scp inside sh-script with passphrase

I've got a sh-script for a backup

scp /mybackupdir/* backupuser@backupserver:/backup

Is there an easy way to add a passphrase to the scp? Or do I have to check if an ssh-agent is running and if not start one and add the key?


First, let's sort out some factoids that are easy to confuse:

  • SSH (and hence scp) supports various methods of authentication. The two most popular by far are "password" and "publickey"
  • If one uses "publickey", then the client side has to have a private and a public key file [1]. The private one may or may not be encrypted with a passphrase
  • When the "publickey" method is used, the ssh-agent can hold private keys in memory. This can be handy when a private key file is encrypted and one doesn't want to type in its passphrase time and again. But the ssh-agent is of NO help where the password-based authentication method is used.

In the context of SSH, when people use the term ...

  • ... "password", they usually mean the password-based authentication method
  • ... "passphrase", they usually mean the passphrase a private key file is encrypted with

... but of course that is only a convention and a great source of confusion.


That said, I try to answer your question:

In case you mean password-based SSH authentication:

  • Use a client software that allows to provide the SSH password in batch mode (e.g. as command line option, as STDIN, or as a environment variable). OpenSSH does NOT support this!
  • Or wrap an 'expect' script around ssh/scp, as discussed in [2].
  • Or switch from password-based to publickey authentication.

In case you mean publickey authentication with a passphrase-encrypted private key file:

  • Remove the passphrase protection from the private key file, see e.g. [3].
  • Or preload the key manually into a ssh-agent, and make sure that (a) the ssh-agent is still alive when the script runs, and (b) that the script can find the agent's unix socket ($SSH_AUTH_SOCK)

  • [1] In the case of OpenSSH e.g. ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The content of the latter should get appended to the server-side's ~/.ssh/authorized_keys
  • [2] https://stackoverflow.com/questions/19101879/bash-expect-script-for-ssh
  • [3] https://stackoverflow.com/questions/112396/how-do-i-remove-the-passphrase-for-the-ssh-key-without-having-to-create-a-new-ke

You can't provide passphrase to scp with argument.

However you can use authentication by key: ssh-keygen will generate rsa keys pair for authentication ssh-copy-id will copy your public key to another host.

if you can't or don't want to use authentication by keys then you can write expect script and provide passphrase from this script. It's not most secure way of implementing this!