6

Is there a way to pass the contents of a private key directly to the scp command instead of having to copy it to a file and pointing at it via the -i /path/to/key.pem option?

So instead of doing:

```
scp -i key.pem source target
```

Can I do something like the following?

```
scp -i '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAMIIEowIBAA...\n' source target
```

Of course I tried this and it doesn't work but maybe this can be achieved with some BASH piping, output redirection, or something like that.

The reason I need to do this is because I can't store the keys in the filesystem (it's a very long and boring story) and this command will need to be executed millions and millions of times with a different key each time so the extra disk i/o will be significant in our results.

Julian
  • 545
  • 3
  • 6
  • 16
  • 1
    I take your point except the bit about "*extra disk i/o*". If this key is being written ephemerally to a file, used, and then deleted, the chance of it being written to disc is nearly zero. Unless the system is very, very quiet, it will almost certainly be cached in RAM for the whole of its short lifetime. You could even get explicit and write it to a `tmpfs` file system to provably never touch the discs. If the IO is the sole reason you're doing this, I'd say don't bother. – MadHatter May 02 '14 at 08:06
  • Would it be possible to mount a ramdisk, and store keys in that? – Gordon Davisson May 02 '14 at 14:25
  • @MadHatter, I omitted part of the problem because it is very hard to explain. The truth is that this is not an actual shell but some sort of hybrid that only has a couple of commands available (scp being one). We can't actually control the environment nor install anything on it. Passing the key in the command line will save me A LOT of coding, that's why I'm asking but I do have -long- ways around this. GordonDavisson, no I can't mount a ramdisk or "point" the key to an external location unfortunately. – Julian May 02 '14 at 17:52
  • Would it be possible to copy the files the other way around? Start scp on the target machine and copy from the source machine? – Gerald Schneider May 03 '14 at 07:31
  • @GeraldSchneider We don't have previous knowledge of what machines we will need to connect to and as time goes by this number will go up, so this isn't an option. – Julian May 03 '14 at 16:31
  • 3
    Julian, I suspect this has turned into a classic example of [the XY problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) - you want to do X, have decided the right way is Y, can't make Y work and so ask about Y in isolation. Anything we say then fails because of undisclosed problems with X. Thus, such questions tend to get poor answers, or as in this case, none at all. I strongly recommend you overhaul this question to ask about what you're really trying to do (or delete it, and ask a new one). – MadHatter May 06 '14 at 07:47
  • @MadHatter I agree though I haven't decided the right way to do this. I can't disclose any more than I have so far and it seems that this does not have a direct solution. As I said, I have alternatives around this problem though not as performant. I will vote to close this question per your suggestion. – Julian May 06 '14 at 17:11
  • Duplicate: https://stackoverflow.com/questions/24116454/using-ssh-keys-with-scp-and-ssh – Melroy van den Berg Oct 29 '22 at 21:48

2 Answers

4

If you can't disclose any more information we really can't help you: Questions on Server Fault need to provide sufficient context for us to intelligently analyze the problem, and this one doesn't.

What I can tell you definitively is that "passing the key on the command line" is a Bad Idea: if you do this you inherit all the problems discussed in this question which basically mean anyone on the machine can see your private key. (This is why the ssh, scp, and sftp commands don't let you do it.)

Consider using ssh-agent to handle your keys instead -- there are some additional implications here, but you can basically store your keys on the filesystem, load them into the agent, and then allow the agent to pass the keys along to the client for authentication purposes (which should solve, or at least reduce your performance issues).

If ssh-agent is not suitable for your needs you're pretty much down to hacking and recompiling the SSH client to support what you want in some way.

voretaq7
  • 79,879
  • 17
  • 130
  • 214
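
One way to apply the ssh-agent suggestion in the answer above without ever writing a key file, as an added example that is not part of the original answer: the key is piped to `ssh-add -` over stdin, so it appears neither on disk nor in any process's argument list. It assumes OpenSSH's `ssh-agent` and `ssh-add` are available and that the key has no passphrase; `with_agent_key` is a hypothetical helper name.

```shell
# Added example (not from the original answer). Assumes OpenSSH client tools.
#
# with_agent_key KEY_PEM CMD [ARGS...]
#   Starts a throwaway agent, loads KEY_PEM into it over stdin, runs CMD
#   with SSH_AUTH_SOCK pointing at that agent, then kills the agent.
#   Returns CMD's exit status, or 1 if the agent or key load failed.
with_agent_key() (
    # The ( ) body runs in a subshell, so the agent variables set below
    # never leak into (or clobber) the caller's environment.
    key_pem=$1
    shift

    # Drop any inherited agent so the cleanup trap can only kill our own.
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    eval "$(ssh-agent -s)" >/dev/null || exit 1
    [ -n "${SSH_AGENT_PID:-}" ] || exit 1
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT

    # printf is a shell builtin, so the key is not placed in any argv that
    # "ps" or /proc/<pid>/cmdline would show. "ssh-add -" reads the private
    # key from standard input instead of from a file.
    printf '%s\n' "$key_pem" | ssh-add - >/dev/null 2>&1 || exit 1

    # ssh, scp and sftp pick up the agent through SSH_AUTH_SOCK.
    "$@"
)

# Typical call, with the key held in a (non-exported) shell variable:
#   with_agent_key "$KEY_PEM" scp source target
```

Keep the key in a plain shell variable rather than an exported one, since exported variables are copied into the environment of every child process.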
0

If you absolutely have to specify the file on the command line, you can upload a file like this:

```
echo -ne '-----BEGIN ...\n' | ssh target_host "cat > ~/.ssh/authorized_keys"
```

The -n option to echo suppresses the trailing newline. The -e option expands escape characters like \n. If you want to append to a file instead of replacing it, you can use >> instead of >.