sshpassx

A drop-in Rust replacement for sshpass with secure password storage via macOS Keychain and 1Password.

Quick Start

# Install
cargo install sshpassx

# Store a password once, use it everywhere
sshpassx --store user@host        # prompts for password, saves to Keychain
sshpassx -k ssh user@host         # looks up stored password automatically
sshpassx -k scp user@host:f .     # works with scp, rsync, sftp, etc.

# Or pass a password directly (original sshpass style)
sshpassx -p mypass ssh user@host

Using 1Password instead of macOS Keychain?

export SSHPASSX_BACKEND=op
sshpassx --store user@host
sshpassx -k ssh user@host

---

Installation

# From crates.io
cargo install sshpassx

# Or from source
cargo install --path .

# Or build manually
cargo build --release
# Binary at: target/release/sshpassx

Configuration

Backend Selection

sshpassx supports two password storage backends, controlled by environment variables:

Variable	Values	Description
SSHPASSX_BACKEND	op, 1password	Use 1Password instead of macOS Keychain. Unset = macOS Keychain.
SSHPASSX_VAULT	vault name	1Password vault to use (optional, defaults to personal vault)

Backward compatibility: The legacy SSHPASS_RS_BACKEND and SSHPASS_RS_VAULT environment variables are still accepted as fallbacks.

macOS Keychain (default) — passwords are stored in the system Keychain, encrypted at rest, protected by your login password.

1Password — passwords are stored as tagged items in your 1Password vault. Requires the 1Password CLI (op) to be installed and authenticated.

On non-macOS platforms, macOS Keychain is unavailable. Set SSHPASSX_BACKEND=op to use 1Password instead.

1Password Service Account (for automation)

export OP_SERVICE_ACCOUNT_TOKEN=ops_...
export SSHPASSX_BACKEND=op
sshpassx -k ssh user@host

Verbose / Diagnostic Output

Use -v to see which backend is selected, what commands are executed, and how password resolution proceeds:

sshpassx -v -k ssh user@host

SSHPASSX: checking SSHPASSX_BACKEND environment variable
SSHPASSX: selected OS keychain backend
SSHPASSX: using keychain with key 'user@host'
SSHPASSX: querying backend for key 'user@host'
SSHPASSX: key 'user@host' found in backend
SSHPASS searching for password prompt using match "assword:"
SSHPASS detected password prompt
SSHPASS sending password

Usage

sshpassx [OPTIONS] <command> [args...]
sshpassx --store <key>
sshpassx --delete <key>
sshpassx --list
sshpassx --help

Password Source Flags

Mutually exclusive — only one per invocation.

Flag	Description
-p <password>	Pass the password directly as an argument
-f <filename>	Read the password from a file (first line)
-d <number>	Read the password from a file descriptor
-e	Read the password from the SSHPASS environment variable
-k	Look up the password from the configured backend, auto-deriving the key from the SSH command

No flag = read password from stdin (original sshpass behavior).

Password Management

Standalone operations — no wrapped command needed.

Flag	Description
--store <key>	Prompt for a password and store it under <key>
--delete <key>	Delete the stored entry for <key>
--list	List all entries managed by sshpassx
--key <value>	Explicit key name for -k (overrides auto-detection)

Other Flags

Flag	Default	Description
-P <prompt>	assword:	Prompt pattern to match in PTY output
-v	off	Verbose mode — diagnostic output to stderr
-h, --help		Context-sensitive help (try --store --help, --list --help, -k --help)

Key Auto-Detection

With -k (no --key), the key is derived from the wrapped command using a two-stage fallback:

1. Direct parsing — extracts user@host from SSH arguments:

   • ssh user@host → key = user@host
   • ssh -l user host → key = user@host

2. SSH config resolution — if direct parsing fails, runs ssh -G <destination> to resolve aliases:

   • ssh myalias → resolves User and HostName from ~/.ssh/config → key = resolved_user@resolved_host
   • ssh -W %h:%p gw → resolves gw alias → key = resolved_user@resolved_host
   • Propagates -F <config> if present in the SSH arguments

Use --key <name> to override auto-detection entirely.

