How to avoid being asked "Enter passphrase for key" when I'm doing an ssh operation on a remote host?

46

24

I'm ssh'd into a remote host (Linux, Fedora) and I want to do an ssh operation (git with Bitbucket) there. There is an ssh-agent running on that machine,

$ ps -e|grep sh-agent
 2203 ?        00:00:00 ssh-agent

but when I want to use git, it requires me to enter the passphrase:

$ git pull
Enter passphrase for key '/user/wgong/home/.ssh/id_rsa': 

Note: if I operate on that machine locally, it won't ask me to enter the passphrase

lily

Posted 2015-10-18T03:00:07.260

Reputation: 705

1 I haven't used it, but there's a command ssh-add that I think is used for that kind of thing – barlop – 2015-10-18T03:38:58.970

Answers

85

In my opinion the best way of using ssh

Before using Git add your key to ssh-agent

Start ssh-agent if not started:

$ eval `ssh-agent -s`

Add your private key using ssh-add

$ ssh-add ~/.ssh/id_rsa_key
Enter passphrase for /home/user/.ssh/id_rsa_key:
Identity added: /home/user/.ssh/id_rsa_key
(/home/user/.ssh/id_rsa_key)

Check if the key is added (parameter is a lowercase L):

$ ssh-add -l
2048 55:96:1a:b1:31:f6:f0:6f:d8:a7:49:1a:e5:4c:94:6f
/home/user/.ssh/id_rsa_key (RSA)

Try to connect to your Git server:

$ ssh git.example.com

Now you can use Git without extra passphrase prompts.

Other ways

https://unix.stackexchange.com/questions/90853/how-can-i-run-ssh-add-automatically-without-password-prompt

Roman

Posted 2015-10-18T03:00:07.260

Reputation: 961

but I have used Git add your key to ssh-agent, then how to do? thanks – lily – 2015-10-23T01:41:29.973

@lily Sorry, I don't understand your question. – Roman – 2015-10-23T08:31:27.297

1 This is the solution that worked for me. – Skatox – 2016-09-23T04:34:47.047

@Roman Your solution works for me within the same xterm session. But when I open a new xterm session, I have to do it again. Also the file name for me is “~/.ssh/id_rsa” rather than “~/.ssh/id_rsa_key”. Finally I have found another solution that works for multiple xterm sessions: link where a single command is needed: ssh-add ~/.ssh/id_rsa &>/dev/null

– jonathanzh – 2017-03-30T23:01:22.783

2 How do I make this persistent? Simply put it into .bashrc? – oarfish – 2017-10-14T08:08:44.280

Executed those commands on Windows 10 from Git Bash and it worked! – WallTearer – 2017-10-21T19:30:04.813

1

FYI, the eval is needed because it outputs commands that export environment variables like SSH_AUTH_SOCK that are needed. https://unix.stackexchange.com/questions/351725/why-eval-the-output-of-ssh-agent/351727

– wisbucky – 2019-05-24T20:10:57.180

Does not work for me. All commands were successful; the output from ssh git@github.com was Hi, <name>, you successfully authenticated, but GitHub doesn't provide shell access. Connection to github.com closed. Then I tried git fetch but was asked for the passphrase again and again. – Nikita – 2020-01-19T10:15:46.773
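The comments above ask how to make this persist across new terminal sessions; one way to do that from ~/.bashrc is sketched here as an added example that is not from the answer or its commenters. The file ~/.ssh/agent.env, the 8-hour key lifetime and the function names are assumptions.

```sh
# Added example for ~/.bashrc: reuse one agent across login sessions instead
# of starting a new one per shell. AGENT_ENV is an assumed location.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_state -> "ready" (keys loaded), "empty" (agent up, no keys) or
# "unreachable" (no usable SSH_AUTH_SOCK, or ssh-add not installed).
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ready ;;
        1) echo empty ;;
        *) echo unreachable ;;   # ssh-add exits 2 when it cannot contact an agent
    esac
}

# ensure_agent: point this shell at a live agent, starting one only if needed.
ensure_agent() {
    if [ "$(agent_state)" = unreachable ] && [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null      # try the agent saved by an earlier session
    fi
    if [ "$(agent_state)" = unreachable ]; then
        # Saved file holds the socket path, so keep it readable by the owner only.
        (umask 077; ssh-agent -s > "$AGENT_ENV")
        . "$AGENT_ENV" >/dev/null
    fi
    # Ask for the passphrase once, only when a terminal is attached, and let
    # the agent forget the key after 8 hours (assumed lifetime).
    if [ "$(agent_state)" = empty ] && [ -t 0 ]; then
        ssh-add -t 8h "$HOME/.ssh/id_rsa"
    fi
}
```

Call `ensure_agent` at the end of ~/.bashrc on the remote host; non-interactive commands then find the agent through the saved file but never block on a passphrase prompt.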

24

If you already have ssh-agent running then you can add the key, and you'll have to enter the passphrase once, and once only for that session.

ssh-add ~/.ssh/id_rsa

You don't say what OS you're using, but if it happens to be Linux & Gnome then the "Passwords and Keys" application (CLI name: seahorse) can manage these so they are unlocked when you log in (no passphrase required). Other Linux desktop environments have their own managers. I'm not sure what other OS do here.

ams

Posted 2015-10-18T03:00:07.260

Reputation: 951

3

The main reason for asking for the passphrase is that your key is encrypted. Compare these two:

  • not encrypted

    $ head ~/.ssh/id_rsa 
    -----BEGIN RSA PRIVATE KEY-----            
    AIIAogIBAAKCAQEAtOJQ0Z3ZbyzuknnHqn5oMCmNf8zGmERhW+g5Eftf9daZ5qvZ
    
  • encrypted

    $ head ~/.ssh/id_rsa 
    -----BEGIN RSA PRIVATE KEY-----    
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,A95215C9E9FE00B8D73C58BE005DAD82
    
    ZAzLq/LbHSfOVkXtQz6M6U8yuAx2lIu9bH/k7ksgat92IDjZntRrT1XMpkYtjB+0
    

So you have to do one of the following:

  1. If it's encrypted you can try to remove the encryption.
  2. You're using the wrong key. If you'd like to use a different key, specify another file or edit your ~/.ssh/config and specify a different identity file (IdentityFile).
  3. Run ssh-add -l to list all your identities (then compare with your local) and double check with Stash if you're using the right keys (they exist in the Stash configuration).
  4. If you know passphrase and you want to automate it, try the following workaround:

    PS="my_passphrase"
    install -vm700 <(echo "echo $PS") $PWD/my_pass
    DISPLAY= SSH_ASKPASS=$PWD/my_pass ssh-add - && rm -v my_pass
    

Troubleshooting:

  1. Double check your SSH agent is running (eval "$(ssh-agent -s)").
  2. Re-run git via: GIT_TRACE=1 git pull or with GIT_SSH_COMMAND="ssh -vv" (Git 2.3.0+) to debug your command again.
  3. You can try to bypass asking for the passphrase (which will redirect it into true), but I don't think it'll help. If it asks for it, there is a reason for that and it's basically required.

    DISPLAY= SSH_ASKPASS=/bin/true ssh-add
    

kenorb

Posted 2015-10-18T03:00:07.260

Reputation: 16 795
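Generalizing the comparison in the answer above beyond the legacy PEM layout it shows, this added example (not part of the original answer) reports whether each key file is passphrase-protected, also covering PKCS#8 and the newer OpenSSH key format. The function names and the sample files are constructed for illustration.

```sh
# Added example: classify private key files as passphrase-protected or not
# from their text encoding alone; nothing is decrypted or loaded.

# key_protection FILE -> prints "encrypted", "unencrypted" or "unknown"
key_protection() {
    [ -r "$1" ] || { echo unknown; return 0; }
    header=$(sed -n '/^-----BEGIN /{s/[[:space:]]*$//;p;q;}' "$1")
    case "$header" in
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;   # PKCS#8
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        # The first base64 line encodes "openssh-key-v1\0" plus the cipher name;
        # cipher "none" (no passphrase) always yields the longer prefix below.
        body=$(sed -n '/^-----BEGIN /{n;p;q;}' "$1")
        case "$body" in
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA*) echo unencrypted ;;
        b3BlbnNzaC1rZXktdjEA*)             echo encrypted ;;
        *)                                 echo unknown ;;
        esac ;;
    '-----BEGIN '*'PRIVATE KEY-----')
        # Legacy PEM as shown in the answer: encrypted files carry Proc-Type.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
        else echo unencrypted; fi ;;
    *) echo unknown ;;
    esac
}

# audit_keys DIR -> one "state<TAB>path" line per private key file found
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        [ "$state" = unknown ] || printf '%s\t%s\n' "$state" "$f"
    done
}

# Constructed sample files: headers only, no real key material.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' > "$d/legacy_enc"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructed' > "$d/legacy_plain"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ' > "$d/new_plain"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHI' > "$d/new_enc"
    echo "$d"
}
```

Running `audit_keys ~/.ssh` lists every key file with its state, so unprotected keys on a shared host stand out.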

2

The ssh-add program starts an agent which can hold (and provide) your passphrase. The way to use it remotely is in a parent of your interactive shell (so that the agent does not stop).

Here are a few related questions:

Now... connecting remotely, as a rule your command does not log in as such, so it does not start ssh-add. You could work around this, by executing a script which

  • starts ssh-agent
  • starts ssh-add
  • adds your key
  • runs the command that you want.

The weak point is the second step: you would still get prompted for the passphrase, unless you weaken your security by using a key that has no passphrase. Some people do this, most people advise against.

Thomas Dickey

Posted 2015-10-18T03:00:07.260

Reputation: 6 891

ssh-add does not start the agent. It connects to an already-running agent. – ams – 2015-10-21T15:20:37.303

Thanks - I'm used to doing these in separate scripts, and overlooked the missing part. – Thomas Dickey – 2015-10-21T20:47:51.803

1

You will still get a password prompt to decrypt the private key, even if it is loaded into ssh-agent, until the corresponding SSH public key is added to the remote ~/.ssh/authorized_keys.

To reproduce:

# We are about to ssh to localhost, therefore, unauthorized everyone.
$ rm ~/.ssh/authorized_keys

$ eval $(ssh-agent)
# Agent pid 9290

$ ssh-add
# Enter passphrase for /home/uvsmtid/.ssh/id_rsa: 
# Identity added: /home/uvsmtid/.ssh/id_rsa (/home/uvsmtid/.ssh/id_rsa)

$ ssh localhost
# Enter passphrase for key '/home/uvsmtid/.ssh/id_rsa':
# uvsmtid@localhost's password:
  # NOTE: See password prompt for private key
  #       (and only then prompt for remote login).
  #       Why? Isn't the private key already loaded by `ssh-add`?

$ ssh-copy-id localhost
$ ssh localhost
  # NOTE: No password for private key anymore.
  #       The key is served by `ssh-agent`.

Confusing enough. Remote SSH login password would be enough in this case.

I can speculate that this prevents adding your public key (which is paired with encrypted private key) without knowing encryption password for corresponding private key. It is one-time-per-remote-login procedure anyway.

uvsmtid

Posted 2015-10-18T03:00:07.260

Reputation: 113

0

You can easily remove passphrase of your key by using the following command

ssh-keygen -p

On the first prompt, enter the file path (or press Enter to change the default).
Second prompt, enter the old passphrase.
Next prompt, just press Enter to unset the passphrase.

Looks like this is the easiest way!

Justin Samuel

Posted 2015-10-18T03:00:07.260

Reputation: 1