Currently sshpass is blacklisted with the reason

> We won't add sshpass because it makes it too easy for novice SSH users to ruin SSH's security.

While I agree with this statement 100%, I want to point out that this also makes things harder for advanced SSH users to install sshpass.
Sshpass is a dependency for HashiCorp Vault's One-Time SSH Password backend. We are using this as a second factor for SSH connections by requiring a valid SSH key and a One-Time SSH Password for Vault.
This is achieved by requiring multiple authentication methods in the SSH config.
Why not just type in the OTP manually each time?
Certain automation tooling such as Ansible requires automated SSH access, and this would become quite tiring if you are deploying to thousands of hosts.
Why not just install a random Homebrew formula from GitHub?
Random formulas are less likely to be updated and patched for security vulnerabilities. One of the advantages of using a formula from the official brew repository is knowing that it will be maintained and updated. For a security-related application such as sshpass this becomes even more important.
Are there other alternatives to vault ssh which don't require sshpass?
I would also be open to hearing suggestions from the Homebrew team about how best to enforce multi-factor authentication for SSH servers.
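The key-plus-OTP requirement described in the issue is what OpenSSH's `AuthenticationMethods` directive in `sshd_config` expresses. The following is an added example, not code from the issue or from Homebrew or Vault: a small check that a config really demands both factors. The sample configs, the function names and the choice of accepted second-factor methods are assumptions.

```python
# Constructed sample sshd_config fragments (not taken from the issue).
STRICT = """\
PubkeyAuthentication yes
# comma-separated: every method in the list must succeed
AuthenticationMethods publickey,keyboard-interactive
"""
LOOSE = """\
# space-separated: each word is its own list, so a key alone is enough
AuthenticationMethods publickey keyboard-interactive
"""

# Assumption: the OTP is collected through one of these methods (e.g. via PAM).
SECOND_FACTORS = {"keyboard-interactive", "password"}


def global_auth_methods(config_text):
    """Return the global AuthenticationMethods value as a list of method lists.

    Simplified parser: keywords are case-insensitive, the first value seen
    wins, and parsing stops at the first Match block (per-user overrides
    are out of scope). Returns None when the keyword is not set.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":
            break
        if keyword.lower() == "authenticationmethods":
            # "keyboard-interactive:pam" -> "keyboard-interactive"
            return [[m.split(":")[0] for m in alt.split(",")] for alt in args]
    return None


def enforces_key_plus_otp(config_text):
    """True only if every accepted method list needs a key AND a second factor."""
    alternatives = global_auth_methods(config_text)
    if not alternatives:
        return False  # unset: sshd accepts any single enabled method
    return all(
        "publickey" in alt and bool(SECOND_FACTORS & set(alt))
        for alt in alternatives
    )


if __name__ == "__main__":
    for name, text in (("STRICT", STRICT), ("LOOSE", LOOSE)):
        print(name, enforces_key_plus_otp(text))
```

The `LOOSE` case is the one worth checking for: a space instead of a comma turns "key and OTP" into "key or OTP".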
Please always read and fill in the issue template.
> Random formulas are less likely to be updated and patched for security vulnerabilities. One of the advantages of using a formula from the official brew repository is knowing that it will be maintained and updated. For a security related application such as sshpass this becomes even more important.
I think this is the best fit for now. You can create an sshpass formula in a tap, and if it's widely used we may consider it being added into Homebrew/core.