I am trying to add a key to ssh-agent and want ssh-add to read the password from the key file I'm using. How is this possible?
How do I automate this process from the shell script?
Asked
Active
Viewed 5.6k times
48
-
1Why not just store a copy of the key without any password applied in the same place with the same permissions as you would store the password? – Charles Duffy Oct 19 '15 at 18:50
-
See https://unix.stackexchange.com/questions/90853/how-can-i-run-ssh-add-automatically-without-a-password-prompt and https://stackoverflow.com/questions/18880024/start-ssh-agent-on-login – icc97 Jan 14 '21 at 11:46
-
... and https://unix.stackexchange.com/a/571744 – djvg Oct 06 '21 at 12:23
7 Answers
50
Depending on your distribution and on the version of ssh-add you may be able or not to use the -p option of ssh-add that reads the passphrase from stdin in this way:
cat passfile | ssh-add -p keyfile
If this is not working you can use Expect, a Unix tool to make interactive applications non-interactive. You'll have to install it from your package manager.
I have written a tool for you in expect. Just copy the content in a file named ssh-add-pass and set executable permissions on it (chmod +x ssh-add-pass). You can also copy it to /usr/bin or /usr/local/bin to be accessible from the $PATH search.
#!/bin/bash
if [ $# -ne 2 ] ; then
echo "Usage: ssh-add-pass keyfile passfile"
exit 1
fi
eval $(ssh-agent)
pass=$(cat $2)
expect << EOF
spawn ssh-add $1
expect "Enter passphrase"
send "$pass\r"
expect eof
EOF
The usage is simply: ssh-add-pass keyfile passfile
Ed Neville
- 155
- 1
- 10
enrico.bacis
- 30,497
- 10
- 86
- 115
-
4there is no -[Pp] option in ssh-add - error ssh-add: illegal option -- P – Satish Oct 23 '12 at 16:06
-
1It used to have in some distributions. Which distribution are you using? I'll let the answer so people with a compatible distribution may find it useful. – enrico.bacis Oct 23 '12 at 16:12
-
1They closed the question, but I still wanted to help. Try the new way I posted and let me know! – enrico.bacis Oct 23 '12 at 17:17
-
I have a one more issue related above script how do i add "ssh-agent bash" command in it. problem is it spawn a new shell and it failed. – Satish Oct 23 '12 at 18:34
-
-
without ssh-agent you can't run ssh-add command. check out https://spaces.seas.harvard.edu/display/USERDOCS/Storing+Your+Keys+-+SSH-Agent,+Agent+Forwarding,+and+Keychain – Satish Oct 23 '12 at 18:46
-
No, its not working. you have to run "ssh-agent bash" option it won't work without bash argument? – Satish Oct 24 '12 at 13:52
-
1Try to change the `eval $(ssh-agent)` with `ssh-agent bash` or with `eval \`ssh-agent -s\`` – enrico.bacis Oct 24 '12 at 14:24
-
1I have tried `eval` ```ssh-agent -s``` and it ran all commands but after that script return back to original bash and it lost that key. Its all depend on spawning bash and use same bash to run ssh-add – Satish Oct 24 '12 at 14:31
-
I suggest you to start another question because now the question is not how to pass a passphrase to ssh-add (which you know now and is the question asked here), but is how to script ssh-agent + ssh-add. I suggest you to add also your distribution version in the new question. Hope it helps :) – enrico.bacis Oct 24 '12 at 14:52
-
let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/18528/discussion-between-enrico-bacis-and-satish) – enrico.bacis Oct 24 '12 at 16:57
18
Similar to the answer by kenorb, but doesn't save the secret in a file:
$ SSH_ASKPASS=/path/to/ssh_give_pass.sh ssh-add $KEYFILE <<< "$KEYPASS"
where ssh_give_pass.sh is:
#!/bin/bash
# Parameter $1 passed to the script is the prompt text
# READ Secret from STDIN and echo it
read SECRET
echo $SECRET
If you have you secret in a $KEYPASSFILE, read it into a variable first with
KEYPASS=`cat $KEYPASSFILE`
Also make sure that ssh_give_pass.sh is not editable by unauthorized users - it will be easy to log all secrets passed through the script.
Ray Shannon
- 189
- 1
- 3
-
Very nice! I think this could be improved even more- since the questioner wants this as part of a script, you can go: SSH_ASKPASS="$0", and then have – cmc Feb 12 '19 at 15:26
-
3This is by far the most elegant- no saving passwords anywhere. Tiny shortening, replace read SECRET ; echo $SECRET with cat Also, since this is for use in a script, the script itself can double as askpass using SSH_ASKPASS=$0, then check $1 to see if is being called normally or as askpass – cmc Feb 12 '19 at 16:17
-
3if DISPLAY isn't set, ssh-add won't respect the SSH_ASKPASS variable. So in case the above solution isn't working, check this one first. – petkov.np Jul 31 '19 at 18:33
-
2@petkov.np `DISPLAY=:0 SSH_ASKPASS=/path/to/ssh_give_pass.sh ssh-add $KEYFILE <<< "$KEYPASS"` – aff Oct 09 '20 at 08:30
-
-
-
1
-
No, @Jon, the variable is DISPLAY and the desired value is ":0", a colon followed by the number zero. In bash, ${DISPLAY:=0} will CONDITIONALLY set DISPLAY to just "0" (without the important COLON character) if DISPLAY is not already set -- this was not the intent. – dashrb Aug 10 '22 at 18:50
12
Here is some workaround for systems not supporting -p:
$ PASS="my_passphrase"
$ install -vm700 <(echo "echo $PASS") "$PWD/ps.sh"
$ cat id_rsa | SSH_ASKPASS="$PWD/ps.sh" ssh-add - && rm -v "$PWD/ps.sh"
where ps.sh is basically your script printing your passphrase. See: man ssh-add.
