Pass your password to your SSH key via a script
Solution 1
Why not use ssh-agent for this?
See the man page for additional details. :)
Solution 2
I would use an SSH key that doesn't have a passkey. It may be less secure, but any method that will allow unattended use will have the same flaw.
Solution 3
Here are my 2 cents!
- I have a USB drive that is always with me (in my physical key chain).
- I make a second partition of 5 insignificant MB in it. This partition is an encrypted ext4 partition.
- I store my private key (without passkey) in that encrypted partition.
- In my computer I store the password to decrypt this partition in the file manager (I use dolphin) so if I plug the USB drive I can mount the encrypted partition with two single clicks, and if I plug the USB drive in another computer I can mount it typing the password.
- Again in my computer I have symlinked my private keys from where they usually are (~/.ssh/id_rsa) to where they are when mounted with the USB drive. So once mounted I can make a usual ssh without password.
- If I am in another computer I can tell ssh where my key is with the -i flag.
This way I can:
- Login comfortably from my everyday computer
- Log in with a single password from any Linux machine
- Have my private keys always safe with me and in an encrypted filesystem
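The workflow in Solution 3 (keys on an encrypted USB partition, a symlink from ~/.ssh when it is mounted, ssh -i elsewhere) as a small shell helper. This is an added example, not the answer author's own script: the mount point, the device-mapper name, the partition UUID placeholder and the key name are all assumptions set at the top. It also adds the one check ssh itself enforces, that the key file is not group- or world-readable, before handing the path to ssh -i.

```shell
#!/bin/sh
# Added example (not from the original answer): use a private key kept on an
# encrypted USB partition with ssh -i, falling back to ~/.ssh when the stick
# is not plugged in. USB_UUID is a placeholder; all paths are assumptions.

USB_MOUNT="${USB_MOUNT:-/media/usbkeys}"   # assumed mount point of the decrypted partition
USB_MAPPER="${USB_MAPPER:-usbkeys}"        # assumed device-mapper name used by cryptsetup
USB_UUID="${USB_UUID:-PLACEHOLDER-UUID}"   # placeholder: UUID of the LUKS partition
KEY_NAME="${KEY_NAME:-id_rsa}"

# Unlock the LUKS partition and mount it (needs root; cryptsetup prompts for the passphrase).
mount_usb_keys() {
    [ -d "$USB_MOUNT" ] || sudo mkdir -p "$USB_MOUNT"
    sudo cryptsetup open "/dev/disk/by-uuid/$USB_UUID" "$USB_MAPPER" &&
        sudo mount "/dev/mapper/$USB_MAPPER" "$USB_MOUNT"
}

unmount_usb_keys() {
    sudo umount "$USB_MOUNT" && sudo cryptsetup close "$USB_MAPPER"
}

# Print the key path to use: the USB copy when the partition is mounted,
# otherwise the local file/symlink under ~/.ssh. Returns 1 if neither exists.
key_file() {
    if [ -f "$USB_MOUNT/$KEY_NAME" ]; then
        printf '%s\n' "$USB_MOUNT/$KEY_NAME"
    elif [ -f "$HOME/.ssh/$KEY_NAME" ]; then
        printf '%s\n' "$HOME/.ssh/$KEY_NAME"
    else
        return 1
    fi
}

# ssh refuses a private key that others can read; check the mode first
# (GNU stat, with a BSD stat fallback).
key_perms_ok() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_with_key user@host [ssh args...]
ssh_with_key() {
    key=$(key_file) || { echo "no private key found" >&2; return 1; }
    key_perms_ok "$key" || { echo "refusing $key: mode must be 600 or 400" >&2; return 1; }
    ssh -i "$key" "$@"
}
```

Source the file for its functions, or call mount_usb_keys once after plugging the stick in and then ssh_with_key for each login; on the everyday machine the symlink in ~/.ssh means plain ssh also works while the partition is mounted.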
user3398902
Updated on September 17, 2022

Comments
-
user3398902 (almost 2 years):
I am writing a script that will allow me to retrieve a file from all of my servers at once. I have SSH keys in place in order to log into my servers. My SSH key however requires a password.
The script I am writing will not be automated, it will only ever be run manually. So my script prompts the user for the SSH key password.
How can I send the password to the SSH key as it connects to each server? I am trying to avoid having to type my password in for each server.
I know I could use 'expect', but am hoping there is a simple way to do this. Maybe some environment variable?
Thanks.
-
Alex Holst (over 13 years): Expect, and any other form of scripting, is a really poor solution to this problem.
-
user3398902 (over 13 years): To be honest, I've never felt that ssh-agent was a secure idea. I don't really like the idea of it storing my keys. I am probably being overly paranoid though.
-
user3398902 (over 13 years): Yeah I thought of that too, but I was just wondering if there was a simple way. Like you can do with gpg passwords.
-
loislo (over 13 years): The alternative you're proposing is providing a method of getting the encrypted key and password to decrypt it from the filesystem. I can't readily imagine a circumstance in which this is less secure than the unencrypted key being held within a program's memory.
-
Alex Holst (over 13 years): Please describe your security concerns with ssh-agent. (ssh-agent doesn't "store" your key)
-
voretaq7 (over 13 years): The agent is at least as secure as putting your password in a file (more secure if the file isn't mode 600 or more restricted), and far more secure than letting it sit in a shell/environment variable :-) -- If you're paranoid you can always kill off the agent when your script is done.
-
SmallClanger (over 13 years): I agree with voretaq7. Your passphrase will have to be stored in plaintext somewhere. At that point it's not more secure than having an unencrypted private key in the first place.
-
user3398902 (over 13 years): I definitely wasn't thinking of storing the password. My concern is if I walk away from my desk for a second, someone can get access to the servers because of the agent. If I use a script, once my script stops, no one can get access to the servers without my password.
-
voretaq7 (over 13 years): @mhost The simple and obvious solution: Lock your screen before you walk away, and don't share your login info. The less simple solution: Spawn the agent, load the key, spawn & background all your SSH subprocesses, kill the agent (waiting for the subprocesses to terminate is left as an exercise for the scripter :-)
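Solution 1's ssh-agent approach, done the way the comment above sketches it: a throwaway agent for this run only, the key added once (a single passphrase prompt), every fetch backgrounded, then the agent killed once the subprocesses have been waited for, so nothing stays unlocked after the script ends. This is an added example written for this page, not code from any of the posters; the hosts file format, the remote path, the key path and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): fetch one file from many
# servers with a per-run ssh-agent that is killed on exit.
# Hosts file, remote path, key path and output directory are assumptions.

KEY="${KEY:-$HOME/.ssh/id_rsa}"
HOSTS_FILE="${HOSTS_FILE:-$HOME/servers.txt}"   # assumed: one host per line, '#' comments allowed
REMOTE_PATH="${REMOTE_PATH:-/var/log/app.log}"  # assumed remote file to retrieve
OUT_DIR="${OUT_DIR:-./fetched}"

# Print the hosts from a file, one per line, dropping comments, blank lines
# and surrounding whitespace.
read_hosts() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Local destination for a given host's copy of REMOTE_PATH.
local_name() {
    printf '%s/%s.%s\n' "$OUT_DIR" "$1" "$(basename "$REMOTE_PATH")"
}

# Start an agent private to this process and make sure it dies with the script,
# whether the run finishes, fails, or is interrupted.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT INT TERM
    ssh-add "$KEY"   # the one and only passphrase prompt
}

# Run every transfer in the background, then wait for all of them before the
# EXIT trap kills the agent. Returns the number of failed transfers.
fetch_all() {
    mkdir -p "$OUT_DIR"
    pids=""
    for host in $(read_hosts "$HOSTS_FILE"); do
        # BatchMode: fail instead of prompting if the agent cannot authenticate.
        scp -o BatchMode=yes "$host:$REMOTE_PATH" "$(local_name "$host")" &
        pids="$pids $!"
    done
    failed=0
    for pid in $pids; do
        wait "$pid" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ] || echo "$failed transfer(s) failed" >&2
    return "$failed"
}

main() {
    start_agent || exit 1
    fetch_all
}

# Run only when invoked as: ./fetch_all.sh run  (sourcing it just defines the functions)
if [ "${1:-}" = run ]; then main; fi
```

Because the agent is started inside this script and killed by the trap, the key is usable only for the lifetime of the run, which is the property the question is after; an agent already running in the login session is left untouched.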
-
user3398902 (over 13 years): I do always lock my screen. It's more just a precaution in case I ever forget. Anyways, this does answer my question. I really just wanted to know if there was a built-in way to do this. I will use ssh-agent. Thanks.
-
Sumeet Kashyap (over 13 years): Obviously there are security issues in this case, but expect is a useful tool for people to know about.