Ssh – Automated ssh-keygen without passphrase, how

scriptingssh

I would like to make an automated script that calls ssh-keygen and creates some pub/private keypairs that I will use later on. In principle everything works fine with….
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q
…except that it asks me for the passphrase that would encrypt the keys. This make -at present- the automation difficult.

I could provide a passphrase via the command line argument -N thepassphrase, so to keep the prompt from appearing.
Still I do not even desire to have the keys –additionally secured by encryption– and want the keypairs to be plaintext.

What is a (the best) solution to this problem?

The -q option which supposedly means "quiet/silent" does still not avoid the passphrase interaction. Also I have not found something like this
ssh-keygen ... -q --no-passphrase

Please do not start preaching about or lecture me to the
pro and cons of the "missing passphrase", I am aware of that.
In the interactive form (not as a script) the user can simply hit [ENTER] twice and the key will be saved as plaintext. This is what I want to achieve in a script like this:

#!/bin/bash

command1
command2
var=$(command3)

# this should not stop the script and ask for password
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q

Best Answer

This will prevent the passphrase prompt from appearing and set the key-pair to be stored in plaintext (which of course carries all the disadvantages and risks of that):

ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""

Using Windows 10 built in SSH

Powershell:

ssh-keygen -b 2048 -t rsa -f C:/temp/sshkey -q -N """"

CMD:

ssh-keygen -b 2048 -t rsa -f C:/temp/sshkey -q -N ""

Related Solutions

SSH into many systems with passphrase-less RSA keys

My question is, is this standard practice to temporarily set your private key file to not have a passphrase for the purposes of running a non interactive script [...]

No. The standard practice is to use a key agent to store your passphrase. When using a key agent, you can enter your passphrase once, when adding the key to the agent, and afterwards the agent will provide it to ssh connections you initiate.

There are many tutorials on this. Here's the basic usage in a nutshell:

# start ssh key agent and set environment variables
eval $(ssh-agent)

# add your private key
ssh-add

How it works, in a nutshell:

The ssh-agent command outputs some environment variables you need to set, so that programs (like ssh, scp, rsync and others) find the ssh-agent process. This output is ready to execute, to actually set the variables, and this is the purpose of the eval statement.
ssh-add finds the ssh-agent process thanks to the configured environment variables, and adds the private key at the default location in your ~/.ssh directory. At this point you will be asked to enter the passphrase.

After this, you will be able to ssh, scp, and others to any server where your key is authorized, without having to re-enter the passphrase.

Ssh – How to roll over ssh host keys

The Host Key rotation is supported since OpenSSH 6.8 (both client and server adds support in this version).

So the process should work like this:

Generate and add new keys with the option HostKey newkey (after the existing ones) to the /etc/ssh/sshd_config
Restart sshd
The clients have to set up UpdateHostKeys yes in their configuration (either globally, or per-host)
The connecting clients will pick up all the new keys
After some time (months?) you can remove the old keys from the sshd_config and restart sshd
The clients (that connected during the transition period) will already have the new keys (the old will not be removed, which is the only problem here) and they will not show the MitM attack warning.

The new enough-clients will be able to pick up the new keys. This feature is not enabled by default, probably because it is quite new and soon showed some security consideration. But these days, it should be fine to use it.

Best Answer

Related Solutions

SSH into many systems with passphrase-less RSA keys

Ssh – How to roll over ssh host keys

Related Question