How to make ssh-add read passphrase from a variable? - ssh

I want to load an SSH key protected by a passphrase from a variable with ssh-add.
When I load it from a file it works well, like this:
eval $(ssh-agent)
DISPLAY=1 SSH_ASKPASS="passwordfile" ssh-add id_rsa < /dev/null
Now I want to assign the passphrase and the id_rsa to variables and use something like this:
eval $(ssh-agent)
DISPLAY=1 SSH_ASKPASS="$PASSPHRASE" ssh-add $ID_RSA < /dev/null
How could I achieve this?

The SSH_ASKPASS variable stores an executable, so you can specify a one-line script that simply outputs the value of the password variable:
Contents of ~/.ssh/askpass.sh (must be set to executable, e.g. chmod +x ~/.ssh/askpass.sh)
#!/bin/sh
echo "$PASSPHRASE"
Then you can run:
$ SSH_ASKPASS_REQUIRE=force SSH_ASKPASS="$HOME/.ssh/askpass.sh" ssh-add "$ID_RSA"
Full example:
$ export PASSPHRASE="test123" ID_RSA="$HOME/.ssh/test.rsa"
$ ssh-keygen -t rsa -b 4096 -o -a 100 -f "$ID_RSA"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): test123
Enter same passphrase again: test123
Your identification has been saved in test.rsa
Your public key has been saved in test.rsa.pub
The key fingerprint is:
SHA256:dLo1pYfzd33lb+GiI8QcES5jaLHEmNhrvRJiMWR3d58 adamhotep@tabasco
The key’s randomart image is:
+---[RSA 4096]----+
|.oo.++ . o. |
|.+.+o.= o.. . |
| o o+ +..oE. |
| o +....o+ + |
|. o . . S B . .|
| . . * = oo|
| . o . o *|
| . . o o+|
| ..o ...|
+----[SHA256]-----+
$ printf '#!/bin/sh\necho "$PASSPHRASE"\n' > ~/.ssh/askpass.sh
$ chmod +x ~/.ssh/askpass.sh
$ eval $(ssh-agent -s)
$ SSH_ASKPASS_REQUIRE=force SSH_ASKPASS="$HOME/.ssh/askpass.sh" ssh-add "$ID_RSA"
Identity added: test.rsa (adamhotep@tabasco)
(See also my ssh-keygen advice for why those extra arguments increase security.)
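A hardened version of the helper approach, as an added example that is not part of the original answer: the askpass script is created in a fresh 0700 directory so another local user cannot swap it out, the passphrase reaches the helper only through ssh-add's environment (never on a command line, where ps would show it), and the helper is deleted again once the key is loaded. SSH_ASKPASS_REQUIRE=force needs OpenSSH 8.4 or later; DISPLAY is set as well so older releases fall back to the DISPLAY-plus-redirected-stdin rule the question relies on. The key path in the usage line is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Load a passphrase-protected
# key into ssh-agent with the passphrase taken from a shell variable.
set -u

# Create the askpass helper in a private temp dir (0700). The helper prints
# KEY_PASSPHRASE from its own environment; the secret is not baked into it.
make_askpass_helper() {
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    cat >"$dir/askpass" <<'EOF'
#!/bin/sh
printf '%s\n' "$KEY_PASSPHRASE"
EOF
    chmod 700 "$dir/askpass"
    printf '%s\n' "$dir/askpass"
}

# add_key_from_var KEYFILE PASSPHRASE: run ssh-add against the current agent
# (SSH_AUTH_SOCK must be set), answering the passphrase prompt via the helper.
add_key_from_var() {
    keyfile=$1 passphrase=$2
    helper=$(make_askpass_helper) || return 1
    # SSH_ASKPASS_REQUIRE=force (OpenSSH >= 8.4) makes ssh-add use the helper
    # unconditionally; DISPLAY plus stdin from /dev/null is what older
    # releases need to do the same. The passphrase is exported only into
    # ssh-add's environment, which it hands on to the helper.
    KEY_PASSPHRASE=$passphrase SSH_ASKPASS=$helper SSH_ASKPASS_REQUIRE=force \
        DISPLAY=${DISPLAY:-:0} ssh-add "$keyfile" </dev/null
    status=$?
    rm -rf "$(dirname "$helper")"
    return "$status"
}

# Usage: PASSPHRASE=... ./load_key.sh ~/.ssh/id_ed25519   (agent already running)
if [ "$#" -eq 1 ]; then
    add_key_from_var "$1" "${PASSPHRASE:?set PASSPHRASE in the environment}"
fi
```

Running the helper by hand with KEY_PASSPHRASE set is a quick way to check it before pointing ssh-add at it; `ssh-add -l` afterwards should list the key's fingerprint.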

Related

ssh-keygen - create public key file from private key file stored in s3

I'm trying to store (append) the public key to a file (~/.ssh/authorized_keys) for a private key (private-key.pem) that is actually stored in S3, all using a bash script.
Retrieving the public key from a file:
ssh-keygen -y -f /path/to/private-key.pem
Output:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V
hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr
lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ
qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb
BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE
Then I manually add the content to the destination file. This is fine, but I want to do it with a command: retrieve the file stored in S3 (public URL) and append the output to a file (~/.ssh/authorized_keys).
I tried this:
ssh-keygen -y -f /dev/stdin <<< `curl https://bucket.s3.amazonaws.com/private-key.pem` >> ~/.ssh/authorized_keys
Output:
Load key "/dev/stdin": invalid format
And this:
curl https://bucket.s3.amazonaws.com/private-key.pem | ssh-keygen -y -f /dev/stdin >> ~/.ssh/authorized_keys
Output:
Permissions 0660 for '/dev/stdin' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/dev/stdin": bad permissions
After looking at other related questions, I found that FIFOs (named pipes) can have permissions, so I tried this and it worked as expected; hope it helps someone.
Create a named pipe with permissions (a pipe named fifo):
mkfifo -m 600 fifo
Run the command pointing at that pipe:
curl -s https://bucket.s3.amazonaws.com/private-key.pem > fifo | ssh-keygen -y -f fifo >> ~/.ssh/authorized_keys
All in one command:
mkfifo -m 600 fifo && curl -s https://bucket.s3.amazonaws.com/private-key.pem > fifo | ssh-keygen -y -f fifo >> ~/.ssh/authorized_keys

do_convert_from_pkcs8: /dev/fd/63 is not a recognised public key format

I am trying to retrieve my PIV key using the following script:
getPIVkey.sh
NAME=`security find-certificate | grep PIV | sed 's;keychain:";;g' | sed 's;";;g'`
echo $NAME
ssh-keygen -i -m pkcs8 -f <(security find-certificate -p "$NAME" | openssl x509 -noout -pubkey)
on macOS High Sierra 10.13.4. I get:
./getPIVPub.sh
keychain: PIV-Bill K Brown (piv)
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
unable to load certificate
140735828857800:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_lib.c:704:Expecting: TRUSTED CERTIFICATE
do_convert_from_pkcs8: /dev/fd/63 is not a recognised public key format
It looks like you are missing a space in your first sed command, between keychain: and the quote. So your command to set the NAME variable should be
NAME=`security find-certificate | grep PIV | sed 's;keychain: ";;g' | sed 's;";;g'`
With the improved sed command, the (printed) value of NAME should no longer start with keychain: but just contain the name.
As a consequence of the wrong value in NAME, the second security find-certificate command fails, hence the output "The specified item could not be found in the keychain." The commands executed after that then fail as well.
FYI, the reason for the reference to /dev/fd/63 is explained in the answer to the question Why does process substitution result in a file called /dev/fd/63 which is a pipe?
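The S3 question and this PIV question both end up pushing key material through ssh-keygen -f from something other than a regular file, and the S3 post shows what happens when that something is /dev/stdin: ssh-keygen stats the path and rejects it for its permissions. The added example below (mine, not code from either post) writes whatever arrives on stdin into a temp file created with mode 0600, runs ssh-keygen on that, and deletes it, so there is no mode error and no fifo left behind in the working directory. One helper serves both cases: a private key goes through `ssh-keygen -y`, a PEM certificate goes through `openssl x509 -pubkey` and then `ssh-keygen -i -m pkcs8`, the same conversion the script in this question attempts. It assumes OpenSSH's ssh-keygen and the OpenSSL command-line tool; the URL and keychain name in the usage lines are placeholders. Separately from anything this script does, a private key that is reachable at a public URL, as in the S3 question, has to be treated as compromised.

```shell
#!/usr/bin/env bash
# Added example, not from either original post. Turn key material arriving on
# stdin into an authorized_keys line without tripping ssh-keygen's file checks.
set -u

# with_private_tmpfile CMD...: copy stdin into a fresh temp file, run
# "CMD... FILE", then remove the file. mktemp creates the file with mode
# 0600; the umask is belt and braces for implementations that do not.
with_private_tmpfile() {
    tmp=$(umask 077 && mktemp) || return 1
    cat >"$tmp" || { rm -f "$tmp"; return 1; }
    "$@" "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Private key (PEM or OpenSSH format) on stdin -> "ssh-rsa AAAA..." line.
pubkey_from_private() {
    with_private_tmpfile ssh-keygen -y -f
}

# PEM X.509 certificate on stdin -> OpenSSH public key line. openssl emits
# the SubjectPublicKeyInfo as a "BEGIN PUBLIC KEY" block, which is exactly
# what ssh-keygen -i -m pkcs8 imports.
pubkey_from_cert() {
    openssl x509 -noout -pubkey | with_private_tmpfile ssh-keygen -i -m pkcs8 -f
}

# Usage (placeholders):
#   curl -fsS "$URL" | ./pubkey.sh key  >> ~/.ssh/authorized_keys
#   security find-certificate -p "$NAME" | ./pubkey.sh cert
if [ "$#" -ge 1 ]; then
    case $1 in
        key)  pubkey_from_private ;;
        cert) pubkey_from_cert ;;
        *)    echo "usage: $0 key|cert < input" >&2; exit 2 ;;
    esac
fi
```

The temp file only ever holds data the caller already has on stdin, so the helper adds no exposure beyond the original pipeline; it just gives ssh-keygen the regular, private file it insists on.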

adding ssh public key to server by another user

I have permission to ssh into the server, but I want to add another person's public key to the server so that he can also ssh into it. How can I do that? I tried using the following command:
<entered another users public key> | ssh user@123.45.56.78 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
i get this error
w: No such file or directory
but this command does not work for me... How can I do it?
You probably need echo:
echo "<entered another users public key>" \
| ssh user@123.45.56.78 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
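The one-liner works, but it trusts whatever was pasted and leaves the remote file modes to the default umask. As an added example (not the answer's code), the script below validates the key locally before it leaves the machine, creates the remote .ssh directory and authorized_keys with private modes, and skips the append when the exact line is already present. The host address and file names are placeholders; the local shell is assumed to be bash (for `declare -f`), while the function shipped to the remote side is plain POSIX sh.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Append another person's public
# key to a remote authorized_keys with validation, private file modes and
# no duplicate lines.
set -u

# validate_pubkey FILE: succeed only if FILE holds exactly one non-empty line
# that ssh-keygen can parse as a public key. This catches a pasted private
# key, a truncated copy, or two keys glued together.
validate_pubkey() {
    [ "$(grep -c . "$1")" -eq 1 ] && ssh-keygen -l -f "$1" >/dev/null 2>&1
}

# append_authorized_key [FILE]: read one key line from stdin and add it to
# FILE (default ~/.ssh/authorized_keys) unless an identical line is already
# there. Runs in a subshell so the umask change does not leak to the caller.
append_authorized_key() (
    akfile=${1:-$HOME/.ssh/authorized_keys}
    key=$(cat)
    umask 077                       # new dir 0700, new file 0600
    mkdir -p "$(dirname "$akfile")"
    touch "$akfile"
    if grep -qxF -- "$key" "$akfile"; then
        echo "key already present"
    else
        printf '%s\n' "$key" >>"$akfile"
        echo "key added"
    fi
)

# install_key PUBFILE USER@HOST: validate locally, ship the function above to
# the remote shell and run it there with the key file on stdin, so the key
# is never interpolated into a quoted command line.
install_key() {
    validate_pubkey "$1" || { echo "not a single valid public key: $1" >&2; return 1; }
    ssh "$2" "$(declare -f append_authorized_key); append_authorized_key" <"$1"
}

# Usage: ./install_key.sh other_user.pub user@203.0.113.10
if [ "$#" -eq 2 ]; then
    install_key "$1" "$2"
fi
```

Because the remote half is an ordinary function, it can be exercised locally against a scratch file before it is ever run against a server.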

Count number of files in directory then scp transfer a certain range such as 21404-42806

I found the number of files in /dev/shm/split/1/ to be 42806 using:
/bin/ls -lU /dev/shm/split/1/ | wc -l
What I can't seem to find anywhere online is how to select a certain range, say from 21404-42806, and use scp to securely copy those files. Then, for management purposes, I would like to move the files I copied to another folder, say /dev/shm/split/2/.
How do I do that using CentOS?
I tried:
sudo chmod 400 ~/emails/name.pem ; ls -1 /dev/shm/split/1/ | sed -n '21443,42806p' | xargs -i scp -i ~/emails/name.pem {} root@ipaddress:/dev/shm/split/2/
This produced:
no such file or directory
errors on all of the files...
ls itself lists files relative to the directory you give. This means your ls prints the file names in the directory, but later on, scp doesn't have the path to them. You can fix this in two ways:
Give the path to scp:
ls -1 /dev/shm/split/1/ | sed -n '21443,42806p' | xargs -I {} \
scp -i ~/emails/name.pem /dev/shm/split/1/{} root@ipaddress:/dev/shm/split/2/
Change to that directory and it will work:
cd /dev/shm/split/1/; ls -1 | sed -n '21443,42806p' | xargs -I {} \
scp -i ~/emails/name.pem {} root@ipaddress:/dev/shm/split/2/
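A version that neither parses ls nor opens one SSH connection per file, as an added example (not the answer's code): the selection comes from a bytewise-sorted find listing, the chosen files are streamed to the remote host through a single tar-over-ssh pipe, and only after that succeeds are they moved aside locally, which covers the second half of the question. Host, identity file and directories are placeholders; GNU-style `find -maxdepth` and GNU tar's `-T -` are assumed, and file names containing newlines are out of scope for the line-based selection.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Select the FIRST..LAST-th files
# of a directory (sorted, 1-based) and copy them in one ssh session.
set -u

# select_range DIR FIRST LAST: print the chosen file names, one per line,
# relative to DIR. LC_ALL=C sorting keeps the numbering stable between runs;
# names with spaces are fine, names with embedded newlines are not.
select_range() {
    dir=$1 first=$2 last=$3
    for n in "$first" "$last"; do
        case $n in ''|*[!0-9]*) echo "range bounds must be integers" >&2; return 2 ;; esac
    done
    (cd "$dir" && find . -maxdepth 1 -type f) | sed 's|^\./||' | LC_ALL=C sort |
        sed -n "${first},${last}p"
}

# transfer_range DIR FIRST LAST USER@HOST:DEST [IDENTITY]: one tar stream over
# one ssh connection instead of an scp process (and handshake) per file.
# Names are prefixed with ./ so GNU tar cannot mistake a name starting with
# "-" in the -T list for an option.
transfer_range() {
    dir=$1 first=$2 last=$3 host=${4%%:*} dest=${4#*:} identity=${5:-$HOME/.ssh/id_ed25519}
    select_range "$dir" "$first" "$last" | sed 's|^|./|' |
        tar -C "$dir" -cf - -T - |
        ssh -i "$identity" "$host" "mkdir -p '$dest' && tar -C '$dest' -xf -"
}

# move_range DIR FIRST LAST TARGET: move the same selection into TARGET once
# the copy has succeeded. sort must read the whole listing before printing
# anything, so the list is fixed before the first mv runs.
move_range() {
    dir=$1 first=$2 last=$3 target=$4
    mkdir -p "$target"
    select_range "$dir" "$first" "$last" |
        while IFS= read -r f; do mv -- "$dir/$f" "$target/"; done
}

# Usage: ./split_copy.sh /dev/shm/split/1 21404 42806 root@203.0.113.10:/dev/shm/split/2 ~/emails/name.pem [LOCAL_DONE_DIR]
if [ "$#" -ge 4 ]; then
    transfer_range "$1" "$2" "$3" "$4" "${5:-}" && move_range "$1" "$2" "$3" "${6:-${1%/}.done}"
fi
```

Dry-run the selection first (`select_range /dev/shm/split/1 21404 42806 | wc -l`) to confirm the count before anything is copied or moved.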

Automate ssh-keygen -t rsa so it does not ask for a passphrase

I need to automate ssh-keygen -t rsa without a passphrase, i.e. just pressing Enter at the prompt.
How can I do that from a shell script?
To generate an SSH key pair without being prompted for a passphrase you can do the following:
$ ssh-keygen -f id_rsa -t rsa -N ''
If you need to do this from PowerShell on Windows, use:
ssh-keygen -f $Name -t rsa -N '""'
Note that you also have to ensure the Git bin directory is in your PATH:
$sshPath = "<path>\git\bin\"
$env:path += ";$sshPath"
Then to use it in PoshGit it's just:
Add-SshKey "<path>\.ssh\KeyFilename"
$ ssh-keygen -f $HOME/.ssh/id_rsa -t rsa -N ''
Just a correction to answer 2...
I found out on my OL and RHEL systems that the file name should be id_rsa, not id.rsa.
So on an OL or RHEL system the command would be:
$ ssh-keygen -f id_rsa -t rsa -N ''
What about:
ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -N ''
As noted in man ssh-keygen:
SYNOPSIS
ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile]
(...)
-q Silence ssh-keygen.
(that is with the openssh-client package in Debian 9.4 stretch: OpenSSH_6.7p1 Debian-5+deb8u4)
I needed to automate the ssh-keygen command in a bash script, and the final answer which works well for me is:
echo -e "\n" | ssh-keygen -N "" &> /dev/null
The echo command with -e interprets "\n" as an Enter key, but that does not work for the passphrase. So, using the option -N "" (empty passphrase), the passphrase will be empty and nothing will be asked.
&> /dev/null sends stdout and stderr to /dev/null so nothing is printed to the terminal.
$ printf '\n' | ssh-keygen -N ''
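An added example (not from any of the answers above) that pulls the pieces together for a script: supply -f so ssh-keygen never asks for a file name, refuse to run when a key already exists at that path (otherwise ssh-keygen stops to ask "Overwrite (y/n)?"), pass -N '' for an empty passphrase, and redirect stdin from /dev/null so any prompt that still appears fails fast instead of hanging an unattended job. It defaults to ed25519; pass rsa as the second argument for the key type the question asks about. The function name and paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers. Non-interactive key generation
# that cannot stall on a prompt.
set -u

# gen_key PATH [TYPE] [COMMENT]: create PATH and PATH.pub with an empty
# passphrase, failing if either exists already. Prints the SHA256 fingerprint.
gen_key() {
    path=$1 type=${2:-ed25519}
    comment=${3:-"$(id -un)@$(hostname 2>/dev/null || echo localhost)"}
    if [ -e "$path" ] || [ -e "$path.pub" ]; then
        echo "refusing to overwrite existing key: $path" >&2
        return 1
    fi
    dir=$(dirname "$path")
    [ -d "$dir" ] || mkdir -m 700 -p "$dir"
    # -q: no banner or randomart; -N '': empty passphrase (it is on the
    # command line, which is why this helper offers no way to set a non-empty
    # one); </dev/null: any prompt that still appears reads EOF and
    # ssh-keygen exits non-zero instead of waiting.
    ssh-keygen -q -t "$type" -N '' -C "$comment" -f "$path" </dev/null || return 1
    ssh-keygen -l -f "$path.pub" | awk '{print $2}'
}

# Usage: ./gen_key.sh ~/.ssh/id_ed25519          (or: ./gen_key.sh ~/.ssh/id_rsa rsa)
if [ "$#" -ge 1 ]; then
    gen_key "$@"
fi
```

The fingerprint it prints is what to record or compare against `ssh-keygen -l -f` on the host the key is later installed on.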
Please enjoy this script...
Powershell script (e.g. for GitHub)
Paste this into your myscript.ps1 file...
param(
[Parameter(Mandatory)]
[string]$keyName=$(throw "keyName - Param must be supplied"),
[Parameter(Mandatory)]
[string]$email=$(throw "email - Param must be supplied"),
$u="git",
$d="github.com",
$c="rsa"
)
$repo="repoName"
$account=":accountName"
$currentDir = Get-Location
Write-Host $HOME/.ssh/$keyName`_$c
mkdir $HOME/.ssh -Force | Out-Null   # -Force: do not error if the directory already exists
Set-Location $HOME/.ssh
ssh-keygen -f ./$keyName`_$c -t $c -C $email -N '""'
Add-Content -Path ./config -Value "
Host $keyName
User $u
Hostname $d
PreferredAuthentications publickey
IdentitiesOnly yes
IdentityFile $HOME/.ssh/$keyName`_$c"
Write-Host "`n
Put this key into $d :"
cat $HOME/.ssh/$keyName`_$c.pub
Write-Host "`n
Use this to Clone the $repo repo :
git clone $u@$keyName$account/$repo.git"
cat config
Set-Location $currentDir
The above is untested but it is close to what I have working.
Command to execute
> myscript.ps1 -keyName yourname -email yourname@yourdomain.com