To make it more secure (to not keep it in the same file), use mktemp to generate a random private file, make it executable (chmod) and make sure it prints the passphrase to standard output once executed.
kenorb
- 155,785
- 88
- 678
- 743
-
1Very creative way to fake-out interactive input in this special case where `ssh-add` allows you to swap-out the `SSH_ASKPASS` binary per-call like that. – Mike Atlas Dec 19 '15 at 02:51
-
3Correct, but `ps.sh` is a security risk, and a rm is a quite weak way to hide it, you should at least do a `shred -u`, but even shred is inefficient on modern fs like ext4 and a lot more on btrfs. So create your file in shared memory `/dev/shm` or `/run/user/
`, and shred it after use. An other option is to put `ps.sh` on an encrypted filesystem. – marcz Apr 15 '16 at 09:35 -
This solution works great for me, but only if I set `DISPLAY=:0` as the man page for ssh-add suggests (Ubuntu 16.04) – Antoine Cotten May 23 '16 at 14:03
-
On my Bionic, I had to redirect ssh-add's stdin from /dev/null, as the man page suggested. – Egor Tensin May 20 '18 at 15:41
11
On my Ubuntu system, none of the answers worked:
ssh-adddid not support the-poption.ssh-addignored SSH_ASKPASS, insisting on prompting for the passphrase on the controlling terminal.- I wanted to avoid installing additional packages, especially
expect.
What worked in my case was:
password_source | SSH_ASKPASS=/bin/cat setsid -w ssh-add keyfile
password_source isn't really a program: it just represents whatever feeds the passphrase to ssh-add. In my case, it is a program that executes setsid and writes the passphrase to its stdin. If you keep your passphrase in a file, you are responsible for making the simple modifications: I will not enable you to hurt yourself.
setsid was already installed, and detaches the controlling terminal so that ssh-add will not try to use it to prompt for the passphrase. -w causes setsid to wait for ssh-add to exit and make its return code available. /bin/cat has the same effect as the script Ray Shannon provided, but uses a standard tool instead of replicating its functionality with a script.
Steven Crain
- 179
- 2
- 3
-
Works perfectly on a relatively clean Debian; in my specific case it was: source | setsid -w ssh-keygen -p -f keyfile – Dawid Toton Jul 09 '21 at 20:16
-
Did you try to also provide SSH_ASKPASS_REQUIRE=force? I had to use that as soon had access to either the tty or DISPLAY – Adrien Nader Oct 14 '22 at 10:43
0
With this minimal changes worked for me this bash script of @enrico.basis
#!/bin/bash
if [ $# -ne 2 ] ; then
echo "Usage: ssh-add-pass passfile keyfile"
exit 1
fi
eval 'ssh-agent -s'
passwordToFileSSH=$1
pathFileSSH=$2
expect << EOF
spawn ssh-add $pathFileSSH
expect "Enter passphrase"
send "$passwordToFileSSH\r"
expect eof
EOF
Max
- 21
- 4
0
Came here looking for a specific solution, to load ssh-add from pass the unix password manager. Thanks to the great answers here, I put together a script that does this for me:
#!/usr/bin/env bash
# Get password from pass
set -euo pipefail
keyfile=$(echo "$1" | /usr/bin/env sed -n 's/Enter passphrase for \(.*\):\s*$/\1/p');
echo "Extracted key filename $keyfile" >&2
[[ -z "${keyfile}" ]] && exit 1
comment=$(/usr/bin/env ssh-keygen -l -f "$keyfile" | /usr/bin/env awk '{print $3}')
echo "Comment from keyfile $keyfile is $comment" >&2
[[ -z "${comment}" ]] && exit 1
passphrase=$(/usr/bin/env pass show "ssh/$comment")
[[ -z "${passphrase}" ]] && exit 1
echo "got passphrase for comment $comment: XXX" >&2
echo "$passphrase"
Invoked with this:
env SSH_ASKPASS=/usr/local/bin/pass-ssh-askpass.sh SSH_ASKPASS_REQUIRE=force ssh-add
This wouldn't be possible without the answers here, so thanks for that, making this as community wiki for the greater good.
Once my ssh-add supports the -p option, I'll look into a different solution, but until then this will have to do.
Shameless plug: https://github.com/YarekTyshchenko/pass-ssh-askpass
Yarek T
- 9,715
- 2
- 28
- 38
-8
The best way is to generate a key without a passphrase
Raed_bhk
- 1
-
If you have a new question, please ask it by clicking the [Ask Question](https://stackoverflow.com/questions/ask) button. Include a link to this question if it helps provide context. - [From Review](/review/late-answers/32963911) – Klapaucius Klapaucius Oct 21 '22 at 19:15