Remove sshpass from denylist #15879

Closed
sprive opened this issue Aug 16, 2023 · 9 comments · Fixed by #15979
Labels
features New features outdated PR was locked due to age

Comments

@sprive

sprive commented Aug 16, 2023

Provide a detailed description of the proposed feature

Use fdesetup status to confirm the Brew user has FileVault set to On. This will signify the user's scripts are protected at rest using OS-level encryption. If Off, then blacklist sshpass. If On, then issue a caution and a prompt to allow continuing.

What is the motivation for the feature?

Embedded Linux devices do not allow you to install SSH keys (read-only filesystems are quite common). Yet you must still automate against these targets.

How will the feature be relevant to at least 90% of Homebrew users?

For the popular workaround, Brew users are being diverted to tap random GitHub repos.
This means non-novice users have to vet what the repo is doing, but novice users are blindly pulling in unvetted repos.

What alternatives to the feature have been considered?

Linux

@sprive sprive added the features New features label Aug 16, 2023
@sprive
Author

sprive commented Aug 16, 2023

  1. unblacklist sshpass #13986
  2. Add SSHPASS #13254
  3. something something sshpass. #7994
  4. Insecure sshpass behavior #6236
  5. Add sshpass #5167
  6. Consider removing sshpass from the blacklist #4198

It looks like ThumbsUp voting is disabled on these, which makes it difficult to measure community sentiment. But the current mechanism to discourage use does impact a lot of folk.

@sprive
Author

sprive commented Aug 16, 2023

From #4198: "I think this is the best fit for now. You can create a sshpass formula in a tap and if it's widely used we may consider it being added into Homebrew/core."

Is that usage number published, and has sshpass reached that criteria?

@MikeMcQuaid
Member

Thanks for the issue @sprive!

Is that usage number published, and has sshpass reached that criteria?

You can see on https://formulae.brew.sh/analytics/install/365d/. sshpass doesn't show up until ~1000 but it occurs a few times after that.

Given that, unless other @Homebrew/maintainers object, I'm game to remove this blacklist and add it into Homebrew/homebrew-core with suitable caveats.

@carlocab
Member

Given that, unless other @Homebrew/maintainers object, I'm game to remove this blacklist and add it into Homebrew/homebrew-core with suitable caveats.

This is fine with me, but I'd like to understand more what the security concerns regarding sshpass are exactly too. (But presumably this will show up in the proposed caveats.)

@sprive
Author

sprive commented Aug 16, 2023

Thanks! Raising the security concerns I'm aware of, and presenting them as copy pasta, if this looks suitable:

Using SSHpass presents the risk of sensitive server credentials becoming stolen by other accounts or software running on your Mac. If these credentials are work related or sensitive, before using SSHpass please discuss this with your Compliance team.

When possible, using staged SSH keys is always easier and more secure than SSHpass. Use FileVault to encrypt your disk: if your Mac is stolen, at least the contents are unreadable to others. With your SSH targets, avoid using identical credentials on multiple systems. If you use source control, .gitignore can block committing of filenames you specify, so they do not accidentally become public.

Caveats:

  • When supplying credentials to your SSH command, it is slightly more secure to use -f [filename], or -e ($SSHPASS env var) than the -p option. This is also a general best practice (keep secrets out of code, in case the code is shared or committed to source control).
  • It is always a risk that any accounts, users or processes on your Mac can expose your plaintext password file or ENV vars.

Probably too lengthy for the command warning. Cheers.
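The check proposed in the issue body (gate the install on `fdesetup status`, refuse when FileVault is Off, warn and prompt when On) together with the caveat text above, sketched in Ruby since that is what Homebrew is written in. This is an added example, not Homebrew's own code or a patch from this thread; the `fdesetup status` output is passed in as a string (constructed samples) so the logic runs off macOS, and the function names are made up for illustration.

```ruby
# Added example, not Homebrew code. Models the proposed sshpass gate:
# parse `fdesetup status`, block when FileVault is Off, caution + prompt when On.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off." on its first line.
FILEVAULT_RE = /^FileVault is (On|Off)\./

# Returns :on, :off, or :unknown (output we do not recognise).
def filevault_state(status_output)
  m = status_output.match(FILEVAULT_RE)
  return :unknown unless m

  m[1] == "On" ? :on : :off
end

# Condensed form of the caveats suggested in this thread.
SSHPASS_CAVEAT = <<~EOS
  sshpass keeps plaintext credentials where other accounts or software on
  this Mac may read them. Prefer staged SSH keys where possible. If you must
  use sshpass, pass the password with -f <file> or -e ($SSHPASS) rather than
  -p, keep that file out of source control, and do not reuse it across hosts.
EOS

# Decide whether the install may proceed. `confirm` is a callable that shows
# the caveat and returns true if the user chooses to continue.
# Returns [allowed, message].
def sshpass_install_decision(status_output, confirm:)
  case filevault_state(status_output)
  when :off
    [false, "sshpass is blocked: FileVault is Off, so credential files are not encrypted at rest."]
  when :on
    confirm.call(SSHPASS_CAVEAT) ? [true, SSHPASS_CAVEAT] : [false, "Install aborted at user's request."]
  else
    [false, "Could not determine FileVault state from `fdesetup status`; refusing to install sshpass."]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of what `fdesetup status` prints on an encrypted Mac.
  sample = "FileVault is On.\n"
  allowed, msg = sshpass_install_decision(sample, confirm: ->(caveat) { puts caveat; true })
  puts(allowed ? "proceeding with install" : msg)
end
```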

@github-actions

github-actions bot commented Sep 7, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Sep 7, 2023
@sprive
Author

sprive commented Sep 7, 2023

What now needs to happen for this proposed change to move forward?

@github-actions github-actions bot removed the stale No recent activity label Sep 7, 2023
@MikeMcQuaid MikeMcQuaid changed the title Confirm FileVault is On, then "are you sure" prompt to allow sshpass install. Remove sshpass from denylist Sep 7, 2023
@MikeMcQuaid
Member

Someone needs to open the relevant PR.

@github-actions github-actions bot added the outdated PR was locked due to age label Oct 9, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 9, 2023