If both stages fail, you're prompted interactively.

Examples

Basic Password Passing

# Direct password
sshpassx -p hunter2 ssh user@host

# From file
sshpassx -f ~/.ssh/mypassword ssh user@host

# From environment variable
SSHPASS=hunter2 sshpassx -e ssh user@host

# From stdin
echo "hunter2" | sshpassx ssh user@host

Keychain Workflow

# Store once
sshpassx --store user@host

# Use everywhere
sshpassx -k ssh user@host
sshpassx -k scp user@host:/remote/file ./local/
sshpassx -k rsync -avz user@host:/data/ ./backup/

# Explicit key name
sshpassx --key myserver ssh -l user host

# Manage stored entries
sshpassx --list
sshpassx --delete user@host

1Password Workflow

export SSHPASSX_BACKEND=op

# Store in 1Password
sshpassx --store user@host

# Use from 1Password
sshpassx -k ssh user@host

# Use a specific vault
SSHPASSX_VAULT=Production sshpassx -k ssh user@host

# List / delete
sshpassx --list
sshpassx --delete user@host

SSH Config Integration

Use sshpassx as a ProxyCommand in ~/.ssh/config to automate password-based jump hosts. Aliases are resolved automatically via ssh -G.

# First, store the jump host password
sshpassx --store user@gateway.example.com

# ~/.ssh/config

# Jump host that requires keyboard-interactive auth
Host gw
  Hostname gateway.example.com
  User user
  PreferredAuthentications keyboard-interactive
  PubkeyAuthentication no

# Internal hosts via the jump host — alias "gw" is auto-resolved
Host internal-server1
  HostName 10.0.0.1
  User admin
  ProxyCommand sshpassx -k ssh -W %h:%p gw
  GSSAPIAuthentication no

Host internal-server2
  HostName 10.0.0.2
  User admin
  ProxyCommand sshpassx -k ssh -W %h:%p gw
  GSSAPIAuthentication no

How it works: sshpassx runs ssh -G gw to resolve the alias, extracting User and HostName from your SSH config to construct the keychain key user@gateway.example.com. Use --key <name> to override if needed.

Advanced

# Custom prompt pattern (non-English systems)
sshpassx -p hunter2 -P "Passwort:" ssh user@host

# Verbose diagnostics
sshpassx -v -k ssh user@host

Exit Codes

Code	Name	Meaning
0	Success	Command completed successfully
1	InvalidArguments	Missing required argument
2	ConflictingArguments	Multiple password sources or bad flags
3	RuntimeError	PTY, spawn, keychain, or I/O error
4	ParseError	Could not parse child process output
5	IncorrectPassword	SSH rejected the password
6	HostKeyUnknown	Host key not in known_hosts
7	HostKeyChanged	Host key changed since last connection

Security

Property	Original sshpass	sshpassx
Password in args (-p)	Visible in ps	Visible in ps (same)
Password in file (-f)	Plaintext file	Plaintext file (same)
Password in env (-e)	Cleared before exec	Cleared before exec
Keychain storage	Not supported	macOS Keychain (encrypted at rest)
1Password storage	Not supported	op CLI (encrypted vault, biometric unlock)
In-memory handling	Plain string	SecretString (zeroized on drop)

Recommendation: avoid -p — the password is visible in ps. Use -k with stored passwords for scripts and automation.

Compatibility

Same as original sshpass

• -p, -f, -d, -e password sources
• -P prompt pattern matching
• -v verbose mode
• Exit codes 0–7
• Works with any PTY-based password prompt (ssh, scp, sftp, rsync, etc.)

New in sshpassx

• -k / --key — backend-backed password lookup
• --store / --delete / --list — password management
• 1Password backend via SSHPASSX_BACKEND=op
• Auto-detection of user@host from SSH arguments
• Interactive fallback when key is missing
• Context-sensitive --help
• Cross-platform backend guard (non-macOS → requires 1Password)

Limitations

• macOS Keychain backend is macOS-only. On other platforms, use SSHPASSX_BACKEND=op.
• 1Password backend requires the op CLI.
• No config file — all options via command line and environment variables.