SSH – How to Cache Password if SSH-Keys Are Forbidden

Connection reuse

SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)

With OpenSSH you have ControlMaster and ControlPath options (-M and -S) to make use of this:

1. Start a 'master' SSH connection using -M. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using -S. It needs to live long, so I add the -fN options to drop to background; they're technically optional otherwise.)

   $ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
   foo@bar.example.com's password:
   

   You're back to the local shell.

2. Start a new connection through the master:

   $ ssh foo@bar.example.com -S ~/.ssh/bar.socket
   

   You're in.

3. To make this useful for Git/rsync/SFTP, you need to set up ControlPath in your configuration, because you won't be able to specify -S all the time:

   Host *
       ControlPath ~/.ssh/S.%r@%h:%p
   

You can automate this – recent OpenSSH versions also have ControlPersist which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.

1. Configuration in ~/.ssh/config:

   Host *
       ControlPath ~/.ssh/S.%r@%h:%p
       ControlMaster auto
       ControlPersist 15m
   

2. First connection asks for password:

   $ ssh foo@bar.example.com
   foo@bar.example.com's password:
   [foo@bar:~]$ exit
   

3. The second doesn't:

   $ ssh foo@bar.example.com
   [foo@bar:~]$ yay
   

To control the multiplex master (stop it or configure TCP forwardings), use the -O option.

A similar method is supported by recent PuTTY versions.