How to avoid being asked "Enter passphrase for key" when I'm doing an ssh operation on a remote host?
In my opinion the best way of using ssh
Before using Git add your key to ssh-agent
Start ssh-agent if not started:
$ eval `ssh-agent -s`
Add your private key using ssh-add
$ ssh-add ~/.ssh/id_rsa_key
Enter passphrase for /home/user/.ssh/id_rsa_key:
Identity added: /home/user/.ssh/id_rsa_key (/home/user/.ssh/id_rsa_key)
Check if the key is added (parameter is a lowercase L):
$ ssh-add -l
2048 55:96:1a:b1:31:f6:f0:6f:d8:a7:49:1a:e5:4c:94:6f /home/user/.ssh/id_rsa_key (RSA)
Try to connect to your Git server:
$ ssh git.example.com
Now you can use Git without extra passphrase prompts.
Other ways
https://unix.stackexchange.com/questions/90853/how-can-i-run-ssh-add-automatically-without-password-prompt
If you already have ssh-agent running then you can add the key, and you'll have to enter the passphrase once, and once only for that session.
ssh-add ~/.ssh/id_rsa
You don't say what OS you're using, but if it happens to be Linux & Gnome then the "Passwords and Keys" application (CLI name: seahorse) can manage these so they are unlocked when you log in (no passphrase required). Other Linux desktop environments have their own managers. I'm not sure what other OS do here.
You can easily remove the passphrase of your key by using the following command:
ssh-keygen -p
On the first prompt, enter the file path (or press Enter to use the default)
Second prompt, enter the old passphrase
Next prompt, just press enter to unset the passphrase
Looks like this is the easiest way!
The main reason for passphrase asking is that your key is encrypted, compare these two:
- not encrypted
$ head ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
AIIAogIBAAKCAQEAtOJQ0Z3ZbyzuknnHqn5oMCmNf8zGmERhW+g5Eftf9daZ5qvZ
- encrypted
$ head ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,A95215C9E9FE00B8D73C58BE005DAD82
ZAzLq/LbHSfOVkXtQz6M6U8yuAx2lIu9bH/k7ksgat92IDjZntRrT1XMpkYtjB+0
So you have to do one of the following:
- If it's encrypted you can try to remove the encryption.
- You're using the wrong key. If you'd like to use a different key, specify another file or edit your ~/.ssh/config and specify a different identity file (IdentityFile).
- Run ssh-add -l to list all your identities (then compare with your local) and double check with Stash if you're using the right keys (they exist in the Stash configuration).
- If you know the passphrase and you want to automate it, try the following workaround:
PS="my_passphrase"
install -vm700 <(echo "echo $PS") $PWD/my_pass
DISPLAY= SSH_ASKPASS=$PWD/my_pass ssh-add - && rm -v my_pass
Troubleshooting:
- Double check your SSH agent is running (eval "$(ssh-agent -s)").
- Re-run git via: GIT_TRACE=1 git pull or with GIT_SSH_COMMAND="ssh -vv" (Git 2.3.0+) to debug your command again.
- You can try to bypass asking for the passphrase (which will redirect it into true), but I don't think it'll help. If it asks for it, there is a reason for that and it's basically required.
DISPLAY= SSH_ASKPASS=/bin/true ssh-add
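The header comparison in the answer above, turned into a read-only check that can be run over key files to find ones stored without a passphrase. This is an added example, not part of the original answer; it goes beyond the legacy PEM format shown there and also covers the newer OpenSSH and PKCS#8 containers. The function names and sample files are constructed, and a `base64 -d` command is assumed to be available.

```shell
#!/bin/sh
# Added example: classify a private key file from its header alone.
# Prints encrypted, unencrypted or unknown; never handles a passphrase.
key_encryption() {
    [ -r "$1" ] || { echo unknown; return 0; }
    first=$(head -n 1 "$1" | tr -d '\r')
    magic=6f70656e7373682d6b65792d763100   # hex of "openssh-key-v1\0"
    case $first in
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;                  # PKCS#8, always protected
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Body = magic, then a length-prefixed cipher name. The cipher is
        # "none" (00 00 00 04 6e 6f 6e 65) when no passphrase is set.
        hdr=$(sed '/^-----/d' "$1" | tr -d '\r' | base64 -d 2>/dev/null |
              od -An -v -tx1 -N 23 | tr -d ' \n')
        case $hdr in
        "${magic}000000046e6f6e65") echo unencrypted ;;
        "$magic"*) echo encrypted ;;
        *) echo unknown ;;
        esac ;;
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM, the format shown in the answer: an encrypted key has
        # "Proc-Type: 4,ENCRYPTED" right after the BEGIN line.
        if sed -n '2,3p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
            echo encrypted
        else
            echo unencrypted
        fi ;;
    *) echo unknown ;;
    esac
}

# Constructed sample files: headers only, not usable keys.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' > "$1/pem_enc"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructed' > "$1/pem_plain"
    for c in none aes256-ctr; do
        { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
          { printf 'openssh-key-v1\000\000\000\000'
            printf "\\$(printf '%03o' "${#c}")%s" "$c"; } | base64
          echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/ossh_$c"
    done
}

tmp=$(mktemp -d) && make_samples "$tmp"
for k in "$tmp"/*; do printf '%s: %s\n' "${k##*/}" "$(key_encryption "$k")"; done
rm -rf "$tmp"
```

To audit real keys, call `key_encryption` on each file under `~/.ssh` instead of the constructed samples.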
The ssh-add program starts an agent which can hold (and provide) your passphrase. The way to use it remotely is in a parent of your interactive shell (so that the agent does not stop).
Here are a few related questions:
- Running ssh-agent from a shell script
- Start ssh-agent on login
- Using ssh-agent with ssh
Now... connecting remotely, as a rule your command does not log in as such, so it does not start ssh-add. You could work around this, by executing a script which
- starts ssh-agent
- starts ssh-add
- adds your key
- runs the command that you want.
The weak point is the second step: you would still get prompted for the passphrase, unless you weaken your security by using a key that has no passphrase. Some people do this, most people advise against.