Walker News

How To Hardcode SSH Password Into Plink For Automating SSH Login In Linux Shell Script?

For security’s sake, you should use public-key cryptography authentication method to automate SSH login without password. But, what can you do if the SSH server of a router modem doesn’t allow user add or install the public key?

In that case, the SSH client must be able to perform non-interactive SSH login using password authentication. The OpenSSH client in Linux, however, has no support of using password in this way. To overcome this problem, I suggest to use Putty’s plink for Linux or sshpass, as discussed in previous post.

Now, let’s see how to modify the plink source code for hardcoding the SSH password, so that the credential can be concealed when using plink to perform automatic login in shell script or cronjob.
WARNING: This trick can only fool the general attackers. It is NOT a bulletproof solution that can prevent serious attackers from revealing the secret.

NOTE: Please refer to the compilation guide of Putty for Linux in previous post. FYI, that guide is also applicable if you want to compile Putty for Raspbian/Raspberry Pi.

Download the latest Putty source code for UNIX from official site and extract it. At this moment, the latest archive of source files for downloading is putty-0.63.tar.gz.

Next, edit cmdline.c in putty-0.63 directory, search for the line of code in red color and insert the blue color lines before it.
Remember to replace “abc!123” with your SSH password as well as change the mypass array size accordingly (to match with your password length), then save the changes made in this cmdline.c file.
char mypass[8];
strcpy(value, mypass);
cmdline_password = dupstr(value);

Customized Plink that hardcoded SSH password
What’s the reason of storing the password character by character into an array? It’s because the strings command can expose the password if it’s stored in string literal format.

Lastly, change working directory to unix folder and start the compilation. The end result, a custom build of plink program, is capable to login SSH server with a fake password passed in by the -pw option switch.

In my example, the plink login as user “pi” with hardcoded password “abc!123”, not “decoy” (or whatever dummy password) specified for the -pw option:
./plink -pw decoy pi@

Custom Search

2018  •  Privacy Policy