I'm ssh into a remote host (linux, fedora) and I want to do ssh operation(git with bitbucket) there. There is ssh-agent running on that machine,
$ ps -e|grep sh-agent 2203 ? 00:00:00 ssh-agentbut when I want to git, it requires me to enter the passphrase
$ git pull
Enter passphrase for key '/user/wgong/home/.ssh/id_rsa': Note: if I operate on that machine locally, it won't ask me to enter the passphrase
19 Answers
In my opinion the best way of using ssh
Before using Git add your key to ssh-agent
Start ssh-agent if not started:
$ eval `ssh-agent -s`Add your private key using ssh-add
$ ssh-add ~/.ssh/id_rsa_key
Enter passphrase for /home/user/.ssh/id_rsa_key:
Identity added: /home/user/.ssh/id_rsa_key
(/home/user/.ssh/id_rsa_key) Check if the key is added (parameter is a lowercase L):
$ ssh-add -l
2048 55:96:1a:b1:31:f6:f0:6f:d8:a7:49:1a:e5:4c:94:6f
/home/user/.ssh/id_rsa_key (RSA)Try to connect to your Git server:
$ ssh git.example.comNow you can use Git without extra passphrase prompts.
Other ways
10If you already have ssh-agent running then you can add the key, and you'll have to enter the passphrase once, and once only for that session.
ssh-add ~/.ssh/id_rsaYou don't say what OS you're using, but if it happens to be Linux & Gnome then the "Passwords and Keys" application (CLI name: seahorse) can manage these so they are unlocked when you log in (no passphrase required). Other Linux desktop environments have their own managers. I'm not sure what other OS do here.
You can easily remove passphrase of your key by using the following command
ssh-keygen -pOn the first prompt, enter the file path (or press Enter to use the default)
Second prompt, enter the old passphrase
Next prompt, just press enter to unset the passphrase
Looks like this is the easiest way!
1The main reason for passphrase asking is that your key is encrypted, compare these two:
not encrypted
$ head ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- AIIAogIBAAKCAQEAtOJQ0Z3ZbyzuknnHqn5oMCmNf8zGmERhW+g5Eftf9daZ5qvZencrypted
$ head ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,A95215C9E9FE00B8D73C58BE005DAD82 ZAzLq/LbHSfOVkXtQz6M6U8yuAx2lIu9bH/k7ksgat92IDjZntRrT1XMpkYtjB+0
So you have to do one of the following:
- If it's encrypted you can try to remove the encryption.
- You're using wrong key. If you'd like to use different key, specify other file or edit your
~/.ssh/configand specify different identity file (IdentityFile). - Run
ssh-add -lto list all your identities (then compare with your local) and double check with Stash if you're using the right keys (they exists on Stash configuration). If you know passphrase and you want to automate it, try the following workaround:
PS="my_passphrase" install -vm700 <(echo "echo $PS") $PWD/my_pass DISPLAY= SSH_ASKPASS=$PWD/my_pass ssh-add - && rm -v my_pass
Troubleshooting:
- Double check your SSH agent is running (
eval "$(ssh-agent -s)"). - Re-run git via:
GIT_TRACE=1 git pullor withGIT_SSH_COMMAND="ssh -vv"(Git 2.3.0+) to debug your command again. You can try to bypass asking for the passphrase (which will redirect it into
true), but I don't think it'll help. If it asks for it, there is a reason for that and it's basically required.DISPLAY= SSH_ASKPASS=/bin/true ssh-add
The ssh-add program starts an agent which can hold (and provide) your passphrase. The way to use it remotely is in a parent of your interactive shell (so that the agent does not stop).
Here are a few related questions:
Now... connecting remotely, as a rule your command does not log in as such, so it does not start ssh-add. You could work around this, by executing a script which
- starts
ssh-agent - starts
ssh-add - adds your key
- runs the command that you want.
The weak point is the second step: you would still get prompted for the passphrase, unless you weaken your security by using a key that has no passphrase. Some people do this, most people advise against.
2You will still get password prompt to decrypt private key even if it is loaded into ssh-agent until the corresponding SSH public key is added into remote ~/.ssh/authorized_keys.
To reproduce:
# We are about to ssh to localhost, therefore, unauthorized everyone.
$ rm ~/.ssh/authorized_keys
$ eval $(ssh-agent)
# Agent pid 9290
$ ssh-add
# Enter passphrase for /home/uvsmtid/.ssh/id_rsa:
# Identity added: /home/uvsmtid/.ssh/id_rsa (/home/uvsmtid/.ssh/id_rsa)
$ ssh localhost
# Enter passphrase for key '/home/uvsmtid/.ssh/id_rsa':
# uvsmtid@localhost's password: # NOTE: See password prompt for private key # (and only then prompt for remote login). # Why? Isn't the private key is already loaded by `ssh-add`?
$ ssh-copy-id localhost
$ ssh localhost # NOTE: No password for private key anymore. # The key is served by `ssh-agent`.Confusing enough. Remote SSH login password would be enough in this case.
I can speculate that this prevents adding your public key (which is paired with encrypted private key) without knowing encryption password for corresponding private key. It is one-time-per-remote-login procedure anyway.
On Mac, add UseKeyChain to ~/.ssh/config
nano ~/.ssh/configand add the following
Host * UseKeychain yes The following steps work for me on mac.
$ ssh-keygen -p
# Start the SSH key creation process
> Enter file in which the key is (/Users/you/.ssh/id_rsa): [Hit enter]
> Key has comment '/Users/you/.ssh/id_rsa'
> Enter new passphrase (empty for no passphrase): [Type new passphrase]
> Enter same passphrase again: [One more time for luck]
> Your identification has been saved with the new passphrase.Details link is here
To run only one ssh-agent per session add this to your RC file (e.g. ~/.bashrc):
if [ -S ~/.ssh/socket ]; then eval $(ssh-agent) ln -sf "$SSH_AUTH_SOCK" ~/.ssh/socket
fi
export SSH_AUTH_SOCK=~/.ssh/socketTo get asked for a passphrase only once when SSH tries to use a key for the first time add this at the beginning of your ~/.ssh/config:
AddKeysToAgent yes