How to use ssh-client with connection details known only at run-time

I have a database containing IP addresses and credentials.
I can fetch the rows and execute a for-each loop.
Inside the loop, I want to use ssh-client or similar to connect to the IP address using credentials, execute a command, then close the connection.

How am I able to connect using variables, and not have to hardcode details?

Welcome to the forum @mwhitele

How are you doing it with hard coded credentials?

[Edit] Are you using node-red-contrib-ssh-client (node) - Node-RED? Looking at its GitHub repository it hasn't been updated in three years, has no readme, and has unaddressed open issues, so I would advise against using that one.

Personally I would use an Exec node for this and execute ssh using that.

TY. Would you mind posting how I can Exec against hostname, username and password values that are stored in variables?

How would you do it with fixed credentials if you were running ssh in a terminal?

[Edit] Hmm, you can't specify the password in the command line. Which would actually be a bad thing to do anyway.

Can't you set up key authorisation? It would make it much simpler and more secure.

I’m writing the flow without knowing anything about the Linux endpoints that I want to use at runtime. I don’t know the IP address, username and password. I’d know, however, that I’ll be connecting using the ssh protocol.

At runtime, I will get the IP address, username and password from a database table

I’ll loop through the result set

For each iteration, I wish to execute some command (that does not matter for the sake of this question) on the Linux system loop.ipaddress, authenticated by loop.username and loop.password... and then close the connection

How do I get these loop variables into ssh-client or exec?

SSH is designed to stop you doing anything that will lead to you getting hacked, that is why you can't specify the password in the command line. You may be able to achieve what you want using sshpass. https://www.cyberciti.biz/faq/noninteractive-shell-script-ssh-password-provider/

Why can't you use public/private keys and keep those in files, or even in the database I suppose?

Thanks, I’ll go research keys. In the meantime, how can I get my loop.hostname variable into ssh-client and exec ... I’d be interested in knowing for both ssh-client and Exec please

Don't know about ssh-client. For use in an exec node you just have to build the appropriate command and pass it to the exec node. So first work out what the command line you want to execute is, then you just have to build a string containing that.

This is a very bad idea from any security perspective.

You should be using at the very least a secure keystore.

If what you are connecting to has any kind of value to you, your organisation or your customer(s), you should get a security professional to review and report on the issues and recommend solutions.

Exec allows msg properties to be passed to the command. Have a play with it, you will soon get the hang.

Thanks for the guidelines. I did research security keys and closed that hole. I’ll go play with Exec now

I suggest putting just ssh as the command in the exec node and then build the parameter string in the payload to pass to it.
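
Added example (not posted by anyone in this thread): one way to build that parameter string in a function node placed before the exec node, assuming key authentication as discussed above. The row fields `host` and `user`, the key path and the command allowlist are assumptions; the database values are validated because in exec mode the resulting string is run through a shell.

```javascript
// Assumed names: KEY_FILE, COMMANDS, row.host, row.user (not from the thread).
const KEY_FILE = "/home/nodered/.ssh/id_ed25519"; // hypothetical private key path
// Remote commands are fixed by the flow author, never read from the database.
// Keep them free of shell metacharacters, since they are passed unquoted.
const COMMANDS = { uptime: "uptime", disk: "df -h /" };

// Letters, digits, dots and hyphens only; a label can never start with "-",
// so a database value cannot be read by ssh as an option. Covers IPv4 literals.
const HOST = /^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;
// Conservative POSIX-style login name.
const USER = /^[a-z_][a-z0-9_-]{0,31}$/;

function buildSshArgs(row, commandName) {
    const host = String(row.host ?? "");
    const user = String(row.user ?? "");
    if (!HOST.test(host)) {
        throw new Error("rejected host: " + JSON.stringify(host));
    }
    if (!USER.test(user)) {
        throw new Error("rejected user: " + JSON.stringify(user));
    }
    if (!Object.prototype.hasOwnProperty.call(COMMANDS, commandName)) {
        throw new Error("unknown command: " + JSON.stringify(commandName));
    }
    return [
        "-i", KEY_FILE,
        "-o", "BatchMode=yes",                    // fail instead of prompting for a password
        "-o", "StrictHostKeyChecking=accept-new", // option suggested later in this thread
        "-o", "ConnectTimeout=10",
        `${user}@${host}`,
        COMMANDS[commandName],
    ].join(" ");
}

// In the function node (exec node command set to just: ssh):
//   msg.payload = buildSshArgs(msg.payload, "uptime");
//   return msg;
```
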

I’ve been successful with Exec. The command I’m executing sometimes asks for confirmation to proceed with “Confirm?”. I can’t get spawn working such that it reads each line output from the command.

I would like to test a line for “Confirm?” then send “Y” back to the input stream. On completion, I want to send “exit”

Are there any examples or videos on how to do this sort of thing please?

What is the command you are running and under what conditions does it ask? That is what is asking for the confirm so you must adjust it (or the system) so that it does not ask.

[Edit] If it is asking something like
RSA key fingerprint is 96:a9:23:5c:cc:d1:0a:d4:70:22:93:e9:9e:1e:74:2f.
Are you sure you want to continue connecting (yes/no)?

Then that is produced the first time you connect to a new host.

Add into the ssh command
-o StrictHostKeyChecking=accept-new
Try it in a terminal first to see if it works and prevents the confirmation request.

I’m after examples of “expect” processing.

  1. Am I able to see each line as it comes back from the exec command? The description of exec spawn says I can, but I can’t get it working. Please post an example… if there is one. Does spawn actually work? So far, I’ve seen that it does not.

  2. “Confirm?” is one of any number of different “expect” messages coming back from the server, each requiring a different response. I want to set up responses. I’m automating a current manual interactive process.

In that case this is nothing to do with the subject line of the thread. I suggest you start a new thread and someone who knows how to do that will probably help. When you do that please post a flow that you think should work but does not.

A final thought here, if the s/w is asking for input specifically on the keyboard rather than via stdin/stdout/stderr then I don't think it can be done, though I may be wrong. Nothing to do with node-red, you would have the same issue using any s/w.

Perhaps you need something like one of these:

@TotallyInformation I like the look of ssh2shell! Thank you for posting. How do I call that from Node-RED ... I do not see it in "Manage palette". I've tried creating a function to call it, but no luck, probably because I'm new to Node-RED.

I've not tried it so you may need some messing to get it to do what you want.

The function node will take an external npm module and will do the necessary for you. Details in the node-red docs.