Hacking sshpass (for a legitimate reason)

sshpass is a well-known tool that everybody loves and hates at the same time. It is very handy when you need to write scripts that use ssh against hosts that do not support ssh keys, since it passes the password to the ssh password prompt for you. But sshpass is also a security risk: the password is visible in the command-line parameters, and even if you use the -f switch, which reads the password from a file, the file itself is in clear text, so the password is exposed to everyone who has access to that file.

sshpass is open source, which means we can read its code, and even modify and recompile it.

Scenario: we have an embedded device that supports ssh but does not support ssh keys. We want to give the users of these embedded devices a way to access them over ssh, but due to corporate rules the password must not be provided to the clients. To make things worse, this needs to be done fast, so there is no time to develop software to do this; we must find a quick and dirty solution.

Solution: as we said before, sshpass is open source, so we can hardcode the password inside the code. The modified sshpass will ignore any input given with the -p parameter.

step 1: download sshpass source

step 2: decompress sshpass

step 3: Edit sshpass code

Find the following line:

Now, just before this line, hardcode the password (in our case it is passwd!)

And save the changes!

step 4: compile

inside the sshpass directory enter

step 5: verify that it works

Now to use the modified version of ssh script

We need to enter a dummy password whose length is equal to the length of the hardcoded password.

That's all! I hope you found this article useful.

PS: some newer versions of sshpass hide the invoked password from commands like ps by default.
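To check a host for the two exposures described at the start of this article (a password passed with -p, and a clear-text -f file that other users can read), the following Python audit parses Linux /proc/<pid>/cmdline entries and reports them without printing the password. It is an added example, not part of the original article or of sshpass; the function names and the sample command line are constructed for illustration, and a relative -f path is resolved against the auditor's working directory.

```python
import os

SAMPLE = b"sshpass\0-p\0not-a-real-secret\0ssh\0user@device.example\0"  # constructed sample

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into strings."""
    raw = raw[:-1] if raw.endswith(b"\0") else raw
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []

def sshpass_options(argv):
    """Yield (flag, value) pairs, stopping where the wrapped command begins."""
    i = 1
    while i < len(argv) and argv[i].startswith("-") and argv[i] not in ("-", "--"):
        for j, flag in enumerate(argv[i][1:], 2):
            if flag in "fdpP":  # sshpass options that take a value
                value = argv[i][j:]
                if not value and i + 1 < len(argv):  # value is the next argv entry
                    i, value = i + 1, argv[i + 1]
                yield flag, value
                break
            yield flag, None
        i += 1

def audit(argv):
    """Return findings for one process; the password itself is never echoed."""
    findings = []
    if not argv or os.path.basename(argv[0]) != "sshpass":
        return findings
    for flag, value in sshpass_options(argv):
        if flag == "p":
            findings.append("-p: password passed as a command-line argument")
        elif flag == "f":
            try:
                mode = os.stat(value).st_mode & 0o777
            except OSError:
                continue  # file is gone or not visible to the auditor
            if mode & 0o077:
                findings.append(f"-f {value}: file mode {mode:04o} allows group/other")
    return findings

def scan_proc(proc="/proc"):
    """Audit every process under proc (Linux); returns [(pid, finding), ...]."""
    results = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                results += [(int(pid), f) for f in audit(parse_cmdline(fh.read()))]
        except OSError:
            continue  # process exited or is not readable
    return results
```

On a Linux host, `scan_proc()` returns the findings for every process the auditor can read. A -p finding is reported even when the argument has already been masked, because the flag itself shows how the password was supplied.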
