scp inside sh-script with passphrase

You can't provide passphrase to scp with argument.

However you can use authentication by key: ssh-keygen will generate rsa keys pair for authentication ssh-copy-id will copy your public key to another host.

if you can't or don't want to use authentication by keys then you can write expect script and provide passphrase from this script. It's not most secure way of implementing this!


First, let's sort out some factoids that are easy to confuse:

  • SSH (and hence scp) supports various methods of authentication. The two most popular by far are "password" and "publickey"
  • If one uses "publickey", then the client side has to have a private and a public key file [1]. The private one may or may not be encrypted with a passphrase
  • When the "publickey" method is used, the ssh-agent can hold private keys in memory. This can be handy when a private key file is encrypted and one doesn't want to type in its passphrase time and again. But the ssh-agent is of NO help where the password-based authentication method is used.

In the context of SSH, when people use the term ...

  • ... "password", they usually mean the password-based authentication method
  • ... "passphrase", they usually mean the passphrase a private key file is encrypted with

... but of course that is only a convention and a great source of confusion.

That said, I try to answer your question:

In case you mean password-based SSH authentication:

  • Use a client software that allows to provide the SSH password in batch mode (e.g. as command line option, as STDIN, or as a environment variable). OpenSSH does NOT support this!
  • Or wrap an 'expect' script around ssh/scp, as discussed in [2].
  • Or switch from password-based to publickey authentication.

In case you mean publickey authentication with a passphrase-encrypted private key file:

  • Remove the passphrase protection from the private key file, see e.g. [3].
  • Or preload the key manually into a ssh-agent, and make sure that (a) the ssh-agent is still alive when the script runs, and (b) that the script can find the agent's unix socket ($SSH_AUTH_SOCK)
  • [1] In the case of OpenSSH e.g. ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The content of the latter should get appended to the server-side's ~/.ssh/authorized_keys
  • [2] https://stackoverflow.com/questions/19101879/bash-expect-script-for-ssh
  • [3] https://stackoverflow.com/questions/112396/how-do-i-remove-the-passphrase-for-the-ssh-key-without-having-to-create-a-new-ke

Tags:

Scp

Passphrase

Related

HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed MySQL remote connection - Access denied for user 'username'@'localhost' (using password: YES) ssh host key certificates, find validity period remotely? How to get dig +short to return something when there is no answer? Advanced Audit Policy not getting applied on 2012 R2 proFTPD unable to determine IP address Windows Server Backup Fails: There is not enough disk space to create the volume shadow copy... How to use terraform.io to change the image of a stateful server without downtime or data loss? Automatic way to increase zone file serial number by one in BIND9 Invalid command 'AuthType', perhaps misspelled or defined by a module not included in the server configuration location of 70-persistent-net.rules in Centos 7 Logstash parsing xml document containing multiple log entries

Recent Posts