How to provide a public passphrase in a python framework

Simple code I wrote:

from fabric.api import env, settings, put  # Fabric 1.x API: env, settings(), put()

# user, local_path and remote_path are set elsewhere in the script
env.host_string = '15.21.18.24'
with settings(user=user, key_filename='/home/amby/.ssh/id_rsa.pub'):
    put(local_path, remote_path)  # upload the file over SSH with this key

Now I have a passphrase for the public key. How do I pass this passphrase in? I want this to be automated.

It is currently asking for the passphrase.

amby@amby-laptop:~/Desktop$ python fabric_test.py
[15.21.18.24] Passphrase for private key:



1 answer


A quick note on terminology. The passphrase is for the private key, as the prompt indicates. With ssh key pairs, the key is in two parts: the private key must be protected and kept secret, and should never leave the initiating side of the ssh session. The public key is safe to exchange and transfer.

When you are trying to automate ssh transactions and you need to provide a passphrase, and you plan to store the passphrase somewhere in your script or config, then the passphrase is no longer a secret and you might as well not have one at all.


A few things you can try

1) Don't bother with the passphrase! It is optional. Create a key without a passphrase to use with your scripts. Obviously, this is less secure than a key pair with one, and you must take additional steps to lock it down. You can restrict the commands allowed for this ssh key by providing additional parameters in the authorized_keys file on the remote host. This way, you can have a less secure key but limit the damage that anyone who was able to access the private key can do.

You can create a new pair with ssh-keygen. Give it a new filename and just hit enter when prompted for a passphrase; this will give you a new private/public key pair to use with your script that doesn't require a passphrase.

The authorized_keys file must exist in the ~/.ssh directory of the remote user account on the remote host. A typical key entry looks like this (I have truncated the key material for clarity). If you don't already have one, you can create a new one. To this file you need to add the text of the public key file from the new key pair. This is the one with the .pub extension. The public key text is in this format:

ssh-rsa AAAAB3NzaC1yc ... user@mycomputer.local

It consists of several fields on one line, separated by spaces. The first field is the key type. A long string of letters and numbers encodes the public key itself. The final field is a comment to help people identify the key; usually it has the username and hostname on which the key was generated. You can optionally add an options field to the beginning of the key record. This contains a set of parameter values, separated by commas, that apply to sessions started using this key pair. You can add a command parameter in the options field of authorized_keys to define the specific command that is allowed to run with the key. This can be used to restrict what is allowed to be done with a passphrase-less key pair.

command="/usr/bin/ls" ssh-rsa AAAAB3NzaC1yc ... user@mycomputer.local

This key pair can only run 'ls' remotely.


2) Use ssh-agent. If you have an authenticated agent in the shell environment when you execute your script, it will provide the ssh key credentials without you having to provide the passphrase every time.

Typical use:

You run

eval `ssh-agent`

in a shell to start the agent daemon. The eval statement causes the agent's session environment variables to be set in the shell environment.

You can now run

ssh-add ~/.ssh/my-passphraseless-private-key.rsa

to load the private key into the agent. The agent will ask you for the passphrase to unlock the key, then cache the credentials for the lifetime of the shell. This way, you can run your scripts that use this key without being asked for a passphrase.

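The authorized_keys line format and the command= restriction described in the answer above, as an added worked example in Python (this is not code from the question, the answer, Fabric or OpenSSH). It tokenizes an entry following OpenSSH's quoting rules for option values, splits the options field on commas outside quotes, checks that the declared key type matches the type string embedded at the start of the base64 key blob, and wraps a plain .pub line into a restricted entry. The sample key blob is constructed toy material, and the function names (parse_line, restrict_entry, embedded_key_type) and the extra no-* flags that restrict_entry adds are my choices, not anything the answer specifies.

```python
"""Parse and build OpenSSH authorized_keys entries (added example, not the
page's own code). Assumes the line layout the answer describes: optional
comma-separated options field, key type, base64 key blob, optional comment.
The sample key below is a constructed toy blob, not a real key."""
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def tokenize(line):
    """Split on whitespace, except inside double quotes (command="ls -l")."""
    tokens, cur, in_quote, esc = [], [], False, False
    for c in line:
        if in_quote and esc:            # char after a backslash is literal
            cur.append(c)
            esc = False
        elif in_quote and c == "\\":
            cur.append(c)
            esc = True
        elif c == '"':
            in_quote = not in_quote
            cur.append(c)
        elif c.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
    if cur:
        tokens.append("".join(cur))
    return tokens


def split_options(field):
    """Split the options field on commas outside quotes; unescape \\" inside."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if in_quote and c == "\\" and i + 1 < len(field):
            cur.append(field[i + 1])    # keep the escaped char, drop the backslash
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} or None for blank/comment lines."""
    tokens = tokenize(line.strip())
    if not tokens or tokens[0].startswith("#"):
        return None
    if tokens[0] in KEY_TYPES:                        # no options field
        options_field, rest = "", tokens
    elif len(tokens) > 1 and tokens[1] in KEY_TYPES:  # options, then key type
        options_field, rest = tokens[0], tokens[1:]
    else:
        raise ValueError("no recognised key type in: %r" % line)
    if len(rest) < 2:
        raise ValueError("missing key material in: %r" % line)
    options = {}
    for opt in (split_options(options_field) if options_field else []):
        name, sep, value = opt.partition("=")
        if sep and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options[name] = value if sep else True        # bare flags (no-pty) -> True
    return {"options": options, "type": rest[0], "key": rest[1],
            "comment": " ".join(rest[2:])}


def embedded_key_type(key_b64):
    """Type string stored inside the blob; it must equal the declared type."""
    blob = base64.b64decode(key_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("key blob truncated")
    return blob[4:4 + n].decode("ascii")


def restrict_entry(pub_line, command, extra=("no-pty", "no-port-forwarding",
                                              "no-agent-forwarding", "no-X11-forwarding")):
    """Wrap a plain .pub line so every session runs `command` (sshd puts the
    client's requested command in SSH_ORIGINAL_COMMAND) with forwarding off."""
    entry = parse_line(pub_line)
    if entry is None or entry["options"]:
        raise ValueError("expected a plain key line without options")
    opts = ['command="%s"' % command.replace('"', '\\"')] + list(extra)
    parts = [",".join(opts), entry["type"], entry["key"]]
    if entry["comment"]:
        parts.append(entry["comment"])
    return " ".join(parts)


# Constructed toy ssh-rsa blob: type string, then one-byte e and n. Not a real key.
SAMPLE_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa"
                              b"\x00\x00\x00\x01\x03\x00\x00\x00\x01\x05").decode("ascii")
SAMPLE_PUB = "ssh-rsa %s user@mycomputer.local" % SAMPLE_KEY

if __name__ == "__main__":
    restricted = restrict_entry(SAMPLE_PUB, "/usr/bin/ls")
    print(restricted)
    entry = parse_line(restricted)
    print(entry["options"]["command"], embedded_key_type(entry["key"]))
```

The extra no-* flags close the usual ways around a command= restriction (an interactive pty, port or agent forwarding); a key that only needs to run one program has no use for them. Checking the embedded type against the declared type catches a line whose blob was pasted from a different key or truncated, which sshd would reject anyway but which is easier to diagnose here.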