Is there any way to automate ssh login, without sshpass or expect?


The context here is that I have a series of embedded Linux systems at work. They do not have internet access. They are frequently re-imaged. I do not control the OS image and the owning team is not interested in incorporating sshpass or expect into the OS builds.

These are test machines only accessible from an internal network. Currently the update process is quite painful and involves me manually scp'ing files between 3 hops. I would like to automate this process with a script; it would likely save me several hours per week. The current workflow is for me to have a gigantic series of 3-deep nested tmux sessions with various panes, in which I run very similar commands. It works, but it's not fun. However, as far as I can tell, there is no way to plaintext pipe a password to regular ssh. The password for all these machines is just root, since they are test & development machines only.

Things I have seen which I believe won't work:

  • Shared keys: these machines are re-imaged daily to multiple times per day. I cannot expect a persistent key.
  • sshpass or expect: as stated above, the OS team has declined my request to add these.
  • Installing any non-default UNIX tools, since these machines have no internet access.
tilleyc
You say you cannot expect a persistent key… why not? If they can re-image them, they could pack in an expected key easily enough.
brenzo
I do not disagree, but my pleas are falling on deaf ears and I am just trying to unblock myself here.
Your task is to SCP files to the target device via 3 server hops, right? You can use Ansible to copy the file via jump host, or configure OpenSSH to establish a jump host for you, then you just SCP from your laptop to the target device. Ref: and

First, my condolences. You've been made responsible for solving this problem without being supported to do it properly. If the systems are being regularly re-imaged, installing keys should be easily added to that build flow. If the responsible team isn't willing to do that, that seems hard to justify.

And you're right - by design, there's no way to pass ssh a password on the command line. So there aren't many options to automate further without installing something else, just as you've said.

Given the constraints - and assuming that you shouldn't store the password anywhere - I'd say a script that uses nested SSH (using multiple invocations of the -J flag) to reduce your hops, and having the password ready to paste in your paste buffer, would minimize your effort.

One more suggestion. You mention no Internet access, but if there are any scripts or tools that you could make internally available, you could pull them from that internal source to your target systems. Pulling a single 'bootstrap' script, and then running that script to install any other statically compiled utilities (or even certificates or SSH keys!), might be efficient. It would have to be re-done every time the systems are rebuilt, but the script could even check to see whether or not the target system has been re-imaged or not, and only install what's missing. In other words, you could automate the process of returning rebuilt systems to supportability.

Either way, good luck. If Hallmark made a card for this, I would get it for you. :D
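A sketch of the bootstrap idea from the answer above, combined with its `-J` suggestion; this is an added example, not part of the original answer. The host names, the `root@target` login and the key path are placeholders, and it assumes the target's SSH server reads `~/.ssh/authorized_keys` and that the key file holds a single key.

```shell
#!/bin/sh
# Added example. Host names, user and key path are placeholders.

# jump_list hop1 hop2 ... -> "hop1,hop2": the comma-separated form -J accepts.
jump_list() {
    list=""
    for hop in "$@"; do list="${list:+$list,}$hop"; done
    printf '%s\n' "$list"
}

# Print a small sh script that installs one public key on whatever machine
# runs it. It is idempotent: it prints "added" on a freshly re-imaged system
# and "present" when the key is already there.
remote_script() {
    case $1 in *"'"*) echo "key contains a single quote" >&2; return 1 ;; esac
    cat <<EOF
key='$1'
dir="\$HOME/.ssh"; auth="\$dir/authorized_keys"
mkdir -p "\$dir" && chmod 700 "\$dir"
touch "\$auth" && chmod 600 "\$auth"
if grep -qxF -- "\$key" "\$auth"; then
    echo present
else
    printf '%s\n' "\$key" >> "\$auth" && echo added
fi
EOF
}

# push_key user@target pubkey_file [hop ...]
# ssh reads the password from the terminal, so stdin is free for the script.
push_key() {
    target=$1; pubkey=$2; shift 2
    script=$(remote_script "$(cat "$pubkey")") || return 1
    jumps=$(jump_list "$@")
    printf '%s\n' "$script" | ssh ${jumps:+-J "$jumps"} "$target" sh
}

# Run only when called with arguments, e.g. (placeholder names):
#   sh bootstrap.sh root@target ~/.ssh/id_ed25519.pub hop1 hop2
if [ "$#" -ge 2 ]; then push_key "$@"; fi
```

Because `-J` authenticates from the local client to every hop, running it once per hop (first with no jump hosts, then with the earlier hops listed) and once for the target leaves later `ssh` and `scp -o ProxyJump=hop1,hop2` runs password-free until the next re-image.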

