Is the sshpass utility less secure than manual SSH password authentication?

It's less secure than doing it manually, but if you're using Jenkins, you're clearly trying to automate. That being said, pay attention to the sshpass home page when it says:

Most users should use SSH's more secure public key authentication instead.

Use of sshpass will probably leave the plaintext password in log files and/or command history logs, which is highly undesirable. A passwordless key would be more secure than that.


It is less secure until you eliminate the risk of exposing passwords to third parties.

There is an issue if the sshpass command is still being executed and other users, even with limited access privileges, can issue a ps command. The password may temporarily show up in the list as part of the process call, even outside of logs and command histories, bypassing the file view restrictions. Those restrictions only work against reading the log and history files directly.

There are multiple solutions to read the password into stdin from an external resource to avoid it showing up in the process call. It is beyond the scope of this answer to point to certain solutions.

You still need to audit if the access to the passwords stored elsewhere is safe enough for your requirements.
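
An added example, not part of either answer: a small audit that classifies how each sshpass invocation in a job script, shell history or captured `ps -eo args` output receives its password, and flags only the `-p` form that puts it in argv. The sample lines, host names and paths are constructed.

```shell
#!/bin/sh
# Classify how each sshpass call gets its password. Only -p puts it in
# argv, where ps, shell history and CI console logs can record it.
classify_sshpass() (            # prints argv|file|fd|env|stdin|none
    set -f                      # no globbing while word-splitting the line
    set -- $1
    seen=0
    while [ $# -gt 0 ]; do
        w=$1; shift
        if [ "$seen" -eq 0 ]; then   # skip words up to the sshpass binary
            [ "${w##*/}" = sshpass ] && seen=1
            continue
        fi
        case $w in
            -p*) echo argv; exit ;;  # password on the command line
            -f*) echo file; exit ;;  # read from a file
            -d*) echo fd;   exit ;;  # read from an inherited descriptor
            -e*) echo env;  exit ;;  # read from the environment
            -P)  if [ $# -gt 0 ]; then shift; fi ;;  # prompt text, no secret
            -*)  ;;                  # any other sshpass option
            *)   break ;;            # wrapped command: its flags are not ours
        esac
    done
    [ "$seen" -eq 1 ] && echo stdin || echo none
)

scan_for_exposed() (            # stdin: lines; exit status 1 on any argv use
    n=0 bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        kind=$(classify_sshpass "$line")
        if [ "$kind" != none ]; then
            echo "line $n: $kind"    # the line itself is never echoed
            if [ "$kind" = argv ]; then bad=1; fi
        fi
    done
    exit "$bad"
)

sample_lines() {                # constructed input, not real logs
    cat <<'EOF'
sshpass -p CONSTRUCTED-pw ssh deploy@host.example uptime
/usr/bin/sshpass -f /run/secrets/deploy_pw ssh deploy@host.example uptime
sshpass -e scp build.tar deploy@host.example:/srv/
sshpass -d 3 ssh -p 2222 deploy@host.example uptime
ls -la
EOF
}
sample_lines | scan_for_exposed || echo "argv password found: use -f, -d, -e or keys"
```

The `-f`, `-d` and `-e` forms keep the password out of the process list, but the file, descriptor source or environment that holds it still needs the access audit the answer above mentions.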
