Walker News

Modify Sshpass Source File To Hide SSH Password

This open source software, sshpass, only does one simple thing, i.e. tricks the SSH client to believe that the user is performing interactive password authentication.

For example, this is how sshpass works in command line – tells sshpass to enter “abc123” when the SSH client prompts for password of user account pi:
sshpass -p abc123 ssh pi@

It works, but the password is exposed! Can you hide it? Of course! We can hardcode the password into the binary program file!
Though the skillful attackers may able to find it, it is “impossible” for the average users :)

Download the latest sshpass source files archive. In this guide, we use sshpass-1.05.tar.gz.

Edit the main.c and search for this line:

Then, insert these red lines before it (NOTE: You MUST change the optarg[] array size and its content accordingly, to match with your SSH password!):

A custom build of sshpass with hardcoded password.
It’s not a good idea to store secret as string literal, because this strings program can see it!

Next, let’s compile it:
make clean
make; echo $?

If you see “0” in the last line of output, it means the compilation is successful.

Now, let’s test this custom build of sshpass:
./sshpass -p 1234567 ssh pi@

1. You still have to use -p option but give it a fake/pseudo password. When this sshpass executed, it’s actually passing “mypass!” to ssh client, not “1234567” provided by -p option switch.

2. The fake password length MUST be equal to or longer than the hardcoded password! Otherwise, you’ll get this “sshpass: Failed to run command: No such file or directory” error message.

Personally, I prefer to use a custom build of Putty’s plink (another command-line/console-based SSH client). If you’re interested, please refer to the plink customization guide in previous post.

Custom Search

2018  •  Privacy Policy