non-interactive ssh password authentication

[rpodgorny]

Hi everybody,

this is what I need and was unable to manage:

I do know a ssh server name.
I do know a username.
I do know a password.

Is there a way to get rid of the annoying "password:" prompt when logging in? I didn't find any argument which shall be supposed to tell ssh client to send the password automaticaly. Something like "ssh host -l user -p pass" or "ssh user:pass@host".

I know the "authorized_keys" magic but it's not an option for me because I need a passwordless access from random computers. Setting null password on the server "user::1000:100: ..." didn't help... :-(

Any ideas?

[shadow255]

[puggy]

Extending what shadow255 said about keys. I'm assuming shadow255 is talking about creating a pair of keys with no passphrase. Instead create a pair of keys and use a passphrase. Then you can use something called keychain which basically prevents you from having to type in your passphrase for the key every time, by remembering. This remembering will last until they system is rebooted. or you kill the ssh-agent process running on your machine.

http://www.gentoo.org/proj/en/keychain.xml

Puggy
_________________
Where there's open source , there's a way.

[rpodgorny]

Thanks a lot for your tips but unfortunately, it's still no solution for me... :-(

What exactly do I want:

I wan to set up a set of computers with passwordless ssh access to be used as a part of dvd::rip cluster. Unauthorized access would be filtered out by iptables (the whole 192.168.0.* network is "safe") but adding a special entry for every single computer would be very annoying (it's still over 200 machines with different users and their keys can change after reinstalls)... :-(

I think that extending ssh client to support automated password entering would be no security risk. That's why I'm so surprised it's not implemented. Don't you know about any "unofficial hack" to manage that?

Anyway. Why doesn't ssh support empty passwords? Or am I just so stupid so I cannot enable it?

Ssh seems to be a cute security thing but it's way too user-unfriendly to me. I hope I'll change my opinion soon... :-)

There has to be a way!

[puggy]

[rpodgorny]

As I'm reading my own posts, the sentences seem a bit awkward even to myself so I'll try to make it even more simple :-)

I need to set up a machine and give users some info (address, username, password) just ONCE.

The users are forced to use ssh (by dvd::rip) in non-interactive way.

[puggy]

Let me get this straight...
You want to use a load of machines to do processing for you on ripping DVDs?
You want to login to those machines without using a password?
You want multiple machines to be able to use the cluster to rip DVDs?

So basically what your saying is that dvd::rip uses ssh to connect to the machines its using as its processing power?
It is a huge security risk if you do not at least have some sort of password protection on the ssh servers your using as IPs can be easily faked for your IPtable protection. The keychain method would work for you as long as you simply carry your private key with you or keep it on a server somewhere for instant download to the machine your using. Of course, that local computer would have to have keychain installed (or ssh-agent at least).
The benefit of keychain is that you would never need to type a password for any machine your logging into as soon as you've put your key in the authorized_hosts file on that machine.
Multiple users can also be achieved by distributing either many public keys to the servers or by distributing your private key and passphrase.
I know of know way to be able to specify a single line ssh login including password as this is an effort to stop passwords being typed unmasked on the command line I expect.

I hope this helps.

Puggy
_________________
Where there's open source , there's a way.

[rpodgorny]

Yeah, exactly...

I just want to install that machine and put a note on the local intranet:

"Hi everybody from my network. Everyone is free to use computer XYZ for transcoding movies. Your ssh access is limited to executing transcode only. The username is foo, password is bar. Just fill in the line in dvd::rip config with 'ssh XYZ -l foo -p bar' and be happy."

If there is a password or not isn't important. It's just about non-interactivity. And important note: 99% of the users are just dummies and they know s..t about ssh-agent and tools like that :-(

[notkevin]

[puggy]

[rpodgorny]

[rpodgorny]

[dermot]

Why not just write an expect script and distribute that to your users?
_________________
Dermot

I bought some rock star ashes from the back of Rolling Stone
I don't think he would've minded - he couldn't sell his soul

[StuBear]

[rpodgorny]

[rpodgorny]

[TenPin]

I use key based authentication on my heavily firewalled network (which is also inside a heavily firewalled uni network).

Here are the commands to setup key based authentication where local is the machine you are logging in from and remote is where local is logging in to.

[StuBear]

[rpodgorny]

[notkevin]