SSH into many systems with passphrase-less RSA keys

Suppose I need to SSH into many systems and run a simple command on each. The problem is that I do not want to have to enter my password 50 times in a row to accomplish this. So I figure I will use RSA keys without a passphrase temporarily. My question is, is this standard practice to temporarily set your private key file to not have a passphrase for the purposes of running a non-interactive script, at which point you would then set a very secure passphrase by way of the ssh-keygen -p command? Is there another way to accomplish this?

Best Answer

> My question is, is this standard practice to temporarily set your private key file to not have a passphrase for the purposes of running a non-interactive script [...]

No. The standard practice is to use a key agent to store your passphrase. When using a key agent, you can enter your passphrase once, when adding the key to the agent, and afterwards the agent will provide it to ssh connections you initiate.

There are many tutorials on this. Here's the basic usage in a nutshell:

    # start ssh key agent and set environment variables
    eval $(ssh-agent)

    # add your private key
    ssh-add

How it works, in a nutshell:

  • The ssh-agent command outputs some environment variables you need to set, so that programs (like ssh, scp, rsync and others) find the ssh-agent process. This output is ready to execute, to actually set the variables, and this is the purpose of the eval statement.

  • ssh-add finds the ssh-agent process thanks to the configured environment variables, and adds the private key at the default location in your ~/.ssh directory. At this point you will be asked to enter the passphrase.

After this, you will be able to ssh, scp, and others to any server where your key is authorized, without having to re-enter the passphrase.
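
The agent workflow from the answer above, applied to the question's task of running one command on many hosts. This is an added example, not part of the original answer; the host-file format (one host per line, `#` comments), the function names and the `SSH_BIN` override are assumptions made for the example.

```sh
#!/bin/sh
# Added example. Host-file format, function names and SSH_BIN are assumptions.
SSH_BIN="${SSH_BIN:-ssh}"    # overridable so the loop can be exercised offline

# Print one host per line from file $1, dropping comments and blank lines.
list_hosts() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Run command $2 on every host listed in file $1.
# Prints "OK"/"FAIL" per host; returns 1 if any host failed.
run_on_hosts() {
    roh_cmd=$2
    roh_failed=0
    while IFS= read -r roh_host; do
        [ -n "$roh_host" ] || continue
        # BatchMode=yes: fail instead of prompting if the agent key is not accepted.
        # -n: stdin from /dev/null, so ssh cannot consume the host list.
        # --: a host entry beginning with "-" is not parsed as an ssh option.
        if "$SSH_BIN" -n -o BatchMode=yes -o ConnectTimeout=10 -- "$roh_host" "$roh_cmd"; then
            printf 'OK   %s\n' "$roh_host"
        else
            printf 'FAIL %s\n' "$roh_host"
            roh_failed=1
        fi
    done <<EOF
$(list_hosts "$1")
EOF
    return "$roh_failed"
}

main() {
    # Private agent for this run only, killed when the script exits.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    # Passphrase is asked once here; -t 600 makes the agent drop the key after 10 minutes.
    ssh-add -t 600 || return 1
    run_on_hosts "$1" "$2"
}

# Usage: sh run-many.sh hosts.txt 'uptime'
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The key on disk keeps its passphrase the whole time; only the agent process holds the decrypted key, and it is gone when the script exits or the lifetime expires.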
