7

I've got a sh-script for a backup

scp /mybackupdir/* backupuser@backupserver:/backup

Is there an easy way to add a passphrase to the scp? Or do I have to check if an ssh-agent is running and if not start one and add the key?

Stephan Weinhold

5 Answers

6

You can't provide a passphrase to scp as an argument.

However, you can use authentication by key: ssh-keygen will generate an RSA key pair for authentication, and ssh-copy-id will copy your public key to another host.

If you can't or don't want to use authentication by keys, then you can write an expect script and provide the passphrase from this script. It's not the most secure way of implementing this!

Navern
  • +1 for this answer. If you create a passphraseless custom keypair for this purpose, then (a) revoking access if it gets lost is much easier, and (b) you can tie that particular key down in terms of source hosts and commands in `authorized_keys`. – MadHatter Aug 20 '14 at 14:43
6

First, let's sort out some factoids that are easy to confuse:

  • SSH (and hence scp) supports various methods of authentication. The two most popular by far are "password" and "publickey"
  • If one uses "publickey", then the client side has to have a private and a public key file [1]. The private one may or may not be encrypted with a passphrase
  • When the "publickey" method is used, the ssh-agent can hold private keys in memory. This can be handy when a private key file is encrypted and one doesn't want to type in its passphrase time and again. But the ssh-agent is of NO help where the password-based authentication method is used.

In the context of SSH, when people use the term ...

  • ... "password", they usually mean the password-based authentication method
  • ... "passphrase", they usually mean the passphrase a private key file is encrypted with

... but of course that is only a convention and a great source of confusion.


That said, I'll try to answer your question:

In case you mean password-based SSH authentication:

  • Use client software that allows providing the SSH password in batch mode (e.g. as a command-line option, via STDIN, or as an environment variable). OpenSSH does NOT support this!
  • Or wrap an 'expect' script around ssh/scp, as discussed in [2].
  • Or switch from password-based to publickey authentication.

In case you mean publickey authentication with a passphrase-encrypted private key file:

  • Remove the passphrase protection from the private key file, see e.g. [3].
  • Or preload the key manually into an ssh-agent, and make sure that (a) the ssh-agent is still alive when the script runs, and (b) the script can find the agent's Unix socket ($SSH_AUTH_SOCK).

Nils Toedtmann
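The agent check from the last bullet of the answer above, as an added example that is not part of the original answer. The function names `agent_status` and `run_backup` are hypothetical; the source directory and destination are the ones from the question.

```shell
#!/bin/sh
# Added example: refuse to start the backup unless a usable ssh-agent
# with a preloaded key can be reached through $SSH_AUTH_SOCK.

SRC_DIR=/mybackupdir                      # from the question
DEST=backupuser@backupserver:/backup      # from the question

# agent_status returns:
#   0  agent reachable and holding at least one key
#   1  SSH_AUTH_SOCK unset, or it does not point at a Unix socket
#   2  agent reachable but no keys loaded
#   3  agent not reachable through the socket (stale socket, no ssh-add)
agent_status() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    add_rc=0
    # ssh-add -l exits 0 with keys, 1 with none, 2 if the agent is unreachable
    ssh-add -l >/dev/null 2>&1 || add_rc=$?
    case $add_rc in
        0) return 0 ;;
        1) return 2 ;;
        *) return 3 ;;
    esac
}

run_backup() {
    st=0
    agent_status || st=$?
    case $st in
        0) ;;
        1) echo "backup: SSH_AUTH_SOCK is not an agent socket" >&2; return 1 ;;
        2) echo "backup: agent holds no keys, run ssh-add first" >&2; return 1 ;;
        *) echo "backup: agent behind SSH_AUTH_SOCK does not answer" >&2; return 1 ;;
    esac
    # BatchMode=yes makes scp fail instead of prompting for a passphrase
    # or password, so an unattended run cannot hang on a prompt.
    scp -o BatchMode=yes "$SRC_DIR"/* "$DEST"
}

# Start the backup only when invoked as: sh backup.sh run
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```
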
1

You should read this post:

3 Steps to Perform SSH Login Without Password Using ssh-keygen

and you can change your script to this:

rsync --rsh='ssh -p(Type your SSH port)' -av /yourBackupDir backupUser@backupserver.example.com:/backup | mail -s "backup on `hostname`" your@email.account
d.b
1

You don't need ssh-agent for publickey authentication. You can simply pass the required key to ssh or scp with the -i command line argument.

kichik
  • `-i` will prompt for a password if the private key is password protected. That's what they mean with "with passphrase" – Demur Rumed Oct 22 '20 at 14:58
0

If you do not want to be asked for a passphrase, enter an empty passphrase (this is not the password of either the source or the remote client system) while creating the (RSA) key pair (public-private) using ssh-keygen.

jornane