This isn't an answer to your question, rather a question itself. Why not use ssh keys?

Just concatenate your id_dsa.pub/id_rsa.pub/identity.pub file(s) into a file called authorized_keys. Place that in your ~/.ssh directory on each host. Then fire up ssh-agent, type ssh-add, and enter your password for your private key. Now, you won't have to type your password in whenever you go to a host that has your authorized_keys file. It makes life SOOOO much simpler. ;-)

See also: ssh(1), ssh-keygen(1), ssh-agent(1), ssh-add(1).

I plan on home-cooking something with cfengine2 to push out key files to a /etc/ssh/authorized_keys.d directory and changing this directive in sshd_config:

    AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u.keys

That way, users don't need home directories to log in, and I've got a central location in which to manage access. This works well in a corporate environment where sysadmins/engineers are in charge of system security. We allow people to update their own authorized_keys files on a primary shell server, then copy them to a central location (i.e. cfengine master server/CVS repository) to be distributed to individual hosts.

There are other security tie-ins you can use. For example, if you're using some form of Kerberos, there is a Kerberized SSH daemon you can install, bypassing the need for password authentication or ssh keys entirely.

Chad
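
An added example, not part of the original message: a POSIX shell audit of a central key directory like the /etc/ssh/authorized_keys.d layout described above. It flags entries not named <user>.keys, symlinks, group- or world-writable files, and lines that do not look like public keys. The function names, finding labels and the list of accepted key types are choices made for this example.

```sh
#!/bin/sh
# Added example: audit a central key directory (e.g. /etc/ssh/authorized_keys.d).
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
KEY_RE='(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'

# True if the path is writable by group or others.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

audit_keys_dir() {
    dir=$1
    findings=0
    if loose_perms "$dir"; then
        echo "WRITABLE-DIR $dir"; findings=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory: glob did not match
        name=${f##*/}
        case $name in
            *.keys) ;;
            *) echo "UNEXPECTED-NAME $name"; findings=1; continue ;;
        esac
        # A symlink could point sshd at a file the user controls.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "NOT-REGULAR-FILE $name"; findings=1; continue
        fi
        if loose_perms "$f"; then
            echo "WRITABLE-FILE $name"; findings=1
        fi
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in
                ''|'#'*) continue ;;            # blank lines and comments are allowed
            esac
            # Expected shape: [options] keytype base64 [comment]
            if ! printf '%s\n' "$line" | grep -Eq "$KEY_RE"; then
                echo "BAD-KEY-LINE $name:$n"; findings=1
            fi
        done < "$f"
    done
    return "$findings"
}

# Usage: sh audit_keys.sh /etc/ssh/authorized_keys.d
if [ "$#" -gt 0 ]; then audit_keys_dir "$1"; fi
```

The check covers file modes only; ownership of the directory and its files still has to be verified on the host, since the test for "who may write here" depends on the account the distribution tool runs as.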