That is because you cannot use sshpass to provide a passphrase, only a password, as in user/password as opposed to private-key ssh.

Assuming you are using Jenkins (and since you are me, you are), we can resolve the problem by following this strategy:

- obtain key and passphrase
- set up ssh wrapper to use the keyfile automatically
- set up ssh-agent to enable provisioning of passphrase and automatic handout upon request by ssh
- use expect to install passphrase in ssh-agent

Thanks to @jayhendren for turning me on to the ssh-agent plugin.

The Jenkins pipeline Groovy code:
```groovy
/**
 * Generate a stand-in executable for ssh to ensure we use the correct id and do not look in home's .ssh dir
 * @param keyPath path to the private key file
 * @return path to shell script wrapper for ssh
 */
def getSshWrapper(def keyPath) {
    def wrapper = "${pwd()}/ssh"
    // "$@" (rather than $*) hands every argument to ssh unchanged, even one containing spaces
    writeFile file: wrapper, text: """#!/usr/bin/env sh
/bin/ssh -i "${keyPath}" "\$@"
"""
    sh "chmod 700 ${wrapper}"
    return wrapper
}

/**
 * Enable ssh and git to use a deploy key with a passphrase
 * @param credentialId jenkins id of private key / passphrase
 * @param closure actions to perform
 * @return result of actions
 */
def withDeployKey(def credentialId, closure) {
    def result
    // Start ssh agent and add key
    def helperFilesDir = './build/helperFiles'
    // Put the wrapper directory first on PATH so git finds our ssh before /bin/ssh
    def envSettings = ["PATH=${helperFilesDir}:${env.PATH}"]
    withEnv(envSettings) {
        withCredentials([sshUserPrivateKey(credentialsId: credentialId,
                                           passphraseVariable: 'PASSPHRASE',
                                           keyFileVariable: 'KEY_FILE_PATH')]) {
            println "Setup Ssh Wrapper to use credentials key"
            dir(helperFilesDir) {
                getSshWrapper(KEY_FILE_PATH)
            }
            // Run closure
            println "run closure"
            sshagent(credentials: [credentialId]) {
                result = closure()
            }
        }
    }
    return result
}
```
Example:

```groovy
withDeployKey('my-deploy-key') {
    sh "git clone git@github:me/myrepo.git"
}
```
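What the agent steps of the strategy above amount to in plain shell, without expect or sshpass, as an added example that is not part of the original answer. The function names `load_key` and `with_agent_key` and the `ASKPASS_ONCE` variable are hypothetical; it assumes the OpenSSH client tools and an exported `PASSPHRASE`, the variable name bound by `withCredentials` in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.
# Assumes OpenSSH client tools and an exported $PASSPHRASE.

# load_key KEYFILE: add a passphrase-protected key to the agent in $SSH_AUTH_SOCK.
load_key() {
    helper=$(mktemp) || return 1
    once="$helper.once"
    : > "$once"
    # The helper holds no secret: it echoes $PASSPHRASE from the environment.
    # It answers the first prompt only. ssh-add re-prompts after a rejected
    # passphrase, so a helper that always answers would never return.
    cat > "$helper" <<'EOF'
#!/bin/sh
[ -e "$ASKPASS_ONCE" ] || exit 1
rm -f "$ASKPASS_ONCE"
printf '%s\n' "$PASSPHRASE"
EOF
    chmod 700 "$helper"
    load_rc=0
    # DISPLAY covers OpenSSH older than 8.4, which ignores SSH_ASKPASS_REQUIRE.
    DISPLAY=none SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force \
        ASKPASS_ONCE="$once" ssh-add "$1" </dev/null >/dev/null 2>&1 || load_rc=$?
    rm -f "$helper" "$once"
    return "$load_rc"
}

# with_agent_key KEYFILE CMD [ARGS...]: run CMD with the key loaded in a
# private agent that is killed afterwards, whatever CMD returns.
with_agent_key() {
    keyfile=$1
    shift
    eval "$(ssh-agent -s)" >/dev/null || return 1
    rc=0
    if load_key "$keyfile"; then
        "$@" || rc=$?
    else
        rc=2   # key could not be loaded (wrong passphrase, unreadable file)
    fi
    ssh-agent -k >/dev/null 2>&1
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return "$rc"
}
```

A call such as `with_agent_key "$KEY_FILE_PATH" git clone <repo-url>` returns 2 instead of hanging when the passphrase does not match the key.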