Pass your password to your SSH key via a script

Solution 1

Why not use ssh-agent for this?
See the man page for additional details. :)
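
The ssh-agent approach above turned into a working script, as an added example that is not part of the original answer (it also follows the pattern voretaq7 describes in the comments: spawn an agent, load the key, background the SSH subprocesses, kill the agent). The passphrase is typed once, at the `ssh-add` prompt; the decrypted key lives only in a throwaway agent that is killed when the script exits. The file names `servers.txt`, `~/.ssh/id_rsa`, `/var/log/app.log` and `./collected` are assumptions for illustration, not anything the original post specifies.

```shell
#!/bin/sh
# Added example, not part of the original answer: fetch one file from every
# server in a list while typing the key passphrase only once, using an
# ssh-agent that exists only for the duration of the run.
# Assumed names (change to taste): servers.txt, ~/.ssh/id_rsa,
# /var/log/app.log on the servers, ./collected locally.
set -eu

SERVERS="${SERVERS:-servers.txt}"
KEY="${KEY:-$HOME/.ssh/id_rsa}"
REMOTE_FILE="${REMOTE_FILE:-/var/log/app.log}"
OUTDIR="${OUTDIR:-./collected}"

# Hosts from the list file, one per line, ignoring blank lines and # comments.
server_list() {
    grep -Ev '^[[:space:]]*(#|$)' "$SERVERS"
}

# Kill the throwaway agent; the decrypted key lives only in its memory.
stop_agent() {
    ssh-agent -k >/dev/null 2>&1 || true
}

# Start a private agent for this script only. The EXIT trap guarantees it is
# killed when the script ends, including on Ctrl-C, so no agent holding the
# key is left behind on the desktop after the run.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    trap stop_agent EXIT
    trap 'exit 130' INT TERM
}

# ssh-add prompts for the passphrase once, on the terminal. -t bounds how long
# the key stays loaded (seconds) as a backstop if the process dies with SIGKILL
# and the trap never runs.
load_key() {
    ssh-add -t 900 "$KEY"
}

# Copy the file from all hosts in parallel; each scp authenticates through the
# agent. BatchMode=yes makes scp fail instead of prompting if the agent has no
# key the host accepts, so one bad host cannot hang the whole batch.
fetch_all() {
    mkdir -p "$OUTDIR"
    for host in $(server_list); do
        scp -o BatchMode=yes -o ConnectTimeout=10 \
            "$host:$REMOTE_FILE" "$OUTDIR/$host.log" \
            || echo "failed: $host" >&2 &
    done
    wait    # every copy has finished before the EXIT trap stops the agent
}

main() {
    [ -r "$SERVERS" ] || { echo "cannot read server list: $SERVERS" >&2; exit 1; }
    start_agent
    load_key
    fetch_all
}

# Run with:  ./collect.sh run
case "${1:-}" in
    run) main ;;
esac
```

Because the agent is started by the script and killed by its EXIT trap, nothing is left holding the key once the copies finish, which is exactly the "walked away from my desk" worry raised in the comments; `ssh-add -t` is only a backstop for the case where the trap never gets to run.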

Solution 2

I would use an SSH key that doesn't have a passkey. It may be less secure, but any method that will allow unattended use will have the same flaw.

Solution 3

Here are my 2 cents!

  • I have a USB drive that is always with me (in my physical key chain).
  • I make a second partition of an insignificant 5 MB on it. This partition is an encrypted ext4 partition.
  • I store my private key (without passkey) in that encrypted partition.
  • On my computer I store the password to decrypt this partition in the file manager (I use Dolphin), so if I plug in the USB drive I can mount the encrypted partition with two clicks, and if I plug the USB drive into another computer I can mount it by typing the password.
  • Again, on my computer I have symlinked my private keys from where they usually are (~/.ssh/id_rsa) to where they are when the USB drive is mounted. So once it is mounted I can do a usual ssh without a password.
  • If I am in another computer I can tell ssh where my key is with the -i flag

This way I can:

  • Login comfortably from my everyday computer
  • Log in with a single password from any Linux machine
  • Have my private keys always safe with me and in an encrypted filesystem
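
The USB-vault workflow above as commands, as an added example that is not the answer author's own script. It assumes the small second partition is `/dev/sdb2`, that it is unlocked under the device-mapper name `sshvault` and mounted at `/mnt/sshvault`, and that the key is stored inside the vault as `keys/id_rsa`; none of those names come from the answer. One caveat the answer leaves implicit: ssh refuses a private key whose mode is not 0600, and it checks that through the symlink, so the vault filesystem has to preserve Unix permissions, which is a reason the ext4 choice matters.

```shell
#!/bin/sh
# Added example, not the answer author's own script: the USB-vault workflow
# as commands. Assumptions: the small second partition is /dev/sdb2, it is
# unlocked under the device-mapper name "sshvault" and mounted at
# /mnt/sshvault, and the key is stored inside it as keys/id_rsa.
set -eu

DEV="${DEV:-/dev/sdb2}"
NAME="${NAME:-sshvault}"
MNT="${MNT:-/mnt/sshvault}"
OWNER="${SUDO_USER:-$(id -un)}"   # the user who will own the key files

# One-time setup, as root. LUKS protects the partition with the vault password;
# ext4 (the answer's choice) matters because ssh refuses a private key whose
# mode is not 0600, and a FAT partition cannot store Unix permissions at all.
make_vault() {
    cryptsetup luksFormat "$DEV"           # asks for the vault password
    cryptsetup open "$DEV" "$NAME"         # asks for it again to unlock
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
    mkdir -m 700 "$MNT/keys"
    ssh-keygen -t rsa -b 4096 -N '' -f "$MNT/keys/id_rsa"   # no passphrase, as in the answer
    chown -R "$OWNER" "$MNT/keys"
    chmod 600 "$MNT/keys/id_rsa"
}

# On another computer (or without the file manager): unlock and mount by typing
# the vault password; the key is then used explicitly with ssh -i (see "ssh" below).
open_vault() {
    cryptsetup open "$DEV" "$NAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
}

close_vault() {
    umount "$MNT"
    cryptsetup close "$NAME"
}

# On the everyday computer: point ~/.ssh/id_rsa at the key inside the vault.
# A plain "ssh host" then works whenever the drive is mounted and fails closed
# (dangling symlink, no key) when it is not. Prints the link target.
link_key() {
    vault_key="$MNT/keys/id_rsa"
    mkdir -p "$HOME/.ssh"
    chmod 700 "$HOME/.ssh"
    # never silently destroy a real key that already lives in ~/.ssh
    if [ -f "$HOME/.ssh/id_rsa" ] && [ ! -L "$HOME/.ssh/id_rsa" ]; then
        echo "refusing to replace a real key at ~/.ssh/id_rsa; move it first" >&2
        return 1
    fi
    rm -f "$HOME/.ssh/id_rsa" "$HOME/.ssh/id_rsa.pub"
    ln -s "$vault_key" "$HOME/.ssh/id_rsa"
    ln -s "$vault_key.pub" "$HOME/.ssh/id_rsa.pub"
    readlink "$HOME/.ssh/id_rsa"
}

case "${1:-}" in
    make)  make_vault ;;
    open)  open_vault ;;
    close) close_vault ;;
    link)  link_key ;;
    ssh)   shift; exec ssh -i "$MNT/keys/id_rsa" "$@" ;;   # from a foreign machine
esac
```

`make` and `open` need root and a real block device, so they are only run on purpose; `link` is the everyday-computer step and refuses to overwrite a real key already sitting in `~/.ssh`, since the symlink replaces it permanently.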

Author: user3398902

Updated on September 17, 2022

Comments

  • user3398902
    user3398902 almost 2 years

    I am writing a script that will allow me to retrieve a file from all of my servers at once. I have SSH keys in place in order to log into my servers. My SSH key however requires a password.

    The script I am writing will not be automated, it will only ever be run manually. So my script prompts the user for the SSH key password.

    How can I send the password to the SSH key as it connects to each server? I am trying to avoid having to type my password in for each server.

    I know I could use 'expect', but am hoping there is a simple way to do this. Maybe some environment variable?

    Thanks.

  • Alex Holst
    Alex Holst over 13 years
    Expect, and any other form of scripting, is a really poor solution to this problem.
  • user3398902
    user3398902 over 13 years
    To be honest, I've never felt that ssh-agent was a secure idea. I don't really like the idea of it storing my keys. I am probably being overly paranoid though.
  • user3398902
    user3398902 over 13 years
    Yeah I thought of that too, but I was just wondering if there was a simple way. Like you can do with gpg passwords.
  • loislo
    loislo over 13 years
    The alternative you're proposing is providing a method of getting the encrypted key and password to decrypt it from the filesystem. I can't readily imagine a circumstance in which this is less secure than the unencrypted key being held within a program's memory.
  • Alex Holst
    Alex Holst over 13 years
    Please describe your security concerns with ssh-agent. (ssh-agent doesn't "store" your key)
  • voretaq7
    voretaq7 over 13 years
    the agent is at least as secure as putting your password in a file (more secure if the file isn't mode 600 or more restricted), and far more secure than letting it sit in a shell/environment variable :-) -- If you're paranoid you can always kill off the agent when your script is done.
  • SmallClanger
    SmallClanger over 13 years
    I agree with voretaq7. Your passphrase will have to be stored in plaintext somewhere. At that point it's not more secure than having an unencrypted private key in the first place.
  • user3398902
    user3398902 over 13 years
    I definitely wasn't thinking of storing the password. My concern is if I walk away from my desk for a second, someone can get access to the servers because of the agent. If I use a script, once my script stops, no one can get access to the servers without my password.
  • voretaq7
    voretaq7 over 13 years
    @mhost The simple and obvious solution: Lock your screen before you walk away, and don't share your login info. The less simple solution: Spawn the agent, load the key, spawn & background all your SSH subprocess, kill the agent (waiting for the subprocesses to terminate is left as an exercise for the scripter :-)
  • user3398902
    user3398902 over 13 years
    I do always lock my screen. It's more just a precaution in case I ever forget. Anyways, this does answer my question. I really just wanted to know if there was a built-in way to do this. I will use ssh-agent. Thanks.
  • Sumeet Kashyap
    Sumeet Kashyap over 13 years
    Obviously there are security issues in this case, but expect is a useful tool for people to know about.