Currently sshpass is blacklisted with the reason "We won't add sshpass because it makes it too easy for novice SSH users to ruin SSH's security." While I agree with this statement 100%, I want to point out that this also makes things harder for advanced SSH users to install sshpass.
Sshpass is a dependency for HashiCorp Vault's One-Time SSH Password backend. We are using this as a second factor for SSH connections by requiring a valid SSH key and a One-Time SSH Password for Vault.
This is achieved by requiring multiple authentication methods in the SSH config.
AuthenticationMethods publickey,keyboard-interactive:pam
Why not just type in the OTP manually each time?
Certain automation tooling such as Ansible requires automated SSH access, and this would become quite tiring if you are deploying to thousands of hosts.
Why not just install a random Homebrew formula from GitHub?
Random formulas are less likely to be updated and patched for security vulnerabilities. One of the advantages of using a formula from the official brew repository is knowing that it will be maintained and updated. For a security-related application such as sshpass this becomes even more important.
Are there other alternatives to Vault SSH which don't require sshpass?
I would also be open to hearing suggestions from the Homebrew team about how best to enforce multi-factor authentication for SSH servers.
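An added example, not part of the original post: a small audit of `sshd_config` text that checks whether every `AuthenticationMethods` alternative really demands both factors, as the line quoted in the post does. In that directive a comma means "and" while a space starts another acceptable list, so one extra list can quietly remove the second factor. The sample configs and function names are constructed for illustration, and `Include` files are assumed not to be in use.

```python
REQUIRED = {"publickey", "keyboard-interactive"}  # the two factors named in the post

def parse_auth_methods(config_text):
    """Map each scope (global or a Match block) to its lists of required methods."""
    scopes, scope = {}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        args = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + args
        elif keyword == "authenticationmethods":
            # Spaces separate alternative lists, commas separate the methods that
            # must all succeed; drop sub-method suffixes such as ":pam".
            lists = [[m.split(":", 1)[0] for m in alt.split(",")] for alt in args.split()]
            scopes.setdefault(scope, lists)  # the first value in a scope wins
    return scopes

def weak_alternatives(lists):
    """Return the alternatives that admit a client without both factors."""
    return [",".join(alt) for alt in lists if not REQUIRED <= set(alt)]

def audit(config_text):
    """Return {scope: [weak alternatives]}; an empty dict means both factors are enforced."""
    scopes = parse_auth_methods(config_text)
    scopes.setdefault("global", [["any"]])  # sshd default when the directive is unset
    findings = {}
    for scope, lists in scopes.items():
        weak = weak_alternatives(lists)
        if weak:
            findings[scope] = weak
    return findings

# Constructed sample configs (not taken from a real host).
GOOD = "UsePAM yes\nAuthenticationMethods publickey,keyboard-interactive:pam\n"
BAD = """# the second list lets a key alone succeed
AuthenticationMethods publickey,keyboard-interactive:pam publickey
Match User deploy
    AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "both factors required everywhere")
```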