Automated ssh-keygen without passphrase, how?

  • I would like to make an automated script that calls ssh-keygen and creates some pub/private keypairs that I will use later on. In principle everything works fine with....
    ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q
    ...except that it asks me for the passphrase that would encrypt the keys. This make -at present- the automatisation difficult.

    I could provide a passphrase via the command line argument -N thepassphrase, so to keep the prompt from appearing. Still I do not even desire to have the keys -additionally secured by encryption- and want the keypairs to be plaintext.

    What is a (the best) solution to this problem?

    The -q option which supposedly means "quiet/silent" does still not avoid the passphrase interaction. Also I have not found something like this
    ssh-keygen ...... -q --no-passphrase

    Please do not start preaching about or lecture me to the pro and cons of the "missing passphrase", I am aware of that. In the interactive form (not as a script) the user can simply hit [ENTER] twice and the key will be saved as plaintext. This is what I want to achieve in a script like this:

    # this should not stop the script and ask for password
    ssh-kegen -b 2048 -t rsa -f /tmp/sshkey -q
  • This will prevent the passphrase prompt from appearing and set the key-pair to be stored in plaintext (which of course carries all the disadvantages and risks of that):

    ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""

    This works. In case `/tmp/sshkey` already exists one gets an overwrite prompt, though. This can be prevented via redirecting/closing stdin - e.g. via adding `0>&-`.

    So bad practice to generate a clear pair of keys in /tmp ;)

  • The simplest way I found to do what you want is this (example using default filename)

        cat /dev/zero | ssh-keygen -q -N ""

    If the ~/.ssh/id_rsa file already exists, the command will exit without modifying anything.

    If not, you get a brand new key, in that filename.

    Either way, you haven't overwritten anything, and you know at the end you have a key.

    confirmed: on lubuntu 14.04.2

    If you really want it quiet, pipe the output to /dev/null: `cat /dev/zero | ssh-keygen -q -N "" > /dev/null`

    On (admittedly antique) SLES 11 the above command fail to produce a key. `yes "" | ssh-keygen -N "" >&- 2>&-` works just fine however and does not output anything (whether or not a keyfile already exists), and does not overwrite a previously existing keyfile.

    Verified on Ubuntu trusty (14.04)

    Why do you cat /dev/zero?

  • This worked for me:

    ssh-keygen -t rsa -f /home/oracle/.ssh/id_rsa -q -P ""

    The -P is the passphrase option, and "" is the empty passphrase.

    key_save_private: No such file or directory

    The `-P ` option is to provide the (old) passphrase.

    works, but if the key already exist it ask for overwrite

  • You can use expect to send the "enter" for you

    set -x
    XYZ=$(expect -c "
    spawn ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q
    expect \"Enter passphrase (empty for no passphrase):\"
    send \"\r\"
    expect \"Enter same passphrase again:\"
    send \"\r\"

    But be aware, that if the file /tmp/sshkey already exists it will fail because the output of the command will be different.

    thank you for the contribution. the expect seems even a more versatile for problems in the same kind.... well those where scripting and user-interaction would conflict. I will be aware of the potential conflicht that /tmp/sshkey already exists and check for it prior to using your command.

  • I did a simple echo before ssh-keygen. So su - <user> -c "echo |ssh-keygen -t rsa"

    This was tested on Redhat 6

    I don't think this is the best answer around, but I think there isn't any reason to downvote either, guys.

  • For another user, tested on Ubuntu 18.04:

    sudo -u username bash -c "ssh-keygen -f /tmp/sshkey -N ''"

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM