Weblog entry #2 for chrisrend
I used to use the sftp -b option with a password, but now it looks like sftp batchmode disables the password authentication at the prompt automatically. I don't want to automate the transfers completely with a key and cron. I just don't want to have to enter the same commands every time and still want to authenticate via a password entered at the prompt by manually running sftp and entering a password. Is there any way I can still do this with the updated sftp using a command file? I have searched the web and found no solution; any help is appreciated, thanks!
Chris
Comments on this Entry
- Ssh login expect script to supply password
http://bash.cyberciti.biz/security/sshlogin.exp.php
[ Send Message | View dkg's Scratchpad | View Weblogs ]
If you were going to use expect, you'd need to use expect to automate the entire process, including all the sftp commands. This probably means rewriting the batchfile, which i don't think the author wants to do.
After looking at expect more, there should be a way to get expect to just prompt for a password instead of putting it on the command line, right? I don't know, I guess I have some more research to do. Thanks again!
[ Send Message | View dkg's Scratchpad | View Weblogs ]
"I don't really want to use a key pair because if one machine is compromised the second one is easily accessible"
What makes you say this? If your private key is stored with a strong passphrase (and why wouldn't it be?), it should not be an easy thing for someone who compromises the host containing the private key to crack it open. Without cracking the passphrase on the private key, i don't see how the attacker can gain easy access to the second machine. Can you explain?
I tend to think that keeping one or two private keys on a single well-maintained, well-monitored personal computer is a better choice than dozens of passwords scattered everywhere. And it's probably a better choice than typing passwords in the clear into remote machines, as well, since a compromised remote account can just sniff the typed password and record it for future use.
Do you use ssh-agent in the normal way? The way i proposed above is a very specialized way to use that tool, trying to match what seemed like the user experience you were looking for. I find that using ssh-agent, when configured to prompt you to confirm each use, is the most convenient and most secure way i've used ssh yet. If only i could combine it with a reasonable key revocation and update infrastructure... (but that's another post)
[ Send Message | View dkg's Scratchpad | View Weblogs ]
I recommend setting up an ssh keypair (as discussed on this site recently), and using an ssh agent to manage it. If you really want to force yourself to type a password on each connection, set up the keypair, and then instead of invoking
do:
Using the agent this way lets the sftp process see the activity as "non-interactive", while you still have to give the agent access to your key via a password.
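One way to get the behaviour described in the comment above (a passphrase prompt at the terminal, followed by a non-interactive `sftp -b` run through an agent), as an added example that is not from the original thread or its commenters. The function name, the 300-second key lifetime, and the key path, batch file and destination in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: one passphrase prompt, then a batch-mode sftp transfer.
# Usage (all three arguments are placeholders):
#   sftp_batch_with_prompt ~/.ssh/id_ed25519 ./upload.batch user@host.example

sftp_batch_with_prompt() (
    # The body runs in a subshell, so the caller's own SSH_AUTH_SOCK
    # (for example a login-session agent) is left untouched.
    [ "$#" -eq 3 ] || {
        echo "usage: sftp_batch_with_prompt KEY BATCHFILE USER@HOST" >&2
        exit 2
    }
    key=$1 batch=$2 dest=$3
    [ -r "$batch" ] || { echo "cannot read batch file: $batch" >&2; exit 2; }

    # Start a private agent for this run only and load its environment.
    agent_env=$(ssh-agent -s) || exit 1
    eval "$agent_env" >/dev/null

    rc=0
    # ssh-add asks for the key's passphrase on the terminal.
    # -t 300 makes the agent drop the key after five minutes even if
    # the cleanup below never runs.
    if ssh-add -t 300 "$key"; then
        # sftp -b turns off interactive authentication, so the key has to
        # come from the agent started above.
        sftp -b "$batch" "$dest" || rc=$?
    else
        rc=1
    fi

    # Kill the agent so the decrypted key does not outlive the transfer.
    ssh-agent -k >/dev/null
    exit "$rc"
)
```

The passphrase is typed into `ssh-add` on the local machine only; a wrong passphrase skips the transfer and still shuts the agent down.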