Ubuntu – How to save an SSH key passphrase for an unattended process


I've created passphrase protected RSA key. The public key is installed on remote server in authorized_keys in the user's .ssh directory.

From requesting server, I can SSH into the remote server without a problem, but I need to enter passphrase every time I do this.

I want to use this key for a Munin server to SSH into a Munin node and get data, so the procedure fails because of the passphrase.

I have thought of two options:

  1. Remove the passphrase from the key.
  2. Save the passphrase somewhere, maybe in a configuration file?

Is there a better solution?

I think ssh-agent is supposed to do something like this, but I cannot find concise information about it.

Best Answer

  • You can use ssh-agent to do this. It allows you to store a passphrase in memory, rather than on disk. There is a good explanation of doing this for batch jobs here: http://www.akadia.com/services/ssh_agent.html.

    Essentially, you:

    1. Run ssh-agent in the background as the user that will be initiating the SSH connection.
    2. Use the ssh-add command to add the key to the agent. It will prompt for the passphrase.

    You can automate the running of ssh-agent by adding it to a script run at startup, but you still need to manually prime the agent with the key in order to enter the passphrase. So if you reboot, for example, you'll have to remember to do this.

    The point to consider is what you are trying to achieve by having a passphrase on the key being used, given that this is an automated system.

    1. If you use a key with a passphrase and store it in a configuration file then anyone who gains access to the key is likely to have access to the configuration file too, since they would both need to be accessible by the same user.
    2. If you use ssh-agent to store the passphrase then it still needs to run on the same machine as the key. It would be harder to get the passphrase out of memory than from a file, but you've just made their work harder rather than impossible impossible. However, if they gain the key without getting access to the machine (eg, from a backup), then this option is more secure.
    3. If you do not set a passphrase at all, someone who gets the key has no further work to do to be able to use it.

    In all three of these scenarios, you would be wise to plan for the worse and take steps to minimise the damage that could be done by someone who gains access to a usable key. For example, you could:

    • Use a specific user account that only has access to the data being retrieved.
    • Use a key that is only used for this purpose.
    • Restrict what host the key owner can SSH from.
    • Restrict what commands can be run using the key - see this.

    On balance, only you can weigh up the pros and cons of these approaches, and whether a manual process is acceptable in your situation.