How do I save an SSH key passphrase for an unattended process?

You can use ssh-agent to do this. It allows you to store a passphrase in memory, rather than on disk. There is a good explanation of doing this for batch jobs here: http://www.akadia.com/services/ssh_agent.html.

Essentially, you:

  1. Run ssh-agent in the background as the user that will be initiating the SSH connection.
  2. Use the ssh-add command to add the key to the agent. It will prompt for the passphrase.

You can automate the running of ssh-agent by adding it to a script run at startup, but you still need to manually prime the agent with the key in order to enter the passphrase. So if you reboot, for example, you'll have to remember to do this.

The point to consider is what you are trying to achieve by having a passphrase on the key being used, given that this is an automated system.

  1. If you use a key with a passphrase and store it in a configuration file then anyone who gains access to the key is likely to have access to the configuration file too, since they would both need to be accessible by the same user.
  2. If you use ssh-agent to store the passphrase then it still needs to run on the same machine as the key. It would be harder to get the passphrase out of memory than from a file, but you've just made their work harder rather than impossible. However, if they gain the key without getting access to the machine (e.g., from a backup), then this option is more secure.
  3. If you do not set a passphrase at all, someone who gets the key has no further work to do to be able to use it.

In all three of these scenarios, you would be wise to plan for the worst and take steps to minimise the damage that could be done by someone who gains access to a usable key. For example, you could:

  • Use a specific user account that only has access to the data being retrieved.
  • Use a key that is only used for this purpose.
  • Restrict what host the key owner can SSH from.
  • Restrict what commands can be run using the key - see this.

On balance, only you can weigh up the pros and cons of these approaches, and whether a manual process is acceptable in your situation.
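The host and command restrictions in the list above correspond to the `from=` and `command=` options in the remote account's authorized_keys file. The following is an added example, not part of the original answer: one function builds such an entry and another audits a file for keys that lack those restrictions. The host address, the `/usr/local/bin/munin-fetch` path and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example: build and audit restricted authorized_keys entries.
# All hosts, paths and keys used with these functions are placeholders.

# Print an authorized_keys line that pins a key to one source host and
# one forced command.
# usage: restricted_entry <from-pattern> <forced-command> <public-key-line>
restricted_entry() {
    from=$1 cmd=$2 pub=$3
    nl='
'
    # A quote or newline would let a value break out of its option field.
    case "$from$cmd" in
        *\"*|*"$nl"*)
            echo "refusing: quote or newline in option value" >&2
            return 1 ;;
    esac
    # The key line must start with a key type, i.e. carry no options yet.
    case "$pub" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *)
            echo "refusing: not a bare public key line" >&2
            return 1 ;;
    esac
    # "restrict" (OpenSSH 7.2 and later) turns off forwarding and pty use.
    printf 'restrict,from="%s",command="%s" %s\n' "$from" "$cmd" "$pub"
}

# Read an authorized_keys file on stdin and print the line number of every
# entry that lacks a from= or a command= option. Returns non-zero if any
# are found. Key types not listed here are flagged for manual review.
audit_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            opts = ""
            # Everything before the key type is the options field.
            if (match($0, /(^|[ \t])(ssh-rsa|ssh-ed25519|ecdsa-sha2-[^ ]+) /))
                opts = substr($0, 1, RSTART)
            if (opts !~ /from="/ || opts !~ /command="/) { print NR; bad = 1 }
        }
        END { exit bad + 0 }'
}
```

Run `audit_keys < ~/.ssh/authorized_keys` on the remote account to list entries that still accept any host or any command.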


Author: David Edwards

Updated on September 18, 2022

Comments

  • David Edwards, almost 2 years

    I've created a passphrase-protected RSA key. The public key is installed on the remote server in authorized_keys in the user's .ssh directory.

    From the requesting server, I can SSH into the remote server without a problem, but I need to enter the passphrase every time I do this.

    I want to use this key for a Munin server to SSH into a Munin node and get data, so the procedure fails because of the passphrase.

    I have thought of two options:

    1. Remove the passphrase from the key.
    2. Save the passphrase somewhere, maybe in a configuration file?

    Is there a better solution?

    I think ssh-agent is supposed to do something like this, but I cannot find concise information about it.