5

I am writing a script that will allow me to retrieve a file from all of my servers at once. I have SSH keys in place in order to log into my servers. My SSH key however requires a password.

The script I am writing will not be automated, it will only ever be run manually. So my script prompts the user for the SSH key password.

How can I send the password to the SSH key as it connects to each server? I am trying to avoid having to type my password in for each server.

I know I could use 'expect', but am hoping there is a simple way to do this. Maybe some environment variable?

Thanks.

voretaq7
mhost

5 Answers

16

Why not use ssh-agent for this?
See the man page for additional details. :)

voretaq7
  • To be honest, I've never felt that ssh-agent was a secure idea. I don't really like the idea of it storing my keys. I am probably being overly paranoid though. – mhost Jan 26 '11 at 19:15
  • 2
    The alternative you're proposing is providing a method of getting the encrypted key and password to decrypt it from the filesystem. I can't readily imagine a circumstance in which this is less secure than the unencrypted key being held within a program's memory. – Jeff Ferland Jan 26 '11 at 19:17
  • 1
    Please describe your security concerns with ssh-agent. (ssh-agent doesn't "store" your key) – Alex Holst Jan 26 '11 at 19:18
  • 2
    the agent is at least as secure as putting your password in a file (more secure if the file isn't mode 600 or more restricted), and far more secure than letting it sit in a shell/environment variable :-) -- If you're paranoid you can always kill off the agent when your script is done. – voretaq7 Jan 26 '11 at 19:18
  • I agree with voretaq7. Your passphrase will have to be stored in plaintext *somewhere*. At that point it's not more secure than having an unencrypted private key in the first place. – SmallClanger Jan 26 '11 at 19:22
  • I definitely wasn't thinking of storing the password. My concern is if I walk away from my desk for a second, someone can get access to the servers because of the agent. If I use a script, once my script stops, no one can get access to the servers without my password. – mhost Jan 26 '11 at 19:23
  • @mhost The simple and obvious solution: Lock your screen before you walk away, and don't share your login info. The less simple solution: Spawn the agent, load the key, spawn & background all your SSH subprocess, kill the agent (waiting for the subprocesses to terminate is left as an exercise for the scripter :-) – voretaq7 Jan 26 '11 at 19:30
  • I do always lock my screen. It's more just a precaution in case I ever forget. Anyways, this does answer my question. I really just wanted to know if there was a built-in way to do this. I will use ssh-agent. Thanks. – mhost Jan 26 '11 at 19:50
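The pattern voretaq7 sketches in the comments (spawn an agent, load the key once, run the connections, kill the agent) as a complete script. This is an added example, not code from the thread or from any of its participants; the key path, the server-list file, the remote file and the output directory are all assumed and can be overridden through the environment. Run it as `./fetch-all.sh /etc/hostname`.

```shell
#!/bin/sh
# Added example: retrieve one file from every server in a list, prompting
# for the key passphrase exactly once via a throw-away ssh-agent that is
# killed when the script exits (trap), so no agent outlives the run.
# Assumed (hypothetical) defaults: key in ~/.ssh/id_rsa, one host per line
# in ~/servers.txt ("#" comments and blank lines ignored), copies written
# to ./fetched/<host>__<basename>.
set -u

KEY="${KEY:-$HOME/.ssh/id_rsa}"
SERVERS="${SERVERS:-$HOME/servers.txt}"
OUTDIR="${OUTDIR:-./fetched}"

# Print the usable host entries from a server-list file.
read_servers() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Local file name for a host's copy of a remote path: OUTDIR/host__basename
local_name() {
    printf '%s/%s__%s\n' "$OUTDIR" "$1" "$(basename "$2")"
}

# Start a private agent for this run and make sure it dies with the script.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null || return 1
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT INT TERM
    ssh-add "$KEY"    # the single passphrase prompt of the whole run
}

# Copy $1 from every server. BatchMode=yes means a host that rejects the
# key fails immediately instead of falling back to a password prompt.
fetch_all() {
    remote="$1"
    fail=0
    mkdir -p "$OUTDIR"
    for host in $(read_servers "$SERVERS"); do
        dest=$(local_name "$host" "$remote")
        if scp -o BatchMode=yes -o ConnectTimeout=10 "$host:$remote" "$dest"; then
            echo "ok   $host"
        else
            echo "FAIL $host" >&2
            fail=1
        fi
    done
    return "$fail"
}

main() {
    start_agent || { echo "could not start ssh-agent" >&2; exit 1; }
    fetch_all "$1"
}

# Only connect anywhere when a remote path is given on the command line.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

The agent's socket and PID live only in this script's environment, so other shells on the machine never see the loaded key, and the `EXIT` trap removes it the moment the last `scp` returns, which addresses the walk-away concern raised above without involving expect or a plaintext passphrase.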
1

I would use an SSH key that doesn't have a passkey. It may be less secure, but any method that will allow unattended use will have the same flaw.

1

Here are my 2 cents!

  • I have a USB drive that is always with me (in my physical key chain).
  • I make a second partition of an insignificant 5 MB on it. This partition is an encrypted ext4 partition.
  • I store my private key (without passkey) in that encrypted partition.
  • On my computer I store the password to decrypt this partition in the file manager (I use dolphin), so if I plug in the USB drive I can mount the encrypted partition with two clicks, and if I plug the USB drive into another computer I can mount it by typing the password.
  • Again, on my computer I have symlinked my private keys from where they usually are (~/.ssh/id_rsa) to where they are when the USB drive is mounted. So once it is mounted I can do a normal ssh without a password.
  • If I am on another computer I can tell ssh where my key is with the -i flag.

This way I can:

  • Login comfortably from my everyday computer
  • Log in with a single password from any linux machine
  • Have my private keys always safe with me and in an encrypted filesystem
dantefff
0

Expect is the solution that comes to mind first...

Check this script example, as it is close to what you're looking for.

ewwhite
  • Expect, and any other form of scripting, is a really poor solution to this problem. – Alex Holst Jan 26 '11 at 19:13
  • Yeah I thought of that too, but I was just wondering if there was a simple way. Like you can do with gpg passwords. – mhost Jan 26 '11 at 19:15
  • Obviously there are security issues in this case, but expect is a useful tool for people to know about. – pjc50 Mar 02 '11 at 13:33
0

The easiest solution is to install the sshpass package and use it like:
sshpass -p password ssh -i keyfile.pem user@server

Arash