tazinblack Veteran
Joined: 23 Jan 2005 Posts: 1146 Location: Baden / Germany
Posted: Tue Jun 26, 2018 8:38 am
Post subject: sshpass with anonymous pipes
Hello everyone,
I have various devices on my network here that I can log in to via SSH, but that don't support pubkey auth.
I would like to back up the configuration of these devices regularly and automatically, which can be done from the device itself via either FTP or TFTP.
I want to use sshpass for this.
The man page says:
Code:
Options
    If no option is given, sshpass reads the password from the standard input. The user may give at most one
    alternative source for the password:

    -ppassword
        The password is given on the command line. Please note the section titled "SECURITY CONSIDERATIONS".

    -ffilename
        The password is the first line of the file filename.

    -dnumber
        number is a file descriptor inherited by sshpass from the runner. The password is read from the open
        file descriptor.

    -e  The password is taken from the environment variable "SSHPASS".

SECURITY CONSIDERATIONS
    First and foremost, users of sshpass should realize that ssh's insistance on only getting the password inter‐
    actively is not without reason. It is close to impossible to securely store the password, and users of sshpass
    should consider whether ssh's public key authentication provides the same end-user experience, while involving
    less hassle and being more secure.

    The -p option should be considered the least secure of all of sshpass's options. All system users can see the
    password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password,
    but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass
    are encouraged to use one of the other password passing techniques, which are all more secure.

    In particular, people writing programs that are meant to communicate the password programatically are encour‐
    aged to use an anonymous pipe and pass the pipe's reading end to sshpass using the -d option.
To use the most secure variant possible, I would like to use the -d option. But I'm a bit stumped as to how that is supposed to work.
Unfortunately, I can't find a suitable example anywhere.
Maybe there is a pro here who can help.
_________________
Regards
tazinblack
_______________________________________________________
what's the point in being grown up if you can't be childish sometimes
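One way to do what the quoted man page section describes, as an added example that is not part of the original post and not code from sshpass: POSIX shell functions that pass the password to `sshpass -d 3` over an anonymous pipe. The function names, the password file (expected to be mode 0600) and the target and remote command arguments are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names, the password
# file and the target/remote command are hypothetical placeholders.

# Print the first line of a password file, refusing files that group or
# others can read (the stored password is the weak point of this setup).
read_password_file() {
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "refusing $1: readable by group or others" >&2
        return 1
    fi
    _line=
    IFS= read -r _line < "$1" || [ -n "$_line" ] || return 1
    printf '%s' "$_line"
}

# Run "$@" with the read end of an anonymous pipe on fd 3 and stdin set to
# /dev/null. printf is a builtin in bash and dash, so the password is not
# placed in any argv (visible to ps), and _secret is never exported.
with_password_fd() {
    _secret=$1
    shift
    # 3<&0 duplicates the pipe onto fd 3 first, then stdin is detached.
    printf '%s\n' "$_secret" | "$@" 3<&0 </dev/null
}

# usage: backup_device user@host /path/to/pwfile remote-command...
backup_device() {
    _target=$1
    _pwfile=$2
    shift 2
    _pw=$(read_password_file "$_pwfile") || return 1
    with_password_fd "$_pw" sshpass -d 3 ssh "$_target" "$@"
}
```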