How to provide public key pass phrase in python fabric

The simple code I have written is :

from fabric.api import env, settings, put

# Placeholder values: the question does not show how these three names are set.
user = 'amby'
local_path = 'fabric_test.py'
remote_path = '/tmp/fabric_test.py'

env.host_string = '15.21.18.24'
# key_filename is meant to point at the private key (id_rsa), not the .pub file
with settings(user=user, key_filename='/home/amby/.ssh/id_rsa.pub'):
    put(local_path, remote_path)

Now I have pass_phrase for the public key. How do I code that pass phrase? I want it to be automated.

Right now it is asking for pass phrase.

amby@amby-laptop:~/Desktop$ python fabric_test.py
[15.21.18.24] Passphrase for private key:
Amby asked Dec 15 '22 19:12

1 Answer

A quick note on terminology. The passphrase is for the private key, as the prompt indicates. With ssh key pairs, the key is in two parts - the private key needs to be kept secure, and secret and never leaves the ssh initiating session. The public key is safe to share, and can be transmitted freely.

When you are trying to automate ssh transactions, and you have to supply a passphrase, and you are considering storing the passphrase somewhere in the script or configuration, then the passphrase is no longer a secret, and you might as well have no passphrase.


A couple of things you can try

1) Don't bother with a passphrase! They are optional. Generate a key without a passphrase, for use by your scripts. Obviously this is less secure than a keypair that has one, and you should take additional steps to lock this down. You can restrict the commands that this ssh key is authorized to run by providing additional parameters in the authorized_keys file on the remote host. In this way, you can have a less secure key but limit the damage that anyone who managed to get access to the private key could do.

You can generate a new keypair with ssh-keygen. Give it a new filename, just hit enter when prompted for a passphrase, which will get you a new private/public keypair to use with your script, that will not require a passphrase entry.

The authorized_keys file needs to exist in the ~/.ssh directory of the remote user account on the remote host. A typical key entry will look like this (I've truncated the key fingerprint for clarity). If you don't have one there already, you can make a new one. To this file you need to add the text of the public key file from your new keypair. This is the one with a .pub extension. The public key text has this format.

ssh-rsa AAAAB3NzaC1yc... [email protected]

It consists of several fields all on one line, separated by spaces. The first field is the key type. The long string of letters and numbers encodes the public key of the keypair. The final field is a comment to help identify the key to humans, typically it has the user and host name that the key was generated on. You can optionally add an options field to the front of a key entry. This contains a comma separated set of options values applicable to sessions launched via this keypair. You can add a command parameter to the options field to the authorized keys, to identify specific commands the key is allowed to run. This can be used to limit the things a passphrase-less keypair is allowed to do.

command="/usr/bin/ls" ssh-rsa AAAAB3NzaC1yc... [email protected]

This keypair can only run 'ls' remotely.


2) Use the ssh-agent. If you have an authenticated agent in your shell environment when you execute the script, it will provide the ssh key credentials without you having to provide a passphrase every time.

Typical usage:

You run

eval `ssh-agent`

in a shell to launch the agent-daemon. The eval expression causes agent session environment variables to be set in the shell environment.

Now you can run

ssh-add ~/.ssh/my-passphraseless-private-key.rsa

to load the private key into the agent. The agent will ask you for the passphrase to unlock the key. Then it will cache the credentials for the lifetime of the shell. So you can run your scripts that use this key and they will not need to prompt for the passphrase.

cms answered Dec 21 '22 17:12
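An added example, not part of the question or the answer above: a small Python checker for the authorized_keys entry format the answer describes. It parses the optional options field (a quoted command="..." value may contain spaces and commas), then reports which keys carry no command= restriction, which is the audit you would run after deploying a passphrase-less key. The sample file contents and key material are constructed.

```python
# Audit authorized_keys entries: [options] key-type base64-key [comment]. The options
# field is comma-separated; quoted values (command="...") may contain spaces and commas.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _split(text, on_space):
    """Split on whitespace (on_space) or on commas, keeping double-quoted spans intact."""
    parts, cur, quoted = [], [], False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            quoted = not quoted  # a backslash-escaped quote does not toggle quoting
        if (ch.isspace() if on_space else ch == ",") and not quoted:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts

def parse_entry(line):
    """One line -> {'options', 'key_type', 'key', 'comment'}, or None for blanks/comments."""
    fields = _split(line.strip(), True)
    if not fields or fields[0].startswith("#"):
        return None
    # If the first field is not a key type, it is the options list.
    options = [] if fields[0] in KEY_TYPES else _split(fields.pop(0), False)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("unrecognised authorized_keys entry: %r" % line)
    return {"options": options, "key_type": fields[0], "key": fields[1],
            "comment": " ".join(fields[2:])}

def unrestricted_entries(text):
    """(line number, comment) of each key without a command= option, i.e. full shell access."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        names = {opt.split("=", 1)[0].lower() for opt in entry["options"]}
        if "command" not in names:
            found.append((n, entry["comment"] or entry["key_type"]))
    return found

# Constructed sample (not real keys): one command-restricted key and two unrestricted ones.
SAMPLE = """\
command="/usr/bin/ls -l /srv/uploads",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 deploy@build-box
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK amby@amby-laptop
from="10.0.0.0/8",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX backup@storage
"""
```

Note that a from= restriction alone, as on the third sample line, still leaves the key able to run any command from the allowed addresses, so it is reported too.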