specify-S
all the time:Host *
ControlPath ~/.ssh/S.%r@%h:%p
You can automate this â recent OpenSSH versions also have ControlPersist
which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.
Configuration in
~/.ssh/config
:Host *
ControlPath ~/.ssh/S.%r@%h:%p
ControlMaster auto
ControlPersist 15mFirst connection asks for password:
$ ssh foo@bar.example.com
foo@bar.example.com's password:
[foo@bar:~]$ exitThe second doesn't:
$ ssh foo@bar.example.com
[foo@bar:~]$ yay
To control the multiplex master (stop it or configure TCP forwardings), use the -O
option.
A similar method is supported by recent PuTTY versions.
thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
â user2667180
6 hours ago
add a comment |Â
up vote
21
down vote
accepted
Connection reuse
SSHv2 allows the same authenticated connection to establish multiple 'channels' â interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere â it's caching the whole connection.)
With OpenSSH you have ControlMaster
and ControlPath
options (-M and -S) to make use of this:
Start a 'master' SSH connection using
-M
. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using-S
. It needs to live long, so I add the-fN
options to drop to background; they're technically optional otherwise.)$ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
foo@bar.example.com's password:You're back to the local shell.
Start a new connection through the master:
$ ssh foo@bar.example.com -S ~/.ssh/bar.socket
You're in.
To make this useful for Git/rsync/SFTP, you need to set up
ControlPath
in your configuration, because you won't be able to specify-S
all the time:Host *
ControlPath ~/.ssh/S.%r@%h:%p
You can automate this â recent OpenSSH versions also have ControlPersist
which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.
Configuration in
~/.ssh/config
:Host *
ControlPath ~/.ssh/S.%r@%h:%p
ControlMaster auto
ControlPersist 15mFirst connection asks for password:
$ ssh foo@bar.example.com
foo@bar.example.com's password:
[foo@bar:~]$ exitThe second doesn't:
$ ssh foo@bar.example.com
[foo@bar:~]$ yay
To control the multiplex master (stop it or configure TCP forwardings), use the -O
option.
A similar method is supported by recent PuTTY versions.
thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
â user2667180
6 hours ago
add a comment |Â
up vote
21
down vote
accepted
up vote
21
down vote
accepted
Connection reuse
SSHv2 allows the same authenticated connection to establish multiple 'channels' â interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere â it's caching the whole connection.)
With OpenSSH you have ControlMaster
and ControlPath
options (-M and -S) to make use of this:
Start a 'master' SSH connection using
-M
. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using-S
. It needs to live long, so I add the-fN
options to drop to background; they're technically optional otherwise.)$ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
foo@bar.example.com's password:You're back to the local shell.
Start a new connection through the master:
$ ssh foo@bar.example.com -S ~/.ssh/bar.socket
You're in.
To make this useful for Git/rsync/SFTP, you need to set up
ControlPath
in your configuration, because you won't be able to specify-S
all the time:Host *
ControlPath ~/.ssh/S.%r@%h:%p
You can automate this â recent OpenSSH versions also have ControlPersist
which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.
Configuration in
~/.ssh/config
:Host *
ControlPath ~/.ssh/S.%r@%h:%p
ControlMaster auto
ControlPersist 15mFirst connection asks for password:
$ ssh foo@bar.example.com
foo@bar.example.com's password:
[foo@bar:~]$ exitThe second doesn't:
$ ssh foo@bar.example.com
[foo@bar:~]$ yay
To control the multiplex master (stop it or configure TCP forwardings), use the -O
option.
A similar method is supported by recent PuTTY versions.
Connection reuse
SSHv2 allows the same authenticated connection to establish multiple 'channels' â interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere â it's caching the whole connection.)
With OpenSSH you have ControlMaster
and ControlPath
options (-M and -S) to make use of this:
Start a 'master' SSH connection using
-M
. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using-S
. It needs to live long, so I add the-fN
options to drop to background; they're technically optional otherwise.)$ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
foo@bar.example.com's password:You're back to the local shell.
Start a new connection through the master:
$ ssh foo@bar.example.com -S ~/.ssh/bar.socket
You're in.
