How to enter ssh passphrase key once and for all


Solution 1

Run ssh-keygen -p. This will allow you to remove the passphrase set on the key. If no passphrase is set, it's stored in clear text, and you can use it without unlocking it:

$ ssh-keygen -p 
Enter file in which the key is (/home/user/.ssh/id_rsa): 
Enter old passphrase: 
Key has comment ''
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

Simply press enter when prompted for passphrase to set no passphrase. After that, you can use your key freely.

Solution 2

You want to use keychain.

The keychain program manages an instance of the key cache program ssh-agent. When ssh-agent is started, two environment variables are created to be eval'd. Normally when the shell is closed where ssh-agent has been started, those environment variables are lost. The keychain program keeps track of those variables across logins and provides shell scripts in the ~/.keychain directory.

There are several ways to run keychain; one method is manually from the command line. Each time you start the shell, use:

eval `keychain --eval`

This will find ssh-agent if it's running, and start it if it's not. Either way, using eval on keychain will set the necessary environment variables where you can add keys using:

ssh-add <private-keyfile>

If private-keyfile has a password, you will be prompted to enter that password during the execution of ssh-add, but as long as ssh-agent is running that will be the last time you need to enter the password for the private key.

Because the eval of keychain sets the SSH_AUTH_SOCK environment variable, any run of ssh will use the ssh-agent to accomplish the authentication.

Another suggestion is to add the keychain execution to your .bashrc file, as suggested in this StackExchange answer.

To terminate keychain just enter the command:

keychain --stop mine

or if you want to bring down all the instances of ssh-agent, enter the command:

keychain --stop all

Just a note: using services such as ssh-agent defeats the security of passworded private key files by storing those authenticated keys in memory. This is not safe, especially with memory side-channel attacks. If you're not interested in key security, the simpler solution is to remove the password on the private key as suggested by @vidarlo.
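
The mechanism described above (saving the agent's environment variables so that later shells reuse one agent) can also be written by hand. The following ~/.bashrc fragment is an added example, not part of the original answer or of keychain's own code; the file name agent.env and the 8-hour key lifetime are assumptions. It uses ssh-add -t so the agent drops the decrypted key after that time, and it replaces a stale saved socket instead of trusting it.

```shell
# Added example for ~/.bashrc (POSIX sh syntax); not keychain's own code.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # assumed file name
KEY_LIFETIME="${KEY_LIFETIME:-8h}"               # assumed policy value

# Map the exit status of `ssh-add -l` to the action to take:
#   0 = agent reachable and holds keys
#   1 = agent reachable but holds no identities
#   2 (or anything else) = no agent could be contacted
agent_action() {
    case "$1" in
        0) echo reuse ;;
        1) echo add-key ;;
        *) echo start-agent ;;
    esac
}

ensure_agent() {
    # Pick up SSH_AUTH_SOCK / SSH_AGENT_PID saved by an earlier shell, if any.
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    action=$(agent_action "$rc")
    if [ "$action" = start-agent ]; then
        # The saved socket is missing or stale: start a fresh agent.
        # umask 077 keeps the saved file readable by this user only.
        (umask 077; ssh-agent -s >"$AGENT_ENV")
        . "$AGENT_ENV" >/dev/null
        action=add-key
    fi
    if [ "$action" = add-key ]; then
        # Prompts for the passphrase once; the agent forgets the key
        # after KEY_LIFETIME, bounding how long it stays in memory.
        ssh-add -t "$KEY_LIFETIME"
    fi
}

# Only act in interactive shells, so scripts and scp are never prompted.
case $- in
    *i*) ensure_agent ;;
esac
```
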

Solution 3

Simple answer is No.
That defeats the purpose (i.e. protection) if it's sustained across reboots.
You can however sustain it across login sessions and even across multiple terminals.

  • If you want to sustain across login sessions but are OK to enter password once per terminal, then add eval $(ssh-add) to .bash_profile

  • If you want to do it once per system reboot, then install keychain, change your ~/.ssh/config file to add keys to the keychain (AddKeysToAgent yes) and do the above step as well.


Author: Liso

Updated on September 18, 2022

Comments

  • Liso
    Liso over 1 year

    I have set up a password-less setup for ssh that uses public key authentication to connect with desired remote server, everything has been working quite well.

    I'm using a passphrase to unlock the private key, using this solution; the problem is that it asks for the password every time I start my system.

    I found this to be troublesome. I want to enter it only once and for all, so the next time I boot up the session I won't have to enter it again. Is there something like a cached key that holds my passphrase and works across sessions (and also survives a reboot)?

    Would it be possible to achieve all of this whilst keeping my ssh passphrase intact?

  • Liso
    Liso over 4 years
    I don't want to disable passphrase altogether, just wondering if it is possible to enter it only once and never have to enter it again.
  • vidarlo
    vidarlo over 4 years
    That's effectively the same as disabling it...
  • tudor -Reinstate Monica-
    tudor -Reinstate Monica- over 4 years
    @vidarlo No, it's not the same as disabling it. Removing the passphrase means that anyone who mistakenly gains access to the key would be able to use it without effort. This is a huge security risk that is drastically different to using a software-based (or even hardware-based) key safe, mainly because it may be years before you discover that your key has been copied.
  • Liso
    Liso over 4 years
    Not the answer I was looking for, but it seems this is the best way. I still want to make it password protected, though.
  • MuhsinFatih
    MuhsinFatih almost 3 years
    This is not what the OP asked for, and it introduces a security vulnerability which the OP's method's purpose was to avoid in the first place. You need to use a keychain instead. I would mark @John J.'s answer as accepted.
  • therobyouknow
    therobyouknow over 2 years
    +1 I found this to work: You'll be asked for the passphrase just once at login. As per instructions on keychain site, I put in .bash_profile: eval `keychain --eval --agents ssh ssh_key1 ssh_key2` - in my case I had 2 ssh keys - so I'll be asked for each one, but only once. In my .ssh config file I also have a line under Host * which is AddKeysToAgent, but I don't know if that is needed.
  • therobyouknow
    therobyouknow over 2 years
    I'm using this with Ubuntu 20.04 on WSL2 on Windows. Once I've entered the passphrases once in one terminal, I can open other terminals and not be asked again. I can even close all terminals and open one and it still works, keychain puts a message in the terminal to say it found the keys (which I'd entered the passphrases for).