scp with sshpass

Hi!

I'm trying to copy a set of files from server1 to server2. I'm doing this from server3. Using the sshpass functionality, can I accomplish this?

This is what I have so far, but this doesn't work:

user@server3#~ sshpass -p 'password' scp user1@server1:/path/from/* user1@server2:/path/to/

Obviously, the 'password' is the same for user1@server1 and user1@server2.

Thanks for your help in advance!

You can:

  • use the ssh cat twice to copy files through your host, or
  • go to one end with sshpass ssh and sshpass scp that end locally, so you can embed two sshpass commands, each for one host, or
  • you can man up and get the PPK no-password access working, stop exposing passwords and failing security audits.
1 Like

You do realize that your password is visible to the entire system when you do this, yes?

ssh makes it a pain to pass around password because doing so is a really bad idea.

I have a regular copy I do between servers. So I just set up a public/private key pair to do the job. On one computer, I did:

ssh-keygen -t rsa

Then I copied the public key to the other computer:

ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser@remote_host

Now when I ssh from the local computer on a specific user account to the remote computer with a specific user account, it no longer prompts for a password for ssh.

Then I can just do stuff like this:

scp remoteuser@remote_host:/home/remoteuser/somesortof.log /home/localuser/somesortof.log

In this command line, I'm copying from the second computer to the first computer (where I created the pub/pvt key pair).

The nice thing here is no 3rd computer needed. And no passwords being passed or exposed.

Sorry for the late reply!

Corona688: No, I don't type the password in the script, rather I request the user to type the password, read it as a variable and use that in the sshpass -p "$pwd"

DGPickett: I don't understand this, can you show an example?

//use the ssh cat twice to copy files through your host, or//

nbsparks: Thanks, I know about ssh-keygen, there are just too many servers for which I can't just go and do this!

...and it is visible to the entire system when you do so.

Why not just let ssh ask for its own password?

Sorry if this is a stupid question, I'm a novice at this, but how is that visible to the entire system? I'm getting the password one time during the execution of the script. Here's a bit from my script:

read -s -p "Enter user1's server password: " pwd
sshpass -p "$pwd" ssh user1@server1 somecmd
sshpass -p "$pwd" ssh user1@server2 somecmd

The reason why I'm asking the user to enter the password is because I have multiple lines where I have to log in to different servers (with the same user, of course), so I don't want the user to enter the password multiple times.

Do you think reading the password using the above way will still be visible to the entire system?

You can view the commandline arguments of running things via ps aux

The safest way to pass a password into something is a terminal, which is why traditional ssh insists upon it.

Some sort of stream would be better than a commandline arg. Can sshpass read a password from stdin?

1 Like
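To make the "visible via ps aux" point concrete, here is an added script that is not from any post in this thread. It starts a harmless child process that carries a constructed token in its argument list, the way sshpass -p would carry a password, and checks whether another shell on the same machine can read that token back from the process table; it then repeats the check with the token sent over a pipe instead. The token, the argv-demo name and the PS_DEMO variable are constructed for the example; no sshpass or ssh is needed to run it.

```shell
#!/bin/sh
# Added example (not from the thread): why "sshpass -p PASSWORD" leaks.
# Every local user can read the argument vector of any running process,
# via /proc/PID/cmdline on Linux or "ps -o args=" elsewhere.

# cmdline_of PID: print the argument vector of PID as a single line.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"          # portable fallback (macOS, BSD)
    fi
}

# token_visible PID TOKEN: succeed if TOKEN appears in PID's arguments.
token_visible() {
    cmdline_of "$1" | grep -q -- "$2"
}

# argv_exposes TOKEN: run a short-lived shell with TOKEN as an argument
# (the sshpass -p shape) and report whether it shows up in the process
# table. Returns 0 if the token is readable.
argv_exposes() {
    sh -c 'sleep 2; :' argv-demo "$1" &   # two commands, so sh does not exec sleep
    pid=$!
    sleep 1                               # give the child time to start
    token_visible "$pid" "$1"; found=$?
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return "$found"
}

# stdin_exposes TOKEN: same check, but the token travels over a pipe.
# Returns 0 only if it still appears in the process table (it should not).
stdin_exposes() {
    printf '%s\n' "$1" | sh -c 'read -r x; sleep 2' argv-demo &
    pid=$!                                # PID of the sh at the end of the pipeline
    sleep 1
    token_visible "$pid" "$1"; found=$?
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return "$found"
}

# Demo runner, enabled with PS_DEMO=1 so the functions can also be sourced.
if [ "${PS_DEMO:-0}" = 1 ]; then
    t=constructed-token-zq19              # constructed stand-in, not a credential
    argv_exposes "$t"  && echo "argv:  token readable from the process table"
    stdin_exposes "$t" || echo "stdin: token not in the process table"
fi
```

The same cmdline_of check is a cheap audit: run it over the PIDs of your own scheduled jobs and look for anything that resembles a credential, since whatever you find there is readable by every other account on the box.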

Oh! I didn't know about that! So, if my script runs for say 1 minute, will the password be visible for that one minute in

ps aux

or for the entire session? (Sorry again, if this is a stupid question!)

I'll try to avoid sshpass from now, but I'm not sure if sshpass can read a password from stdin.

Try it and see?

It's possible that sshpass makes some effort to conceal the password once it's passed. It could exec() again with different parameters and blank it. But even so, there'd be an unavoidable eyeblink when the password was exposed. Anyone could extract the password with obsessive logging.

These weaknesses are well-known, so sshpass has many safer options fortunately. sshpass can read a file, according to its manpage, so you could do this:

OLDMASK=$(umask)
umask 077 # Force rw------- permissions on /tmp/$$
exec 5>/tmp/$$ #Create temp file /tmp/$$ and write with FD 5
exec 6</tmp/$$ # Read from temp file /tmp/$$ with FD 6
rm /tmp/$$ # DELETE tempfile /tmp/$$ so nothing else can get it
umask $OLDMASK # Restore umask

cat <<EOF >&5 # Finish writing to /tmp/$$
$PASSWORD
EOF

exec 5>&- # Close FD 5

sshpass -d6 ...

exec 6<&- # Close FD 6

Which should protect the password much better. The temp file won't even be listed in /tmp/ while sshpass is running.

1 Like
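Putting the thread's pieces together, this is an added script, not code from any post, that answers the original server1-to-server2 question with DGPickett's "copy through your host" option and the unlinked temp file above. It asks for the shared password once, stages it in a temp file that is opened twice and then deleted, and streams a tar archive from server1 through the local machine to server2 with one sshpass -d per hop. It assumes sshpass with the -d option (as used above), tar on both servers, and a POSIX shell; user1@server1, user1@server2, the paths, and the RELAY_RUN variable are placeholders. The two separate opens matter: each sshpass consumes one line from its fd, and both sides of a pipeline inherit the same fds with a shared file offset, so two readers on a single fd would race for the one line.

```shell
#!/bin/sh
# Added example (not from the thread): relay a directory from one server to
# another through this host, asking for the shared password once and never
# putting it on a command line.

# ask_password VARNAME PROMPT: read a line with terminal echo off.
ask_password() {
    printf '%s' "$2" >&2
    stty -echo
    IFS= read -r "$1"
    stty echo
    echo >&2
}

# stage_secret SECRET: write SECRET to a 0600 temp file, open it twice
# (fds 6 and 7, each with its own file offset), then unlink it so it no
# longer appears in the filesystem while the copy runs.
stage_secret() {
    local tmp
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    printf '%s\n' "$1" > "$tmp"
    exec 6<"$tmp" 7<"$tmp"
    rm -f "$tmp"
}

# read_fd N: consume one line from fd N, which is what sshpass -dN does.
read_fd() {
    local line
    IFS= read -r line <&"$1"
    printf '%s' "$line"
}

# close_secret: drop both fds so no later command can inherit them.
close_secret() {
    exec 6<&- 7<&-
}

# relay_copy SRC_HOST SRC_DIR DST_HOST DST_DIR: stream a tar of SRC_DIR from
# SRC_HOST through this host into DST_DIR on DST_HOST. Each hop reads its
# own fd; the password never appears in either argument vector.
relay_copy() {
    sshpass -d6 ssh "$1" tar -C "$2" -cf - . |
        sshpass -d7 ssh "$3" tar -C "$4" -xf -
}

main() {
    local secret
    ask_password secret "Password for user1 on both servers: "
    stage_secret "$secret" || exit 1
    unset secret                          # keep the value only in the unlinked file
    relay_copy user1@server1 /path/from user1@server2 /path/to
    close_secret
}

# Run with RELAY_RUN=1; otherwise only the functions are defined.
if [ "${RELAY_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

If you add a third hop, open the temp file a third time in stage_secret and give that sshpass its own fd number; reusing fd 6 would hand the second reader an already-consumed descriptor.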

I'll try this first thing tomorrow! Thanks for your help and I learned a lot!