174

I'm SSHed into a remote host (Linux, Fedora) and I want to do an SSH operation (git with Bitbucket) there. There is an ssh-agent running on that machine:

$ ps -e|grep sh-agent
 2203 ?        00:00:00 ssh-agent

But when I want to use git, it requires me to enter the passphrase:

$ git pull
Enter passphrase for key '/user/wgong/home/.ssh/id_rsa': 

Note: If I operate on that machine locally, it won't ask me to enter the passphrase.

Giacomo1968
  • 58,727
lily
  • 2,015

9 Answers

250

In my opinion the best way of using ssh

Before using Git add your key to ssh-agent

Start ssh-agent if not started:

$ eval `ssh-agent -s`

Add your private key using ssh-add

$ ssh-add ~/.ssh/id_rsa_key  
Enter passphrase for /home/user/.ssh/id_rsa_key:  
Identity added: /home/user/.ssh/id_rsa_key   
(/home/user/.ssh/id_rsa_key)  

Check if the key is added (parameter is a lowercase L):

$ ssh-add -l  
2048 55:96:1a:b1:31:f6:f0:6f:d8:a7:49:1a:e5:4c:94:6f  
/home/user/.ssh/id_rsa_key (RSA)

Try to connect to your Git server:

$ ssh git.example.com

Now you can use Git without extra passphrase prompts.

Other ways

https://unix.stackexchange.com/questions/90853/how-can-i-run-ssh-add-automatically-without-password-prompt

Addison
  • 197
Roman
  • 2,611
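
An added example (not part of the original answers) for the situation in the question, where an ssh-agent process exists but the current shell still prompts: it classifies this shell's view of the agent from `SSH_AUTH_SOCK` and the documented `ssh-add -l` exit status, then checks whether a given key is actually loaded. The function names and state labels are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: why does this shell still ask for the key passphrase?
# agent_state and key_in_agent are hypothetical helper names.

agent_state() {
    # No SSH_AUTH_SOCK: ssh cannot find an agent from this shell, even if
    # an ssh-agent process is visible in `ps`.
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no-socket"; return 0
    fi
    # Variable is set but does not point at a live UNIX socket.
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "stale-socket"; return 0
    fi
    # ssh-add -l exits 0 when keys are listed, 1 when the agent holds no
    # identities, 2 when the agent cannot be contacted.
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "keys-loaded" ;;
        1) echo "agent-empty" ;;
        *) echo "agent-unreachable" ;;
    esac
}

key_in_agent() {
    # $1 = key file. Returns 0 if its fingerprint is in the agent,
    # 1 if it is not, 2 if no fingerprint could be read from the file.
    fp=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}')
    [ -n "$fp" ] || return 2
    ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF -- "$fp"
}

# Usage:
#   agent_state                  # prints one of the labels above
#   key_in_agent ~/.ssh/id_rsa   # check the exit status
```

A result of `no-socket` or `stale-socket` means this shell has no usable `SSH_AUTH_SOCK`, so ssh reads the encrypted key file directly and prompts for its passphrase.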
56

If you already have ssh-agent running then you can add the key, and you'll have to enter the passphrase once, and once only for that session.

ssh-add ~/.ssh/id_rsa

You don't say what OS you're using, but if it happens to be Linux & Gnome then the "Passwords and Keys" application (CLI name: seahorse) can manage these so they are unlocked when you log in (no passphrase required). Other Linux desktop environments have their own managers. I'm not sure what other OS do here.

ams
  • 1,377
44

You can easily remove passphrase of your key by using the following command

ssh-keygen -p

On the first prompt, enter the file path (or press Enter to use the default)
Second prompt, enter the old passphrase
Next prompt, just press enter to unset the passphrase

Looks like this is the easiest way!

12

On Mac, add UseKeychain to ~/.ssh/config

nano ~/.ssh/config

and add the following

Host *
    UseKeychain yes
ow3n
  • 336
6

To get asked for a passphrase only once when SSH tries to use a key for the first time add this at the beginning of your ~/.ssh/config:

AddKeysToAgent yes

If you're still being asked more than once then check if you're not running multiple agents at once. To run only one ssh-agent per session add something like this to your RC file (e.g. ~/.bashrc):

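# Start an agent only when ~/.ssh/socket is not already a live agent socket
if [ ! -S ~/.ssh/socket ]; then
    eval $(ssh-agent)
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/socket
fi
# Every shell then talks to the same agent through the stable path
export SSH_AUTH_SOCK=~/.ssh/socket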
cprn
  • 170
6

The main reason for passphrase asking is that your key is encrypted, compare these two:

  • not encrypted

    $ head ~/.ssh/id_rsa 
    -----BEGIN RSA PRIVATE KEY-----            
    AIIAogIBAAKCAQEAtOJQ0Z3ZbyzuknnHqn5oMCmNf8zGmERhW+g5Eftf9daZ5qvZ
    
  • encrypted

    $ head ~/.ssh/id_rsa 
    -----BEGIN RSA PRIVATE KEY-----    
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,A95215C9E9FE00B8D73C58BE005DAD82
    
    ZAzLq/LbHSfOVkXtQz6M6U8yuAx2lIu9bH/k7ksgat92IDjZntRrT1XMpkYtjB+0
    

So you have to do one of the following:

  1. If it's encrypted you can try to remove the encryption.
  2. You're using the wrong key. If you'd like to use a different key, specify another file or edit your ~/.ssh/config and specify a different identity file (IdentityFile).
  3. Run ssh-add -l to list all your identities (then compare with your local ones) and double check with Stash that you're using the right keys (that they exist in the Stash configuration).
  4. If you know the passphrase and you want to automate it, try the following workaround:

    PS="my_passphrase"
    install -vm700 <(echo "echo $PS") $PWD/my_pass
    DISPLAY= SSH_ASKPASS=$PWD/my_pass ssh-add - && rm -v my_pass
    

Troubleshooting:

  1. Double check your SSH agent is running (eval "$(ssh-agent -s)").
  2. Re-run git via: GIT_TRACE=1 git pull or with GIT_SSH_COMMAND="ssh -vv" (Git 2.3.0+) to debug your command again.
  3. You can try to bypass asking for the passphrase (which will redirect it into true), but I don't think it'll help. If it asks for it, there is a reason for that and it's basically required.

    DISPLAY= SSH_ASKPASS=/bin/true ssh-add
    
kenorb
  • 26,615
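
An added example (not from the answer above) that automates the "encrypted vs. not encrypted" comparison by reading the key file's own format markers. It goes beyond the legacy PEM headers shown in the answer and also covers PKCS#8 and the newer `OPENSSH PRIVATE KEY` container, whose cipher name sits inside the base64 body; the function name is hypothetical and GNU `base64 -d` is assumed.

```bash
#!/usr/bin/env bash
# Added example: is this private key file passphrase-protected?
# key_encryption is a hypothetical helper; it never needs the passphrase.

key_encryption() {
    keyfile=$1
    [ -r "$keyfile" ] || { echo "unreadable"; return 0; }
    # First line, without trailing blanks or a CR from copy/paste.
    first=$(head -n 1 "$keyfile" | tr -d '\r' | sed 's/[[:space:]]*$//')
    case $first in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            # PKCS#8 encrypted container.
            echo "encrypted" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # Body: 15-byte magic "openssh-key-v1\0", 4-byte length, then
            # the cipher name. The name "none" means no passphrase.
            cipher=$(sed '/^-----/d' "$keyfile" | tr -d ' \r\n' |
                     base64 -d 2>/dev/null |
                     dd bs=1 skip=19 count=4 2>/dev/null)
            case $cipher in
                none) echo "plaintext" ;;
                "")   echo "unknown" ;;
                *)    echo "encrypted" ;;
            esac ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN "*" PRIVATE KEY-----")
            # Legacy PEM (RSA/DSA/EC): encryption is announced in a header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
                echo "encrypted"
            else
                echo "plaintext"
            fi ;;
        *)
            echo "not-a-private-key" ;;
    esac
}

# Usage: key_encryption ~/.ssh/id_rsa
```

A `plaintext` result means anyone who can read the file can use the key, so its permissions and backups are the only protection it has.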
4

You will still get a password prompt to decrypt the private key even if it is loaded into ssh-agent until the corresponding SSH public key is added into the remote ~/.ssh/authorized_keys.


To reproduce:

# We are about to ssh to localhost, therefore, unauthorized everyone.
rm ~/.ssh/authorized_keys

eval $(ssh-agent)

Agent pid 9290

ssh-add

Enter passphrase for /home/uvsmtid/.ssh/id_rsa:

Identity added: /home/uvsmtid/.ssh/id_rsa (/home/uvsmtid/.ssh/id_rsa)

1st attempt: password is prompted

ssh localhost

Enter passphrase for key '/home/uvsmtid/.ssh/id_rsa':

uvsmtid@localhost's password:

NOTE: See password prompt for private key

(and only then prompt for remote login).

Why? Isn't the private key already loaded by ssh-add?

Copy public key to remote host:

ssh-copy-id localhost

2nd attempt: password is NOT prompted

ssh localhost

NOTE: No password for private key anymore.

The key is served by ssh-agent.

Confusing enough.

Remote SSH login password would be enough in this case.

I can speculate that this prevents adding your public key (which is paired with encrypted private key) without knowing encryption password for corresponding private key (without owner of the keys) for better security, but... it is still just a public key.

Anyway, it is one-time-per-remote-login procedure.

uvsmtid
  • 143
4

The ssh-add program starts an agent which can hold (and provide) your passphrase. The way to use it remotely is in a parent of your interactive shell (so that the agent does not stop).

Here are a few related questions:

Now... connecting remotely, as a rule your command does not log in as such, so it does not start ssh-add. You could work around this, by executing a script which

  • starts ssh-agent
  • starts ssh-add
  • adds your key
  • runs the command that you want.

The weak point is the second step: you would still get prompted for the passphrase, unless you weaken your security by using a key that has no passphrase. Some people do this, most people advise against it.

2

The following steps work for me on mac.

$ ssh-keygen -p
# Start the SSH key creation process
> Enter file in which the key is (/Users/you/.ssh/id_rsa): [Hit enter]
> Key has comment '/Users/you/.ssh/id_rsa'
> Enter new passphrase (empty for no passphrase): [Type new passphrase]
> Enter same passphrase again: [One more time for luck]
> Your identification has been saved with the new passphrase.

Details link is here

Sword I
  • 121