How To Hide Your Shell Passwords with sshpass on Linux
Shell scripts are an integral part of Linux, but they often need passwords that shouldn't be hard-coded for security reasons. sshpass is a non-interactive tool created specifically for password automation in shell scripts. Here's how to install and use sshpass on Ubuntu-based and Fedora-based distributions to supply a password to your Bash script.
How Can I Install sshpass?
You'll need to run a Linux distribution to use sshpass. I will demonstrate using Ubuntu Server 22.04, but the app is also available for Fedora distributions. You'll need to have a user who has sudo permissions.
Open a terminal and enter the following command to install sshpass in Ubuntu:
This command is for Fedora-based distributions:
This is the end of the installation. Pretty simple, wasn't it?
How Can I Use sshpass?
We will stick to our backup script. We must first create an encrypted password file. Create the file using the command:
You can name the file however you want, but I suggest hiding it by adding a period to the beginning.
Add the password of the shell script account to that file and save it using the Ctrl+X keyboard shortcut.
Use the following to encrypt your file:
gpg -c ~/.password
You will be asked to enter and confirm a password.
This command creates a file named .password.gpg, which contains the encrypted password. The original ~/.password file can be deleted.
How Do I Create the Shell Script?
We're going to stick with our simple backup script. To demonstrate sshpass, I will first show you how it works. An rsync backup command that requires authentication looks like this:
sshpass -p "PASSWORD" rsync -av /backup USER@SERVER:/home/USER/backup
Here PASSWORD is the remote user's password, USER is the remote username, and SERVER is the IP address of the remote server. sshpass passes the password on to the rsync command, and everything should work as expected.
You don't want that password hard-coded, do you? You can avoid this by being creative in your script. Here's how it might look:
gpg -d -q ~/.password.gpg | sshpass rsync -av /backup USER@SERVER:/home/USER/backup
The SERVER parameter is the IP address or domain name of the remote server.
We've decrypted .password.gpg and sent the output to sshpass, which reads the password from standard input and supplies it when rsync connects to the remote server to run the backup.
It is a little tricky, but it's effective!
Our Final Thoughts on sshpass and Its Security Implications for Linux Users
Using sshpass will add an extra layer of security and allow you to automate password-dependent scripts without hard-coding passwords, but it also raises concerns. For instance, what happens if an attacker gains access to the machine and obtains the script? They would also have access to the encrypted password file, potentially compromising the security of the system. This highlights the importance of implementing additional security measures, such as proper file permissions and encryption protocols.
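The decrypt-and-pipe line from the script section, combined with the file-permission point above, as an added example (not code from the original article): it refuses to use the encrypted file unless it is a regular file owned by the current user with no group or other access, and it stops if gpg fails instead of sending an empty password. PASSFILE, REMOTE and SRC are placeholder variables, and the example assumes gpg can obtain the passphrase without prompting (for example from a running gpg-agent).

```shell
#!/bin/sh
# Added example: guarded version of the article's gpg | sshpass rsync line.
# PASSFILE, REMOTE and SRC are placeholders; set them for your environment.
PASSFILE="${PASSFILE:-$HOME/.password.gpg}"
REMOTE="${REMOTE:-USER@SERVER}"
SRC="${SRC:-/backup}"

# Return 0 only if the encrypted password file is a regular file (not a
# symlink), owned by the invoking user, with no group/other permission bits.
check_secret_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing: $f is missing or not a regular file" >&2; return 1
    fi
    if [ ! -O "$f" ]; then
        echo "refusing: $f is not owned by the current user" >&2; return 1
    fi
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group+other bits.
    go_bits=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "refusing: $f is accessible to group/other; run chmod 600" >&2
        return 1
    fi
    return 0
}

# Decrypt first and stop if gpg fails, so an empty password is never sent.
# The password reaches sshpass on stdin (its default source when no option
# is given), so it does not appear in the process list as it would with -p.
run_backup() {
    check_secret_file "$PASSFILE" || return 1
    pw=$(gpg -d -q "$PASSFILE") || { echo "gpg decryption failed" >&2; return 1; }
    [ -n "$pw" ] || { echo "decrypted password is empty" >&2; return 1; }
    printf '%s\n' "$pw" | sshpass rsync -av "$SRC" "$REMOTE:/home/USER/backup"
    rc=$?
    unset pw
    return "$rc"
}

# Runs the backup only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then run_backup; fi
```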