How Can I Automate SSH Login?

SSH single sign-on is usually achieved with public key authentication and an authentication agent. You could easily add your test VM key to an existing auth agent (see example below). Other methods such as GSSAPI/Kerberos exist but are more complex to set up.

sshpass

In situations where a password is the only authentication method available, sshpass can be used to enter the password automatically. In all three options below, the password is visible or stored in plaintext at some point:

Anonymous pipe (recommended by sshpass)

# Create a pipe
PIPE=$(mktemp -u)
mkfifo -m 600 $PIPE
# Attach it to file descriptor 3
exec 3<>$PIPE
# Delete the directory entry
rm $PIPE
# Write your password in the pipe
 echo 'my_secret_password' >&3
# Connect with sshpass -d
sshpass -d3 ssh user@host

# Close the pipe when done
exec 3>&-

Setting this up is quite cumbersome in bash, and arguably easier from a programming language with proper pipe handling. Another process could open your FIFO or inherit the fd before the password is written; the window of opportunity is quite short, and limited to processes running as you or as root.
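The pipe recipe above wrapped in a reusable function, as an added example that is not part of the original page: the secret is written to an unlinked FIFO that the command inherits as file descriptor 3, which is exactly what sshpass -d3 expects. The function and helper names (run_with_secret_fd3, read_fd3) are my own; read_fd3 is a stand-in consumer so the script runs without sshpass or a remote host, and the secret value is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): run a command with a secret
# available only on file descriptor 3, via an anonymous (unlinked) FIFO.
# Real use:  run_with_secret_fd3 "$PASSWORD" sshpass -d3 ssh user@host

run_with_secret_fd3() {
    # $1 = secret, remaining arguments = command to run with fd 3 attached
    local secret dir rc
    secret=$1; shift
    # Private 0700 directory plus a 0600 FIFO narrows who could open the
    # pipe in the moment between mkfifo and the unlink below.
    dir=$(mktemp -d) || return 1
    mkfifo -m 600 "$dir/pipe" || { rm -rf "$dir"; return 1; }
    exec 3<>"$dir/pipe"        # O_RDWR: the write below cannot block
    rm -rf "$dir"              # unlink: only holders of fd 3 can reach it now
    printf '%s\n' "$secret" >&3
    "$@"                       # child inherits fd 3 and reads the secret
    rc=$?
    exec 3>&-                  # close the pipe when done
    return "$rc"
}

# Stand-in for sshpass -d3: read one line from fd 3 and echo it back.
read_fd3() {
    local line
    IFS= read -r line <&3 && printf '%s\n' "$line"
}

# Demonstration with a constructed secret (no sshpass needed):
run_with_secret_fd3 'constructed-secret' read_fd3
```

The exit status of the wrapped command is preserved, so the function can be used in scripts that check whether the ssh session succeeded.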

Environment variable

# Set your password in an environment variable
 export SSHPASS='my_secret_password'
# Connect with sshpass -e
sshpass -e ssh user@host

You and root can read your process's environment variables (i.e. your password) while sshpass is running (cat /proc/<pid>/environ | tr '\0' '\n' | grep ^SSHPASS=). The window of opportunity is much longer, but still limited to your own processes or root, not other users.
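The /proc check from the paragraph above turned into a small audit function, as an added example that is not from the original page: it lists the PIDs of every process whose environment carries a given variable, which is a quick way to confirm whether an SSHPASS-based job is currently exposing its password. The function name pids_with_env_var is my own; it assumes a Linux /proc filesystem, and processes whose environ you are not allowed to read (other users' processes) are skipped silently, matching what the page says about who can see the variable.

```shell
#!/bin/sh
# Added example (not from the original page): report processes whose
# environment contains a given variable, by reading /proc/<pid>/environ.
# Only processes you own (or all of them, as root) are readable.

pids_with_env_var() {
    # $1 = variable name (e.g. SSHPASS); prints matching PIDs, one per line
    local var e pid
    var=$1
    for e in /proc/[0-9]*/environ; do
        pid=${e#/proc/}
        pid=${pid%/environ}
        # stderr is silenced before the input redirect so that a
        # "Permission denied" on another user's process does not print
        if tr '\0' '\n' 2>/dev/null < "$e" | grep -q "^$var="; then
            printf '%s\n' "$pid"
        fi
    done
}

# Demonstration: start a throwaway process with a constructed SSHPASS
# value and show that it is visible to the scan.
demo() {
    SSHPASS='constructed-value' sleep 5 &
    pid=$!
    sleep 1                     # let the child exec so its environ is in place
    pids_with_env_var SSHPASS | grep -x "$pid" \
        && echo "pid $pid exposes SSHPASS in /proc/$pid/environ"
    kill "$pid" 2>/dev/null
}

[ -r /proc/self/environ ] && demo
```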

Command-line argument (least secure)

 sshpass -p my_secret_password ssh user@host

This is convenient but less secure as described in the man page. Command line arguments are visible to all users (e.g. ps -ef | grep sshpass). sshpass attempts to hide the argument, but there is still a window during which all users can see your password passed by argument.

Side note

Set your bash HISTCONTROL variable to ignorespace or ignoreboth and prefix your sensitive commands with a space. They won't be saved in history.


SSH public key authentication

# Generate a key pair
# Do NOT leave the passphrase empty
ssh-keygen
# Copy it to the remote host (added to .ssh/authorized_keys)
ssh-copy-id user@host

The passphrase is very important. Anyone somehow obtaining the private key file won't be able to use it without the passphrase.

Set up the SSH authentication agent

# Start the agent
eval `ssh-agent`
# Add the identity (private key) to the agent
ssh-add /path/to/private-key
# Enter key passphrase (one time only, while the agent is running)

Connect as usual

ssh user@host

The advantage is that your private key is encrypted and you only need to enter its passphrase once (via a safer input method too).
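Because the passphrase is what protects a stolen key file, it is worth checking that none of your private keys were generated without one. The following is an added example, not from the original page: it relies on the fact that ssh-keygen -y with an empty passphrase (-P '') only succeeds on an unencrypted key, and walks a directory reporting keys that load that way. The function names key_is_encrypted and find_unencrypted_keys are my own, and the sample keys in the demo are generated on the fly.

```shell
#!/bin/sh
# Added example (not from the original page): audit private keys for a
# missing passphrase. ssh-keygen -y prints the public key; with -P '' it
# only succeeds when the private key is stored unencrypted.

key_is_encrypted() {
    # returns 0 if "$1" needs a passphrase, 1 if it loads with an empty one
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the paths of unencrypted private keys directly under directory "$1".
# Private keys are recognised by their header line rather than by file name,
# so id_rsa, id_ed25519, and oddly named keys are all covered; .pub files
# and other files are skipped.
find_unencrypted_keys() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || continue
        key_is_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Demonstration on a temporary directory with one key of each kind:
demo() {
    local d
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$d/plain" -C demo
    ssh-keygen -q -t ed25519 -N 'demo passphrase' -f "$d/enc" -C demo
    echo "unencrypted keys in $d:"
    find_unencrypted_keys "$d"      # lists only $d/plain
    rm -rf "$d"
}

command -v ssh-keygen >/dev/null 2>&1 && demo
```

Run find_unencrypted_keys "$HOME/.ssh" to audit your own keys; any path it prints is a key that should be re-encrypted with ssh-keygen -p before it is used with an agent.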

But, really, how far do you have to go? This is where risk management comes into play. Simplistically, this is the method of balancing expected risk against loss. Sysadmins do this when we decide which off-site location we want to put backups; bank safety deposit box vs an out-of-region datacenter. Figuring out how much of this list needs following is an exercise in risk-management.

In this case the assessment will start with a few things:

  • The expected skill level of the departed
  • The access of the departed
  • The expectation that evil was done
  • The potential damage of any evil
  • Regulatory requirements for reporting perpetrated evil vs preemptively found evil. Generally you have to report the former, but not the latter.

The decision of how far down the above rabbit-hole to dive will depend on the answers to these questions. For routine admin departures where expectation of evil is very slight, the full circus is not required; changing admin-level passwords and re-keying any external-facing SSH hosts is probably sufficient. Again, corporate risk-management security posture determines this.

For admins who were terminated for cause, or where evil cropped up after their otherwise normal departure, the circus becomes more needed. The worst-case scenario is a paranoid BOFH-type who has been notified that their position will be made redundant in 2 weeks, as that gives them plenty of time to get ready; in circumstances like these Kyle's idea of a generous severance package can mitigate all kinds of problems. Even paranoids can forgive a lot of sins after a check containing 4 months' pay arrives. That check will probably cost less than the security consultants needed to ferret out their evil.

But ultimately, it comes down to the cost of determining if evil was done versus the potential cost of any evil actually being done.

If you have any comments, feel free to post them below or find us on Twitter and Facebook!

Until next time!

January 24 2020
