159

I'm writing a C Shell program that will be doing su or sudo or ssh. They all want their passwords in console input (the TTY) rather than stdin or the command line.

Does anybody know a solution?

Setting up password-less sudo is not an option.

could be an option, but it's not present on my stripped-down system.

codeforester
  • 39,467
  • 16
  • 112
  • 140
n-alexander
  • 14,663
  • 12
  • 42
  • 43

22 Answers22

233

For sudo there is a -S option for accepting the password from standard input. Here is the man entry:

    -S          The -S (stdin) option causes sudo to read the password from
                the standard input instead of the terminal device.

This will allow you to run a command like:

echo myPassword | sudo -S ls /tmp

As for ssh, I have made many attempts to automate/script it's usage with no success. There doesn't seem to be any build-in way to pass the password into the command without prompting. As others have mentioned, the "expect" utility seems like it is aimed at addressing this dilemma but ultimately, setting up the correct private-key authorization is the correct way to go when attempting to automate this.

Jesse Webb
  • 43,135
  • 27
  • 106
  • 143
  • 2
    Luckily, Ruby has a built-in SSH client which allows you to specify the password. You could try ruby -e "require 'net/ssh' ; Net::SSH.start('example.com', 'test_user', :password => 'secret') do |ssh| puts 'Logged in successfully' ; while cmd=gets ; puts ssh.exec!(cmd) ; end end" – user1158559 Nov 16 '12 at 09:45
  • 18
    I hate to be a party pooper here, but doing this can make your password show up in a process list. I was trying to determine a better way and came across this article and was surprised no one had pointed it out. Great solution, but beware of the risks. – Matt Nov 03 '14 at 21:14
  • About ssh, have you tried passing password in connection string? like `nonroot:yourpassword@hostname.com`? Of course things are much easier if you use key auth and key manager. – klh Jan 04 '15 at 10:54
  • 16
    Avoid password showing up in process list or log files by putting it in a file and using cat; `'cat pw | sudo -S `, and later `rm pw`. – CAB Mar 24 '16 at 16:43
  • Another way would be to use netcat and deliver the password over a socket - `nc -l 12345 | sudo -S `. On the sending side; `echo myPassord | nc 12345`. This just moves the password handling problem, but presumably to a master console where you have more options. – CAB Mar 24 '16 at 17:00
  • This solution is working for Linux only, any suggestion to use same with Unix. – Abhishek Yadav Aug 03 '16 at 05:39
  • `ssh -t -t me@myserver.io << EOF` `echo SOMEPASSWORD | sudo -S do something` `sudo do something else` `exit` `EOF` – Ed Bishop Feb 17 '17 at 14:06
38

I wrote some Applescript which prompts for a password via a dialog box and then builds a custom bash command, like this:

echo <password> | sudo -S <command>

I'm not sure if this helps.

It'd be nice if sudo accepted a pre-encrypted password, so I could encrypt it within my script and not worry about echoing clear text passwords around. However this works for me and my situation.

mlambie
  • 7,467
  • 6
  • 34
  • 41
33

For ssh you can use sshpass: sshpass -p yourpassphrase ssh user@host.

You just need to download sshpass first :)

$ apt-get install sshpass
$ sshpass -p 'password' ssh username@server
belka
  • 1,480
  • 1
  • 18
  • 31
Edward
  • 339
  • 3
  • 2
17

For sudo you can do this too:

sudo -S <<< "password" command
Jahid
  • 21,542
  • 10
  • 90
  • 108
12

Maybe you can use an expect command?:

expect -c 'spawn ssh root@your-domain.com;expect password;send "your-password\n";interact

That command gives the password automatically.

