
insecure_pssh: Parallel SSH with Per-Host Passwords

pssh (parallel-ssh) is a familiar and very useful tool for Linux administrators, but it normally expects key-based authentication to be configured on all target servers in advance. I never really liked that workflow, so I modified the project a bit to support a password list stored on the management machine.

What attracted me most to pssh was its parallel task management. It is very efficient when you need to run SSH operations across a large number of servers.

Under the hood, pssh simply calls the system ssh and scp commands. That also means it has some limitations when it comes to password management:

  1. You either set up trust relationships between the management host and all managed servers, which usually means SSH key authentication.
  2. Or you use the -A option and type in one password interactively.

I do not like either option:

  1. Setting up trust relationships takes time and extra work before you can do anything.
  2. With -A, all servers are assumed to use the same password, so hosts with different credentials cannot be handled cleanly.

Because of that, I created my own modified version of pssh, which I called insecure_pssh.

Why “insecure”? Because the modified tool allows passwords to be stored directly in the server list file. The host list supports entries in the following formats:

[user[:password]@]host[:port]
host[:port] user password

For example, if the server 192.168.1.123 uses the username root, password 123456, and port 22, the host entry can be written directly like this:

root:123456@192.168.1.123:22

This means you do not need to change anything on the target servers before using the tool, and hosts with different passwords can still be managed in one batch.

Of course, the trade-off is obvious: the hosts.txt file stores passwords in plain text. If the management server is compromised, every password is exposed immediately. That risk needs to be taken seriously.
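One way to keep an eye on that risk is to audit the host list itself. The sketch below is an added example, not code from the insecure_pssh project: it parses the two entry formats listed above and reports which lines carry a plaintext password and whether the file is accessible to other local users, without ever printing a password. The names `parse_entry`, `audit_host_file` and `demo` are hypothetical, the sample entries are constructed, and the parsing follows the formats as written in this post (IPv6 literals are not handled), not the project's own parser.

```python
import os
import re
import tempfile

# Format 1 from the post: [user[:password]@]host[:port] (IPv6 literals not handled)
INLINE = re.compile(r'^(?:(?P<user>[^:@\s]+)(?::(?P<password>.*))?@)?'
                    r'(?P<host>[^:@\s]+)(?::(?P<port>\d+))?$')
# Constructed sample host list; the credentials are made up.
SAMPLE = ("root:123456@192.168.1.123:22\n"
          "192.168.1.124:2222 admin hunter2\n"
          "deploy@192.168.1.125\n")

def parse_entry(line):
    """Parse one host-list line; None for blank lines and comments."""
    fields = line.split()
    if not fields or fields[0].startswith('#'):
        return None
    m = INLINE.match(fields[0])
    if m is None or len(fields) > 3:
        raise ValueError('unrecognised host entry')  # never echo the line
    entry = m.groupdict()
    # Format 2 from the post: host[:port] user password
    entry.update(zip(('user', 'password'), fields[1:]))
    return entry

def audit_host_file(path):
    """Return findings for a host file without echoing any password."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append('file mode %04o lets group/other access it' % mode)
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            try:
                entry = parse_entry(line)
            except ValueError:
                findings.append('line %d: unparseable entry' % lineno)
                continue
            if entry and entry['password'] is not None:
                findings.append('line %d: plaintext password for %s@%s'
                                % (lineno, entry['user'], entry['host']))
    return findings

def demo():
    with tempfile.NamedTemporaryFile('w') as fh:
        fh.write(SAMPLE)
        fh.flush()
        os.chmod(fh.name, 0o644)  # constructed loose mode so the check fires
        return audit_host_file(fh.name)
```

Run against a real hosts.txt, an empty result means no inline passwords were found and the file is readable by its owner only.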

I also added -o StrictHostKeyChecking=no to the ssh and scp commands, so even the first connection to a new host will not stop and ask whether the host key should be saved.

So yes, this is an intentionally unsafe version of pssh, but for my workflow it turned out to be very convenient. Please weigh the risks carefully before using it.

The project is on GitHub here:

https://github.com/knktc/insecure_pssh

Feedback and criticism are welcome.
