So why doesn’t ssh read passwords from stdin? Security? Bah! – Excessive hand-holding, I say.
It’s alright for ssh to not read passwords over stdin by default – but ssh should allow for a command line option to enable reading passwords over stdin. Not allowing any technique to read passwords over stdin means people create alternate (but cumbersome) techniques to work around the problem – programs like sshpass and the expect library are used to supply passwords to ssh over stdin.
“sudo” doesn’t read passwords over stdin by default – but you can use the “-S” flag to tell sudo that you want it to read the password over stdin. With the “-S” flag you are telling sudo that you understand the security implications of reading passwords over stdin and you know what you are doing.
ssh should come with “secure” default behaviour but should also understand that a user willing to read the whole ssh_config manpage to figure out how to supply passwords over stdin, and willing to research expect and sshpass, probably understands the security implications of reading passwords over stdin and knows what he is doing!
One Response
Amen!