# ssh passphrases - don't want the prompt [solved]

## jthompson

I am trying to do an unattended backup with rdiff-backup from one machine to the other on the same subnet in the same place.

I have successfully done it manually, but it asks me for the ssh key passphrase every time.

I followed the Gentoo Keychain Guide, but I get stumped at the part where it tells you that you can magically make the passphrase prompt go away.

If I do an ssh <server name>, it still asks me for the key passphrase.

Should I post the output of ssh-agent?

Here is the sshd_config on the server:

```
#       $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
```

Am I missing something that I have to do on the client? or maybe in sshd_config on the server?

----------

## YopWongSapn

```
man ssh
```

Take a look at the -i flag...this allows you to specify an identity file.  With this flag set you can eliminate the password prompt.

----------

## ekutay

You can also set it in the ssh config file if you prefer:

```
Host yourhostnick
    HostName host.domain
    User youruser
    ...
```

 

Edit: and your agent must be available in the environment, otherwise your script or cron job will not find it. You could use a key without a passphrase too.

----------

## jthompson

Ok I tried:

```
ssh -i /home/username/.ssh/id_dsa server
```

And I got

```
Enter passphrase for key /home/username/.ssh/id_dsa
```

There is an option under man ssh_config:

```
PasswordAuthentication yes|no
```

But isn't that bad if I set that to no?

----------

## jthompson

Ok I tried using the config file also and it still asks me for a passphrase key.

If I run ssh-agent, I don't get any error messages.

But if I do:

```
ssh-add /home/user/.ssh/id_dsa
```

I get:

```
Could not open connection to your authentication agent.
```

I must be missing some small step or config option somewhere.  Any ideas?

----------

## adaptr

You must be actually running ssh-agent for this to work, obviously.

----------

## jthompson

I hate to be such a newb, but how do I start up ssh-agent?

When I type ssh-agent, I get some output, but it apparently doesn't start up.

I can type ssh-agent while logged in as the user that I'm trying to get this to work on.

I get output and it says that it sets environment variables.

However, if I do ssh-add or ssh-agent -k it claims that the agent is not running.

----------

## jthompson

Ok the output of ssh-agent is:

```
SSH_AUTH_SOCK=/tmp/ssh-bmsXKD8937/agent.8937; export SSH_AUTH_SOCK;
SSH_AGENT_PID=8938; export SSH_AGENT_PID;
echo Agent pid 8938;
```

After this if I try to stop it or kill it then I get:

```
$ ssh-agent -k
SSH_AGENT_PID not set, cannot kill agent
```

So the variable isn't getting set, why?

----------

## rex123

If your key is passphrase-protected, you are going to need to put a passphrase in somewhere along the line. The value of using key pairs is that you only need to enter your passphrase once, after which all your ssh commands will use the in-memory decrypted private key.

If you want to use a key in a cron job, I think you could look into making one-off private keys with specific purposes. In the .ssh/authorized_keys2 file on the server, you can specify options that restrict certain keys to certain hosts, certain commands, etc. This should be a reasonable alternative to having a passphrase.

----------

## ekutay

You can start the ssh-agent and redirect its output to a file

```
ssh-agent > $HOME/.myagent
```

then source the file

```
source $HOME/.myagent
```

Now you should be able to connect to the ssh-agent in the current shell. ssh-add should give you a password prompt now (and as long as the agent runs, this will be set and used by every ssh connection).

If you put this source statement in a file that automatically gets sourced at login, such as .bashrc or .login, or here in the script which does your unattended rdiff, add

```
source $HOME/.myagent 1>/dev/null
```

to get rid of unnecessary output.

Hope this helps

----------

## davidblewett

Try these 2 programs out:

```
#emerge keychain

#emerge pam_ssh
```

The first automates the use of ssh-agent. I like the second program even better. You can set it so that you log in via PAM by using the passphrase to your private key. If it's correct, it will load the ssh-agent or use an existing one if you've already logged in. Good stuff!

----------

## jthompson

Thanks, the keychain utility worked.  It's a little misleading in the how-to because it leads you to believe that you should be able to log in without a password prompt without it.  Maybe I just wasn't manually using ssh-agent properly.  Thanks.

Now, for the next part, to automate the guy.  This post looks interesting on how to do that.

https://forums.gentoo.org/viewtopic-t-319465-highlight-rdiffbackup.html

----------

## mlybarger

I just went through the keychain guide using two machines, configuring each as both a client and a server (I want to ssh freely between the two).  From machineA to machineB, I'm prompted for a password (OS/shell password), and from machineB to machineA, I'm now prompted for a passphrase (the one I gave when running ssh-keygen per the guide).  On both systems I have changed /etc/ssh/sshd_config to:

```
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
```

and I restarted the sshd servers.  No help.  Do I need to reboot my machines for this to take effect?

----------

## jthompson

I followed the how-to:

http://www.gentoo.org/doc/en/keychain-guide.xml

There are a couple of things that are misleading though.  One is the fact that the first part seems to replace your pam password with a passphrase.  In order to get rid of it prompting you for a passphrase, you have to emerge keychain, which is the next part of the how-to.  It is also user account specific.  

I also remember having to run a couple of the commands on the client and the remote.  

So on the client you should:

```
ssh-keygen -t dsa
```

Then, also on the client under the same user account...

```
$ scp ~/.ssh/id_dsa.pub server_user@server:~/myhost.pub

$ ssh server_user@server "cat ~/myhost.pub >> ~/.ssh/authorized_keys"

$ ssh server_user@server "cat ~/.ssh/authorized_keys"
```

This copies everything over to the server.

Then:

```
 ssh server_user@server
```

It's still going to ask you for a passphrase.

At this point, it claims if you run ssh-agent, it should automagically eliminate the prompting for the passphrase.  However, I found that it did not, and I had to:

```
emerge keychain
```

You will have to su to root to do so.

Then on the client put the following lines in your username's .bash_profile (/home/username/.bash_profile):

```
keychain ~/.ssh/id_dsa
. ~/.keychain/$HOSTNAME-sh
```

Then hopefully it will work.  However, for some odd reason I never did get rdiff-backup to work with this utility; I had to use a different approach.

https://forums.gentoo.org/viewtopic-t-336398-highlight-rdiff.html

----------
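Putting rex123's suggestion and the copy-the-key steps above together, as an added example that is not from any post in this thread: a script that installs a dedicated backup key into authorized_keys with the `command=` and `from=` restrictions rex123 describes, without duplicating the line every time the step is repeated, and with the permissions that sshd's `StrictModes yes` (the default, left in place in the posted sshd_config) requires. A group- or world-writable home, `~/.ssh` or authorized_keys makes sshd silently ignore the key file and fall back to a password prompt, which is worth ruling out whenever a freshly copied key "does not work". The key string, the client address 192.168.1.10 and the scratch directory are constructed for the demo; `rdiff-backup --server` is the command rdiff-backup itself runs on the remote side.

```sh
#!/bin/sh
# Added example (not from the thread): install a dedicated, restricted
# backup key into authorized_keys. Runs against a scratch directory, so
# no real account is touched; the key material is a constructed placeholder.

# Build one authorized_keys line: options first, then the public key.
#   $1 = public key line (the contents of id_dsa.pub / id_rsa.pub)
#   $2 = client address or pattern allowed to use this key (from=)
#   $3 = the only command this key may run (command=)
# The no-* options keep the key from being turned into a shell or a tunnel.
restricted_key_line() {
    printf 'command="%s",from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$3" "$2" "$1"
}

# Append a key line unless it is already there. Plain `cat >> authorized_keys`,
# as in the thread, adds a duplicate every time the step is repeated.
#   $1 = path of authorized_keys, $2 = complete key line
install_key_line() {
    sshdir=$(dirname "$1")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$1" ] || : > "$1"
    chmod 600 "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Mirror the part of sshd's StrictModes check that bites in practice: the
# home directory, ~/.ssh and authorized_keys must not be group- or
# world-writable, or sshd ignores the key file and falls back to a password.
#   $1 = home directory to check; prints the first offending path, returns 1
check_strict_modes() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
        case "$mode" in
            *[2367]?|*[2367]) echo "bad permissions $mode on $p"; return 1 ;;
        esac
    done
    return 0
}

# --- demonstration on a scratch "home" ---------------------------------------
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDERKEYMATERIAL backup@client'
SAMPLE_FROM='192.168.1.10'          # assumed address of the backup client
SAMPLE_CMD='rdiff-backup --server'  # what rdiff-backup runs on the remote end

demo_home=$(mktemp -d)
demo_auth="$demo_home/.ssh/authorized_keys"
line=$(restricted_key_line "$SAMPLE_PUB" "$SAMPLE_FROM" "$SAMPLE_CMD")
install_key_line "$demo_auth" "$line"
install_key_line "$demo_auth" "$line"          # repeat: must not duplicate
echo "authorized_keys holds $(grep -c . "$demo_auth") line(s):"
cat "$demo_auth"
check_strict_modes "$demo_home" && echo "StrictModes checks pass"
chmod g+w "$demo_auth"                         # reproduce the classic mistake
check_strict_modes "$demo_home" || echo "sshd would now ignore this key file"
rm -rf "$demo_home"
```

Because the key is passphrase-less, the `from=` and `command=` options are what limit the damage if the client machine is compromised: the key can only reach the server from that address and can only start `rdiff-backup --server`, not a shell. Generate it separately (`ssh-keygen -t rsa -N '' -f ~/.ssh/backup_key`) rather than stripping the passphrase from your interactive key.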

## dnamroud

After starting the ssh-agent I am still asked to enter the passphrase.

What I did is:

```
$ ssh-keygen -t dsa
$ scp ~/.ssh/id_dsa.pub user@server:~/myhost.pub
$ ssh user@server "cat ~/myhost.pub >> ~/.ssh/authorized_keys"
$ ssh user@server "cat ~/.ssh/authorized_keys"
$ emerge keychain
```

Added this to my /home/user/.bash_profile:

```
keychain ~/.ssh/id_dsa
. ~/.keychain/$HOSTNAME-sh
```

```
$ ssh-agent
$ ssh user@server
```

It keeps asking me about my passphrase.

Am i missing something?

Thank you 

Dany

----------

## jthompson

Do you have a user on the server and the client with the same name and password?

----------

## dnamroud

The user/password on the server and the client are different.

----------

## jthompson

So I'm assuming you got it going?  I was taking a guess, hope it helped.

----------

## dnamroud

Do i need to have the same username/password on server and client?

Can you explain more what you mean?

thank you

----------

## jthompson

Yes, when I did it, I had the same username and password on the client and the server.

Both of the /home directories need to be created also on both machines.

For a new user:

```
useradd -m -G users username -s /bin/bash
passwd username
```

The -m option will create that /home directory if it doesn't exist.

So when you do

```
ssh servername
```

or

```
ssh IPaddress
```

you should be logged in as the user on the client that you want to use on the server.  So you may have the user backup on both machines.  Just log in as backup on the client and then connect to that same user backup on the server.  There may be other ways, but that's how I got it to work.

Also make sure both machines are in each others /etc/hosts file as well.

----------

## ekutay

Sorry, but I think both of you miss the feature of ssh-agent to add the password to the agent when passing the key, at least I haven't seen it in the last statements. You do not have to have the same user and password on both machines.

```
ssh-add .ssh/my_keyfile
```

will ask for the password and that's it, if your agent is found. To have your agent started one may also use eval to set the proper environment.

```
eval $(ssh-agent -s) > /dev/null 2>&1
```

To run this stuff in a script for rsyncing I usually prefer the option to generate a special rsync key with no password at all; you can then add the key to the running agent as described without being prompted for a password. In case you do so, kill the agent afterwards with

```
ssh-agent -k
```

```
eval $(ssh-agent -s) > /dev/null 2>&1
ssh-add /var/backup/rsync_id
./mybackupScript.sh
...
```

could be a solution for your problem. The same works with keychain too, but with different syntax.

----------

## dnamroud

I forgot to mention that I already used the ssh-agent before as described on the Gentoo website: http://www.gentoo.org/doc/en/keychain-guide.xml

However this is what I am always getting:

```
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-NNVPF22051/agent.22051; export SSH_AUTH_SOCK;
SSH_AGENT_PID=22052; export SSH_AGENT_PID;
echo Agent pid 22052;
$ ssh-add /home/user/.ssh/id_dsa
Could not open a connection to your authentication agent.
```

----------

## ekutay

I think it's now the third time in this thread:

Either do

```
eval $(ssh-agent -s) > /dev/null 2>&1
```

or follow my other advice and use a file

```
ssh-agent > $HOME/.myagent
source $HOME/.myagent
```

to source the needed variables after redirecting the output to a file. Either way makes the ssh-agent known to the currently running shell.

And ... I will not write it again. Besides the fact that there are also man pages, which should solve most problems, I have posted precisely what you would have to do to make this run in a previous post:

*ekutay wrote:*

> eval $(ssh-agent -s) > /dev/null 2>&1
> ssh-add /var/backup/rsync_id
> ...

Again: if you simply call ssh-agent, your shell does not magically know about your ssh-agent, its PID, its socket and so on and so forth.

----------
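The point ekutay makes three times in this thread (the `ssh-agent > $HOME/.myagent` plus `source` post, the `eval $(ssh-agent -s)` post, and the one just above) is that ssh-agent only prints shell code; it cannot set variables in the shell that called it, which is why a bare `ssh-agent` followed by `ssh-add` gives "Could not open a connection to your authentication agent". As an added example, not from the thread: a script that evaluates agent output the way `eval` and `source` do, checks that a saved agent is actually still alive before trusting it (a sourced .myagent keeps its variables after a reboot or `ssh-agent -k`, but the socket is gone), and starts a fresh agent only when needed, so one agent serves every login shell and the passphrase is typed once per boot. The sample agent output is the text jthompson posted; the function names, the liveness check and the temporary file are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): evaluate ssh-agent's output the way
# `eval $(ssh-agent -s)` / `source $HOME/.myagent` do, check that a saved
# agent is still alive, and start one only when needed. ssh-agent itself is
# only run if installed; the posted sample output exercises the parsing.

# ssh-agent never touches the calling shell; it prints shell code and the
# shell that will run ssh has to evaluate that code. A bare `ssh-agent` at
# the prompt therefore leaves SSH_AUTH_SOCK unset, which is the error
# "Could not open a connection to your authentication agent".
#   $1 = text in the format ssh-agent prints
load_agent_env() {
    # drop the "echo Agent pid N;" line so nothing is printed
    eval "$(printf '%s\n' "$1" | grep -v '^echo ')"
    if [ -n "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]; then
        return 0
    fi
    return 1
}

# A sourced agent file goes stale after a reboot or `ssh-agent -k`: the
# variables are set but the socket is gone, and ssh-add fails exactly as if
# no agent existed. Check the socket and the process before trusting it.
agent_alive() {
    if [ -n "$SSH_AGENT_PID" ] && [ -S "$SSH_AUTH_SOCK" ] \
        && kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        return 0
    fi
    return 1
}

# For .bash_profile/.profile: reuse the agent recorded in $1 if it is alive,
# otherwise start a new one and record it. One agent then serves every
# login shell, and ssh-add has to be answered once per boot, not per login.
#   $1 = agent file (the thread's $HOME/.myagent)
use_or_start_agent() {
    if [ -r "$1" ]; then
        load_agent_env "$(cat "$1")" || :
        if agent_alive; then
            return 0
        fi
    fi
    if ! command -v ssh-agent >/dev/null 2>&1; then
        echo "ssh-agent is not installed; nothing started" >&2
        return 1
    fi
    # the file names the socket; keep it private to the user
    (umask 077; ssh-agent -s > "$1")
    load_agent_env "$(cat "$1")"
}

# --- demonstration -----------------------------------------------------------
# Agent output exactly as jthompson posted it. That agent is long gone, so it
# must parse fine and then fail the liveness check.
POSTED_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-bmsXKD8937/agent.8937; export SSH_AUTH_SOCK;
SSH_AGENT_PID=8938; export SSH_AGENT_PID;
echo Agent pid 8938;'

load_agent_env "$POSTED_OUTPUT" && echo "parsed: pid=$SSH_AGENT_PID sock=$SSH_AUTH_SOCK"
agent_alive || echo "that agent is not running here; ssh-add would fail"

agentfile=$(mktemp)
if use_or_start_agent "$agentfile"; then
    echo "live agent, pid $SSH_AGENT_PID; ssh-add ~/.ssh/id_dsa would now prompt once"
    kill "$SSH_AGENT_PID"               # leave nothing behind after the demo
fi
rm -f "$agentfile"
```

Dropped into `~/.bash_profile` as `use_or_start_agent "$HOME/.myagent"`, this does what the keychain package does for the interactive case. For the unattended cron job the agent is the wrong tool altogether: cron has no login shell to inherit it from, so follow ekutay's other advice and point the backup at a dedicated passphrase-less key with `ssh -i`, restricted on the server side.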

## dnamroud

thanks for your help,

After repeating all steps from zero, now it is working

maybe i was lost with some directions and steps...

Thanks guys for your help

Dany

----------

## dnamroud

I have another question

After re-login, when trying to connect to the server, I am asked for my passphrase (just the first time).

After doing an ssh-add I can log in again without this prompt.

What do I need to do?

thx

----------

## ekutay

You have maybe the ssh agent running, but again the current shell, the shell you have created by relogin, does not know about this agent. Follow the file based solution and source the file in your $HOME/.profile or $HOME/.bashrc.

----------