the Tin Man
  • 158,662
  • 42
  • 215
  • 303
adhown
  • 421
  • 3
  • 8
  • 17
  • Looks nice, but how can I enable the expect command on a maschine without root permissions ? – Radon8472 Jul 11 '18 at 13:43
  • 1
    @Radon8472 An executable may be added to ~/bin if you don't have permissions to install it. If your system does not automatically add ~/bin to your PATH, you may do so manually with export PATH="$PATH:~/bin" or add that command to your profile to do it automatically. If you don't want to change your PATH, you may instead execute the command using its absolute path: ~/bin/expect [arguments] Be sure to remember to set its executable bit: chmod +x ~/bin/expect – StarCrashr Sep 27 '18 at 11:43
  • Very helpful. It can be combined with retrieving password from safe source (rather than typing it literally) using [this answer](https://stackoverflow.com/a/36700483). The final result in my case was `MY_PASSWORD=$(some_pipeline_retrieving_password) && expect -c "spawn su - my_user;expect \"Password:\";send \"$MY_PASSWORD\n\";interact"` (note the combination of single quotes of `expect -c` command and double quotes inside didn't work for me). – Tomáš Záluský Mar 03 '23 at 12:13
12

I've got:

ssh user@host bash -c "echo mypass | sudo -S mycommand"

Works for me.

the Tin Man
  • 158,662
  • 42
  • 215
  • 303
David Dawson
  • 156
  • 1
  • 4
  • 2
    Didn't work for me. still ssh prompts for the password. – AKS Nov 21 '14 at 18:13
  • Excellent, finally something I can use! Thanks. I use this within a bash script that starts an ssh session and passes sudo commands to the client. My script has lines the resolve to: ssh -t username@hostname bash -c "sudo echo fartjuice" – James T Snell Jan 05 '15 at 17:38
11

The usual solution to this problem is setuiding a helper app that performs the task requiring superuser access: http://en.wikipedia.org/wiki/Setuid

Sudo is not meant to be used offline.

Later edit: SSH can be used with private-public key authentication. If the private key does not have a passphrase, ssh can be used without prompting for a password.

diciu
  • 29,133
  • 4
  • 51
  • 68
10

This can be done by setting up public/private keys on the target hosts you will be connecting to. The first step would be to generate an ssh key for the user running the script on the local host, by executing:

ssh-keygen
Enter file in which to save the key (/home/myuser/.ssh/id_rsa): <Hit enter for default>
Overwrite (y/n)? y

Then enter a blank password. After that, copy your ssh key onto the target host which you will be connecting to.

ssh-copy-id <remote_user>@<other_host>
remote_user@other_host's password: <Enter remote user's password here>

After registering the ssh keys, you would be able to perform a silent ssh remote_user@other_host from you local host.

Byob
  • 452
  • 6
  • 11
8

Take a look at expect linux utility.

It allows you to send output to stdio based on simple pattern matching on stdin.

the Tin Man
  • 158,662
  • 42
  • 215
  • 303
Marko
  • 30,263
  • 18
  • 74
  • 108
8

When there's no better choice (as suggested by others), then man socat can help:

   (sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
   socat - EXEC:'ssh -l user server',pty,setsid,ctty

          EXEC’utes an ssh session to server. Uses a pty for communication
          between socat and ssh, makes it ssh’s  controlling  tty  (ctty),
          and makes this pty the owner of a new process group (setsid), so
          ssh accepts the password from socat.

All of the pty,setsid,ctty complexity is necessary and, while you might not need to sleep as long, you will need to sleep. The echo=0 option is worth a look too, as is passing the remote command on ssh's command line.

Martin Dorey
  • 2,944
  • 2
  • 24
  • 16
2
echo <password> | su -c <command> <user>

This is working.