To make this useful for Git/rsync/SFTP, you need to set up
ControlPath
in your configuration, because you won't be able to specify-S
all the time:Host *
ControlPath ~/.ssh/S.%r@%h:%p
You can automate this â recent OpenSSH versions also have ControlPersist
which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.
Configuration in
~/.ssh/config
:Host *
ControlPath ~/.ssh/S.%r@%h:%p
ControlMaster auto
ControlPersist 15mFirst connection asks for password:
$ ssh foo@bar.example.com
foo@bar.example.com's password:
[foo@bar:~]$ exitThe second doesn't:
$ ssh foo@bar.example.com
[foo@bar:~]$ yay
To control the multiplex master (stop it or configure TCP forwardings), use the -O
option.
A similar method is supported by recent PuTTY versions.
edited 6 hours ago
answered 6 hours ago
grawity
219k32447513
219k32447513
thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
â user2667180
6 hours ago
add a comment |Â
thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
â user2667180
6 hours ago
thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
â user2667180
6 hours ago
thank you very much for this nice answer. google was not useful on this problem, as it always turned to ssh-keys and I did not know the right keywords. helped me a lot!
â user2667180
6 hours ago
add a comment |Â
up vote
4
down vote
Use sshpass
sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:
sshpass -p 'correct horse battery staple' ssh foo@host
However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:
echo 'correct horse battery staple' > ~/.ssh/compute_password
chmod go-rw ~/.ssh/compute_password
sshpass -f ~/.ssh/compute_password ssh foo@host
This will read the password from ~/.ssh/compute_password
, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config
.
This approach is of course less secure than properly set up public key authentication, but you probably know that already.
It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent
). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.
add a comment |Â
up vote
4
down vote
Use sshpass
sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:
sshpass -p 'correct horse battery staple' ssh foo@host
However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:
echo 'correct horse battery staple' > ~/.ssh/compute_password
chmod go-rw ~/.ssh/compute_password
sshpass -f ~/.ssh/compute_password ssh foo@host
This will read the password from ~/.ssh/compute_password
, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config
.
This approach is of course less secure than properly set up public key authentication, but you probably know that already.
It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent
). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.
add a comment |Â
up vote
4
down vote
up vote
4
down vote
Use sshpass
sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:
sshpass -p 'correct horse battery staple' ssh foo@host
However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:
echo 'correct horse battery staple' > ~/.ssh/compute_password
chmod go-rw ~/.ssh/compute_password
sshpass -f ~/.ssh/compute_password ssh foo@host
This will read the password from ~/.ssh/compute_password
, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config
.
This approach is of course less secure than properly set up public key authentication, but you probably know that already.
It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent
). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.
Use sshpass
sshpass (github, man page) is a tool that automatically feeds the password to ssh. You can invoke it like so:
sshpass -p 'correct horse battery staple' ssh foo@host
However, this will show the password to any user on the client system in a process listing. A better way is to store the password in a file:
echo 'correct horse battery staple' > ~/.ssh/compute_password
chmod go-rw ~/.ssh/compute_password
sshpass -f ~/.ssh/compute_password ssh foo@host
This will read the password from ~/.ssh/compute_password
, and not show it in the process listing. You could put the command in a small shell script or a shell alias to avoid typing that full command. Sadly, I haven't found a way to do this from ~/.ssh/config
.
This approach is of course less secure than properly set up public key authentication, but you probably know that already.
It is also less secure than @grawity's answer about connection re-use, but it has the advantage of not having to enter the password interactively at all. You could consider @grawity's answer an alternative to pubkey auth with a passphrase and single sign-on (i.e. ssh-agent
). Then my answer would be an alternative to pubkey auth without a passphrase on the private key file.
answered 2 hours ago
marcelm
1713
1713
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1362894%2fcache-the-password-if-ssh-keys-are-forbidden%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
9
the computing centerÃÂ explicitly forbidsÃÂ SSH-keys because they are "insecure"
- my opinion on the matter? Find a new server host, because yours is obviously inept.â Matt Clark
3 hours ago
3
@Matt: "computing center" sounds more like an academic grid system, which doesn't have nearly as much competition I guess
â grawity
2 hours ago
3
They are wrong. They have probably been forgetting to disable ssh keys when they expire accounts, so they decided that ssh keys are the problem.
â Joshua
2 hours ago