
I am trying to develop a bash script to download from a remote server to my local machine. I call rsync, and need to avoid typing the password myself every time. The following works:

 sshpass -p "my remote pw" rsync -r -n -t -v --progress -s myid@remote:/remote_path /local_path

The question is: how unsafe is it? Are there better ways which are still simple enough to implement? Thanks

mario

1 Answer

This is not very secure, at least not in a multi-user environment. According to the sshpass documentation:

The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command.

Secondly, there is the issue of storing the password in plain text in the script. If you are going to do so, at least make sure you set reasonable permissions (something like 700).

If possible, you should use key-based authentication. You still need to take precautions to reduce the probability of the key file becoming compromised while stored on your computer, but you eliminate the issue of the running command leaking your password and as an added bonus, the private key will likely be much stronger/harder to crack than a password. To make things easier, you can create an entry in ~/.ssh/config, for example:

Host mysite.com
    HostName mysite.com
    Port 22
    User me
    IdentityFile ~/.ssh/id_mysite.key

With an entry like above, you can modify your command to simply

rsync -r -n -t -v --progress -s mysite.com:/remote_path /local_path

Although not required, I prefer to keep all my keys in ~/.ssh because it limits the places where keys may be floating around, and the .ssh directory typically has stricter permissions set by default. I also set every key file's permissions to 600, so you may consider setting this as the default file permission inside ~/.ssh for more convenience and to reduce the probability of forgetting to chmod at some point in the future.

Lastly, if you want even more security, you can password protect your private key and then have something like seahorse unlock it when you login (I believe the password is encrypted and the encryption key to unlock the password is the password you use to login). This way, you don't have to enter the password. I have a few set up like this, but unfortunately, I can't remember exactly how I did it. Anyway, it's probably overkill.

ilkkachu
Paul Nordin
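The following script is an added example and is not code from the question or the answer above. It builds the ~/.ssh layout the answer recommends (the Host entry, a 700 directory, 600 files) in a scratch directory, audits the permissions the way a practitioner would before trusting an unattended rsync job, and reproduces the leak the sshpass documentation warns about by reading a background process's argv back from /proc (or ps). The alias mysite.com, user me and key name id_mysite.key are the answer's placeholders; the key file written here is a constructed stand-in, not a real private key (generate a real one with ssh-keygen).

```shell
#!/bin/sh
# Added example (not from the question or the answer). Scratch-directory
# demo of the answer's recommendations: ssh config entry, 700/600
# permissions, and the argv leak that makes "sshpass -p" unsafe.
set -eu

# Append the Host block from the answer to $1/config, then make the
# directory 700 and the config 600. The subshell keeps the umask local.
# $2 = alias, $3 = hostname, $4 = user, $5 = key file path (all placeholders).
write_ssh_config_entry() (
    dir=$1 alias=$2 host=$3 user=$4 key=$5
    umask 077                      # every file created here starts as 600
    mkdir -p "$dir" && chmod 700 "$dir"
    printf 'Host %s\n    HostName %s\n    Port 22\n    User %s\n    IdentityFile %s\n\n' \
        "$alias" "$host" "$user" "$key" >> "$dir/config"
    chmod 600 "$dir/config"
)

# Return 0 when $1 is mode 0700 and every regular file inside it is 0600;
# otherwise print each offender and return 1. POSIX "find -perm" with an
# exact octal mode sidesteps the GNU/BSD stat(1) flag differences.
audit_ssh_perms() {
    dir=$1 rc=0
    [ -n "$(find "$dir" -prune -perm 0700 -print)" ] || { echo "dir not 700: $dir"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -n "$(find "$f" -prune -perm 0600 -print)" ] || { echo "file not 600: $f"; rc=1; }
    done
    return "$rc"
}

# Why the answer rejects "sshpass -p": argv is readable by every local user.
# Start a harmless stand-in carrying a fake password on its command line
# and read that command line back, exactly as "ps" would show it.
show_argv_leak() {
    sh -c 'sleep 3; exit 0' sh 'hunter2-not-a-real-password' &
    pid=$!
    sleep 1                        # let the child finish exec() before we look
    if [ -r "/proc/$pid/cmdline" ]; then
        tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    else
        ps -o args= -p "$pid"
    fi
    wait "$pid"
}

# Stand-alone demo in a scratch directory (for real use, substitute $HOME/.ssh).
demo_dir=$(mktemp -d)
write_ssh_config_entry "$demo_dir" mysite.com mysite.com me "$demo_dir/id_mysite.key"
# Constructed placeholder key file; a real key comes from ssh-keygen.
( umask 077; printf '%s\n' '-----CONSTRUCTED PLACEHOLDER, NOT A REAL KEY-----' > "$demo_dir/id_mysite.key" )
chmod 644 "$demo_dir/id_mysite.key"      # simulate a forgotten chmod
audit_ssh_perms "$demo_dir" || echo "audit found problems (expected on first pass)"
chmod 600 "$demo_dir/id_mysite.key"
audit_ssh_perms "$demo_dir" && echo "audit clean"
show_argv_leak
rm -rf "$demo_dir"
```

Once the audit passes, the rsync line from the answer needs only the alias: `rsync -r -n -t -v --progress -s mysite.com:/remote_path /local_path`. The leak function is the one to rerun whenever a tool's help text offers a `-p password` style option: if the password appears in its output, it is visible to every user on the machine for the lifetime of the process.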