DevOz
  • 77
  • 1
  • 1
    This is the only one works for me in Fedora. People downvote answers just because they don't work in their situation? – Hangchen Yu Mar 05 '17 at 00:17
  • 3
    "su: must be run from a terminal" (RPi1B, Raspbian) – notme1560 Apr 12 '17 at 00:04
  • 1
    Unfortunately this doesn't in recent versions of `su`, which reads password from _stdio_ instead. – moutonjr Oct 07 '19 at 08:00
  • More than 12 years later, unfortunately, that trick doesn't work any more, at least on the Suse I'm using now. – Pierre Feb 09 '23 at 10:58
  • I have tested this on Ubuntu 20.04 and Arch Linux (so, very latest software) and OpenSuse Leap just now in Docker and it worked great on all. @Pierre could you please clarify what you mean by "doesn't work"? And which version are you using? Can you post your `su --version` if it really doesn't work? – phil294 Jul 18 '23 at 06:38
  • At the moment, I don't have access to the machine where I had this problem, so I can't tell you which `su` version is used, unfortunately. However, the distro is a Suse SLES 12; maybe there is some kind of hardening to avoid this behaviour (Suse is kind of weird...)? Nonetheless, using `expect` worked like a charm. – Pierre Aug 10 '23 at 10:39
2
ssh -t -t me@myserver.io << EOF
echo SOMEPASSWORD | sudo -S do something
sudo do something else
exit
EOF
Charles Duffy
  • 280,126
  • 43
  • 390
  • 441
Ed Bishop
  • 770
  • 8
  • 19
  • If you can login as user with ssh key, for sudo access is fine: ssh -t user@host "echo mypassword | sudo -S sudocommand" – Jack Apr 07 '18 at 07:33
1

Set SSH up for Public Key Authentication, with no pasphrase on the Key. Loads of guides on the net. You won't need a password to login then. You can then limit connections for a key based on client hostname. Provides reasonable security and is great for automated logins.

1

a better sshpass alternative is: passh https://github.com/clarkwang/passh

Login to a remote server

 $ passh -p password ssh user@host

Run a command on remote server

 $ passh -p password ssh user@host date

other methods to pass the password

-p The password (Default: `password')

-p env: Read password from env var

-p file: Read password from file

here I explained why it is better than sshpass, and other solutions.

Community
  • 1
  • 1
Badr Elmers
  • 1,487
  • 14
  • 20
1

You can also pass various parameters as follows:

echo password | echo y | sudo -S pacman -Syu

(Although that's a bad idea, it's just an example)

nivalderramas
  • 79
  • 9
0

I had the same problem. dialog script to create directory on remote pc. dialog with ssh is easy. I use sshpass (previously installed).

   dialog --inputbox "Enter IP" 8 78 2> /tmp/ip

   IP=$(cat /tmp/ip)


   dialog --inputbox "Please enter username" 8 78 2> /tmp/user

   US=$(cat /tmp/user)


   dialog --passwordbox "enter password for \"$US\" 8 78 2> /tmp/pass

   PASSWORD = $(cat /tmp/pass)


   sshpass -p "$PASSWORD" ssh $US@$IP mkdir -p /home/$US/TARGET-FOLDER


   rm /tmp/ip

   rm /tmp/user

   rm /tmp/pass

greetings from germany

titus

Jahid
  • 21,542
  • 10
  • 90
  • 108
titus
  • 1
  • 1
0

Building on @Jahid's answer, this worked for me on macOS 10.13:

ssh <remote_username>@<remote_server> sudo -S <<< <remote_password> cat /etc/sudoers
JS.
  • 14,781
  • 13
  • 63
  • 75
0

I once had a use case where I needed to run Sudo and ssh in the same command without stdin specifying all the variables needed.

This is the command I used

echo sudopassword | sudo -S -u username sshpass -p  extsshpassword ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no  username@ipaddress " CMD on external machine"

Breaking that command into pieces!

This will allow you to run commands through your machine using Superuser:

echo password | sudo -S -u username

This will allow you to pass ssh password and execute commands on external machines:

sshpass -p  sshpassword  ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no  username@ipaddress " CMD on external machine"

make sure you install the sudo and openssh packages on your machine.

Affes Salem
  • 1,303
  • 10
  • 26
-1

One way would be to use read -s option .. this way the password characters are not echoed back to the screen. I wrote a small script for some use cases and you can see it in my blog: http://www.datauniv.com/blogs/2013/02/21/a-quick-little-expect-script/

Avi
  • 1
-1

USE:

echo password | sudo command

Example: 

echo password | sudo apt-get update; whoami

Hope It Helps..

Sarat Chandra
  • 5,636
  • 34
  • 30
-3

You can provide password as parameter to expect script.

Marko
  • 30,263
  • 18
  • 74
  • 108
-12
su -c "Command" < "Password"

Hope it is helpful.

the Tin Man
  • 158,662
  • 42
  • 215
  • 303
Shankar
  • 1
  • 1