sshpass is a well-known tool that everybody loves and hates at the same time. It is very handy when you need to write scripts that use ssh and the hosts do not support ssh keys, since it can pass the password to the ssh password prompt. But sshpass is also a security risk: the password is visible in the command-line parameters, and even if you use the -f switch, which reads the password from a file, the file itself is in clear text, so the password is exposed to everyone who has access to that file.
sshpass is open source, which means we can read its code, and even modify and recompile it.
Scenario: we have an embedded device that supports ssh but does not support ssh keys. We want to give the users of these embedded devices a way to access them over ssh, but due to corporate rules the password must not be provided to the clients. To make things worse, this needs to be done fast, so there is no time to develop software for it; we must find a quick and dirty solution.
Solution: as we said before, sshpass is open source, so we can hardcode the password inside the code. sshpass will then ignore any input given with the -p parameter.
step 1: download sshpass source
$ wget https://sourceforge.net/projects/sshpass/files/latest/download -O sshpass-1.06.tar.gz
step 2: decompress sshpass
$ gunzip sshpass-1.06.tar.gz
$ tar -xvf ./sshpass-1.06.tar
step 3: Edit sshpass code
$ vim sshpass-1.06/main.c
Find the following line:
Now, just before this line, hardcode the password (in our case it is passwd!)
And save the changes!
step 4: compile
Inside the sshpass directory, enter:
$ make clean
step 5: verify that it works
Now, to use the modified version:
$ ./sshpass -p 1234567 ip_address
We need to enter a dummy password whose length is equal to the length of the hardcoded password.
That's all! I hope you found this article useful.
PS: some newer versions of sshpass hide the invoked password from commands like ps by default.
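Hiding an argument from ps, as the PS mentions, is typically done by copying the value and then overwriting the argv slot in place. The sketch below is an added example, not code from sshpass or from this article; the names take_secret_arg and cmdline_contains are hypothetical, and the /proc/self/cmdline check assumes Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: scrub a secret from argv after taking a private copy. */
/* Returns the heap copy (caller frees), or NULL if allocation fails. */
char *take_secret_arg(char *arg)
{
    size_t len = strlen(arg);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, arg, len + 1);
    memset(arg, 'z', len);  /* same length, so other argv entries stay put */
    return copy;
}

/* Return 1 if needle occurs in this process's NUL-separated argument block */
/* (/proc/self/cmdline, Linux only), 0 if it does not, -1 if unreadable. */
int cmdline_contains(const char *needle)
{
    char buf[4096];
    size_t n, i, len = strlen(needle);
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    for (i = 0; len > 0 && i + len <= n; i++)
        if (memcmp(buf + i, needle, len) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    char *secret;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <constructed-secret>\n", argv[0]);
        return 2;
    }
    secret = take_secret_arg(argv[1]);
    if (secret == NULL)
        return 1;
    printf("private copy length: %zu\n", strlen(secret));
    printf("visible in cmdline after scrub: %d\n", cmdline_contains(secret));
    free(secret);
    return 0;
}
```

The argument is still readable between process start and the scrub, and the shell history keeps the full command line, so this narrows the exposure rather than removing it.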