Automated ssh-keygen without passphrase, how?
I would like to make an automated script that calls ssh-keygen and creates some pub/private keypairs that I will use later on. In principle everything works fine with...
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q
...except that it asks me for the passphrase that would encrypt the keys. This makes, at present, the automation difficult.
I could provide a passphrase via the command line argument -N thepassphrase, so as to keep the prompt from appearing. Still, I do not even desire to have the keys additionally secured by encryption, and want the keypairs to be plaintext.
What is a (the best) solution to this problem?
The -q option, which supposedly means "quiet/silent", still does not avoid the passphrase interaction. Also I have not found something like this:
ssh-keygen ...... -q --no-passphrase
Please do not start preaching about or lecturing me on the pros and cons of the "missing passphrase"; I am aware of that. In the interactive form (not as a script) the user can simply hit [ENTER] twice and the key will be saved as plaintext. This is what I want to achieve in a script like this:
#!/bin/bash
command1
command2
var=$(command3)
# this should not stop the script and ask for a password
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q
This will prevent the passphrase prompt from appearing and set the key-pair to be stored in plaintext (which of course carries all the disadvantages and risks of that):
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
This works. In case `/tmp/sshkey` already exists one gets an overwrite prompt, though. This can be prevented via redirecting/closing stdin - e.g. via adding `0>&-`.
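The following script is an added example, not part of the answer above: it wraps the `-N ""` approach in an idempotent function that refuses to touch an existing key, closes stdin so no prompt (passphrase or overwrite) can ever block the script, and adds a check a practitioner wants after the fact, namely that the key on disk really is unencrypted. It assumes OpenSSH's ssh-keygen is on PATH; the function names, the key path and the comment string are illustrative.

```shell
#!/bin/bash
# Added example (not from the original post): non-interactive, idempotent
# ssh-keygen wrapper plus a check that the resulting key is passphrase-less.

# ensure_ssh_key PATH [COMMENT]
# Returns 0 if a keypair exists at PATH afterwards (pre-existing or freshly
# generated), 1 if generation failed, 2 if ssh-keygen is not installed.
ensure_ssh_key() {
    local key="$1" comment="${2:-automation-key}"
    if [ -f "$key" ] && [ -f "$key.pub" ]; then
        return 0                      # already present: never overwrite
    fi
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    mkdir -p "$(dirname "$key")" || return 1
    # -N ""       empty passphrase, so the passphrase prompt never appears
    # -q          no banner / randomart output
    # </dev/null  stdin is EOF: any unexpected prompt (e.g. "Overwrite (y/n)?"
    #             in a race) fails immediately instead of hanging the script
    ssh-keygen -t rsa -b 2048 -f "$key" -N "" -q -C "$comment" </dev/null \
        || return 1
    chmod 600 "$key"
    return 0
}

# key_has_no_passphrase PATH
# Returns 0 if the private key can be read with an empty passphrase.
# -y prints the public key derived from the private key; -P "" supplies the
# (empty) passphrase so ssh-keygen errors out instead of prompting when the
# key is actually encrypted.
key_has_no_passphrase() {
    ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1
}

# Example usage when run directly (path is illustrative):
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    keyfile="${1:-/tmp/sshkey}"
    ensure_ssh_key "$keyfile" && key_has_no_passphrase "$keyfile" \
        && echo "plaintext keypair ready at $keyfile"
fi
```

Because the existence check comes first, running the script twice is safe: the second run is a no-op rather than an overwrite prompt or a silently replaced key. The `key_has_no_passphrase` check is the one worth keeping in a provisioning pipeline, since a key that was unexpectedly generated encrypted would only surface later as a hung `ssh` invocation.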
The simplest way I found to do what you want is this (example using the default filename):
cat /dev/zero | ssh-keygen -q -N ""
If the ~/.ssh/id_rsa file already exists, the command will exit without modifying anything.
If not, you get a brand new key, in that filename.
Either way, you haven't overwritten anything, and you know at the end you have a key.
If you really want it quiet, pipe the output to /dev/null: `cat /dev/zero | ssh-keygen -q -N "" > /dev/null`
On (admittedly antique) SLES 11 the above command fails to produce a key. `yes "" | ssh-keygen -N "" >&- 2>&-` works just fine however, does not output anything (whether or not a keyfile already exists), and does not overwrite a previously existing keyfile.
This worked for me:
ssh-keygen -t rsa -f /home/oracle/.ssh/id_rsa -q -P ""
-P is the passphrase option, and "" is the empty passphrase.
The `-P ` option is to provide the (old) passphrase. https://linux.die.net/man/1/ssh-keygen
You can use expect to send the "enter" for you:
cat test.sh
#!/bin/bash
set -x
XYZ=$(expect -c "
spawn ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q
expect \"Enter passphrase (empty for no passphrase):\"
send \"\r\"
expect \"Enter same passphrase again:\"
send \"\r\"
# wait for ssh-keygen to finish writing the files before expect exits
expect eof
")
But be aware that if the file /tmp/sshkey already exists, it will fail because the output of the command will be different.
Thank you for the contribution. expect seems even more versatile for problems of the same kind... well, those where scripting and user interaction would conflict. I will be aware of the potential conflict that /tmp/sshkey already exists and check for it prior to using your command.