spraff spraff - 12 days ago 9
Linux Question

ssh with SSH_ASKPASS always fails

I want to batch-run a command via ssh and have the calling machine determine the exit status and output of that command, but where the password is known in advance and not typed by hand.

This seems to be what I want, but it doesn't work.

Pre-flight check:

    #> ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null testuser@localhost 'echo here' && echo ok || echo no
    Warning: Permanently added '[localhost]:22' (ECDSA) to the list of known hosts.
    testuser@localhost's password:
    here
    ok

Good start. Now bundle this with SSH_ASKPASS:

    #!/bin/bash

    u="testuser"
    p="testpassword"

    ask="/tmp/ask"

    echo "echo $p" > $ask
    chmod +x $ask

    SSH_ASKPASS=$ask
    DISPLAY=localhost:0.0
    setsid ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $u@localhost 'echo here' && echo ok || echo no

Ignore the security problems, this is just a POC.

When I run this:

    #> /tmp/test.sh
    Warning: Permanently added '[localhost]:22' (ECDSA) to the list of known hosts.
    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    no

What's wrong?

Answer

You need to export the environment variables so that they apply to your ssh command:

    export DISPLAY
    export SSH_ASKPASS

Running the ssh with -vvv would tell you that the SSH_ASKPASS command is not used.
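
The answer's point, as an added example that is not part of the original post: a plain assignment leaves SSH_ASKPASS invisible to child processes such as ssh, and export makes it visible. The helper here is created with mktemp and reads the password from a hypothetical ASKPASS_SECRET environment variable instead of a fixed /tmp/ask file; the function names are assumptions too.

```bash
#!/bin/bash
# Added example; ASKPASS_SECRET and all function names are assumptions.

# True when a child process would find SSH_ASKPASS in its environment.
# ssh is such a child, so this is the condition it depends on.
child_sees_askpass() {
    sh -c '[ -n "${SSH_ASKPASS:-}" ]'
}

# Create the helper with an unpredictable name and owner-only permissions.
# It prints the secret from its environment, so no password lands on disk.
make_askpass() {
    local helper
    helper=$(umask 077; mktemp "${TMPDIR:-/tmp}/askpass.XXXXXX") || return 1
    printf '%s\n' '#!/bin/sh' 'printf "%s\n" "$ASKPASS_SECRET"' > "$helper"
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# Compare the question's plain assignment with the answer's export.
compare_export() {
    local before after
    unset SSH_ASKPASS                 # also clears any inherited export flag
    SSH_ASKPASS=/tmp/ask              # shell variable only, as in the question
    if child_sees_askpass; then before=visible; else before=hidden; fi
    export SSH_ASKPASS                # the fix from the answer
    if child_sees_askpass; then after=visible; else after=hidden; fi
    unset SSH_ASKPASS
    printf '%s %s\n' "$before" "$after"
}

# Usage, from a script as in the question:
#   ASKPASS_SECRET=... ssh_with_askpass [ssh options] user@host 'command'
ssh_with_askpass() {
    local helper rc
    [ -n "${ASKPASS_SECRET:-}" ] || { echo "ASKPASS_SECRET not set" >&2; return 2; }
    export ASKPASS_SECRET             # the helper runs under ssh and needs it
    helper=$(make_askpass) || return 1
    # Prefix assignments are placed in the environment of this one command.
    SSH_ASKPASS=$helper DISPLAY=${DISPLAY:-localhost:0.0} setsid ssh "$@"
    rc=$?
    rm -f "$helper"
    return "$rc"
}
```
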
