Specify private key in SSH as string

Question

I can connect to a server via SSH using the -i option to specify the private key:

ssh -i ~/.ssh/id_dsa user@hostname

I am creating a script that takes the id_dsa text from the database but I am not sure how I can give that string to SSH. I would need something like:

ssh --option $STRING user@hostname

Where $STRING contains the value of id_dsa. I need to know the --option if there is one.

Only reason I asked was to give specific advice on creating temp files. But the info given by @Kimvais is sufficient. — Rajesh J Advani, Aug 21 '12 at 15:40

score 50 · Answer 1 · answered Apr 19 '13 at 10:42

50

Try the following:

echo $KEY | ssh -i /dev/stdin username@host command

The key doesn't appear from a PS statement, but because stdin is redirected it's only useful for single commands or tunnels.

answered Apr 19 '13 at 10:42

user2132025

509
1
4
2

2

Not working with ssh 6.9p1: Pseudo-terminal will not be allocated because stdin is not a terminal. – sivann Nov 09 '15 at 20:04
2

note also, if you use this verbatim, replacing $KEY with your actual key, you'll leak it through your shell's history. The key should really come from stdin, not from shell. – Olaf Kock Mar 02 '17 at 19:27
10

This only gives me: ```@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0660 for '/dev/stdin' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. Load key "/dev/stdin": bad permissions Permission denied (publickey).``` – MPV Apr 10 '17 at 14:47
will work via `fifo`, see https://unix.stackexchange.com/a/235392/78029 – ab77 Jul 18 '18 at 19:36
`$KEY` must be quoted: `echo "$KEY"` – KiriSakow Apr 21 '23 at 14:40

Kimvais · Accepted Answer · 2012-08-21T09:44:27.530

15

There is no such switch - as it would leak sensitive information. If there were, anyone could get your private key by doing a simple ps command.

EDIT: (because of theg added details in comment)

You really should store the key in to a temporary file. Make sure you set the permissions correctly before writing to the file, if you do not use command like mktemp to create the temporary file.

~~Make sure you run the broker (or agent in case of OpenSSH) process and load the key using <whatever command you use to fetch it form the database> | ssh-add -~~

edited Aug 21 '12 at 09:44

answered Aug 20 '12 at 17:47

Kimvais

38,306
16
108
142

3

I am not sure if I understand your second paragraph. I do not want any agent involved. I am using ssh shell command in a Ruby application, where I have an infrastructure with associated a public and private key. With the private key, taken from the record of the infrastructure, I want to connect and run a command on a remote host . That's why I want to keep the private key in the record of the infrastructure. But probably is better to store the path of a file and pass the path to ssh command. – rtacconi Aug 20 '12 at 18:00
3

@rtacconi You could implement the [ssh-agent protocol](http://api.libssh.org/rfc/PROTOCOL.agent). – ephemient Aug 20 '12 at 19:29
@kimvais I checked in the man ssh and I cannot see any option to use a string instead of a file. – rtacconi Aug 21 '12 at 08:31
3

I disagree with this sentiment. I'd argue that transient data is always more secure than permanent data. With the right tools most deleted files can still be read. I'm looking for a solution which receives keys from a server and utilizes them on the fly as part of a CI process. Perhaps a shell is the wrong tool for this? – Alex Jansen Jan 15 '19 at 01:50

SAGAR BHOOSHAN · Answer 3 · 2019-05-21T00:51:03.563

Passing cryptokey as a string is not advisable but for the sake of the question, I would say I came across the same situation where I need to pass key as a string in a script. I could use key stored in a file too but the nature of the script is to make it very flexible, containing everything in itself was a requirement. so I used to assign variable and pass it and echo it as follows :

#!/bin/bash
KEY="${ YOUR SSH KEY HERE INSIDE }"
echo "${KEY}" | ssh -q -i /dev/stdin username@IP 'hostnamectl'
exit 0

Notes: -q suppress all warnings

By the way , the catch here in above script, since we are using echo it will print the ssh key which is again not recommended , to hide that you can use grep to grep some anything which will not be printed for sure but still stdin will have the value from the echo. So the final cmd can be modified as follows :

#!/bin/bash
KEY="${ YOUR SSH KEY HERE INSIDE }"
echo "${KEY}" | grep -qw "less" | ssh -q -i /dev/stdin username@IP 'hostnamectl'
exit 0

This worked for me.

Kruzchy Klaperman · Answer 4 · 2022-08-05T06:39:22.217

I was looking at the same problem. Adding private key content to ssh command via stdin did not work for me. I found out that its possible to add the private key file contents to ssh-agent using the command ssh-add. This will let you ssh into the remote host without explicitly specifying the identity file. My particular usecase was that I didn't want to store the SSH key in cleartext on my machine and was dynamically getting it from a secrets vault. This answer is mostly a collection of other answers on StackOverflow.

ssh-agent is a program to hold private keys used for public key authentication. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh

Source

This is what I have done. First start the ssh-agent.
You can start it from your terminal by simply executing ssh-agent.
OPTIONAL: If you'd like to make sure ssh-agent is running on every login, you can add something like the following to your shell config. This is what I have added to my ~/.bashrc file.

# set SSH_AUTH_SOCK env var to a fixed value
export SSH_AUTH_SOCK=~/.ssh/ssh-agent.sock

# test whether $SSH_AUTH_SOCK is valid
ssh-add -l 2>/dev/null >/dev/null

# if not valid, then start ssh-agent using $SSH_AUTH_SOCK
[ $? -ge 2 ] && ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null

Source (This particular snippet also makes sure new ssh-agent processes are not getting created when there's one already running.)

Now you have the ssh-agent running. Since we're interested in loading SSH key as a string, I'll assume a scenario where private key contents has already been loaded in to a variable, $SSH_PRIVATE_KEY.

I can now add this Key contents to the ssh-agent by executing the following command.

ssh-add - <<< "${SSH_PRIVATE_KEY}"

This can just be added to the bashrc file as well. You can confirm that your key has been added by listing all keys by executing ssh-agent -l. Aaand you're done now.

Try connecting to the remote host and you don't need a private key file.

ssh username@hostname

This does come with extra security risks. These are some I could think of:

Adding the private key to the ssh-agent will let any process on the machine access the key to authenticate remote hosts without explicitly providing any information.
Since the goal is to load Private key as a string, it will either be stored in a variable or the contents embedded directly in the command. This might make the key available in command history, the shell variable and other places.

Specify private key in SSH as string

4 Answers4

Linked

Related