SSH password as a command-line parameter?

Matthew Kuiken matt.kuiken at verizon.net
Sun Jun 18 16:39:24 UTC 2006


Daniel Carrera wrote:
> Neil Blakey-Milner wrote:
> <snip>
>> In particular, if you do have a key that doesn't require a passphrase
>> (because it is going to be used for an automated process), it may be
>> best to limit that key to only performing a single command.  This can be
>> done in the authorized_keys file.
>
> That's an option, though naturally I like having a password. Though I 
> guess that technically if someone can grab my private key they can 
> probably grab the script with the password as well...
>
>> Passphrases don't have to be irritating, since Ubuntu graphical logins
>> run an "agent" (read the ssh-agent manual page) that allows you to
> unlock the keys with their passphrases for the current session.
>
> I already know ssh-agent, but I don't think I want to depend on it. If 
> I restart my computer for some reason and forget to run it I might go 
> for days without backups. I don't find passwords irritating.

I got the impression from the password comment that you were not using 
keys.  Sorry for the misunderstanding.

I'm certain ssh-agent could be set up to automatically run when you log 
in to Gnome/KDE.  It could prompt you for the passphrase then.  I've 
seen pages that talk about installing ssh-askpass for this purpose.

Another option is libpam-ssh.  It uses a PAM module to use the password 
you gave to gdm to open the agent.  This is slightly less secure than 
using a separate passphrase, but still requires the hacker to at least 
get one password before getting full access.  It also prevents a stolen 
key file from being useful unless the passphrase was stolen, too.

HTH,
-Matt
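
The single-command restriction mentioned in the quoted text above, as an added example that is not part of the original message: one function builds an authorized_keys entry pinned to a forced command, the other lists the entries in a file that are not pinned. The key material, comments and the /usr/local/bin/run-backup path are constructed placeholders.

```shell
#!/bin/sh
# Added example. The key material, comments and /usr/local/bin/run-backup
# path are constructed placeholders, not values from the thread.

# Emit an authorized_keys line that pins a public key to one forced command
# and switches off forwarding and terminal allocation for it.
#   $1 = command the key may run, $2 = public key line ("type base64 comment")
restricted_entry() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Print the line number of every key in authorized_keys file $1 that is not
# pinned to a forced command. Simplification: it looks for command=" at the
# start of the options field or after a comma; it is not a full option parser.
unrestricted_keys() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        /^[ \t]*$/ { next }                     # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Line starts with the key type, so it carries no options at all.
            if (line ~ /^(ssh-|ecdsa-|sk-)/) { print NR; next }
            # Options present, but none of them is a forced command.
            if (line !~ /^command="/ && line !~ /,command="/) print NR
        }
    ' "$1"
}

# Demo on a constructed file: line 2 has no options, line 3 has options but
# no forced command, line 4 is the pinned backup key.
demo() {
    f=$(mktemp) || return 1
    {
        echo '# constructed sample authorized_keys'
        echo 'ssh-ed25519 AAAAC3SAMPLEKEY1 user@laptop'
        echo 'no-pty ssh-ed25519 AAAAC3SAMPLEKEY2 cron@laptop'
        restricted_entry '/usr/local/bin/run-backup' 'ssh-ed25519 AAAAC3SAMPLEKEY3 backup@laptop'
    } > "$f"
    out=$(unrestricted_keys "$f")
    rm -f "$f"
    echo $out          # unquoted on purpose: joins the line numbers with spaces
}

demo   # prints: 2 3
```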