parallel-ssh with Passphrase Protected SSH Key

I’d like to use my passphrase protected SSH key when performing tasks with parallel-ssh (and related tools). However, I can’t get this to work.

All the documentation, regarding parallel-ssh, show that I should be able to use --askpass or -A to do this:

-A
--askpass
      Prompt  for  a  password  and pass it to ssh.  The password may be 
      used for either to unlock a key or for password authentication.  The 
      password is transferred in a fairly secure manner (e.g., it will not 
      show up in argument lists).  However, be aware that a root user on 
      your system could potentially intercept the password.

However, when I enter the passphrase of my key, it doesn’t work:

$ parallel-ssh --hosts=machines --user=my_user --askpass \
    --timeout=0 --inline -v 'sudo apt-get update'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 09:59:36 [FAILURE] amritiii Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[2] 09:59:37 [FAILURE] gbdev Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[3] 09:59:37 [FAILURE] code Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[4] 09:59:37 [FAILURE] apollo Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[5] 09:59:37 [FAILURE] odin Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[6] 09:59:37 [FAILURE] hathor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[7] 09:59:37 [FAILURE] ldap Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[8] 09:59:37 [FAILURE] thor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[9] 09:59:37 [FAILURE] bioserver Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).

I’ve confirmed that my SSH key and passphrase work on each of the machines so I have no idea how to get this working.

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

Assuming that parallel-ssh and pssh are equivalent then yes what you’re attempting to do should work just fine with piping the passphrase in using the -A switch.

Example

Here’s an example where I connect to 2 different systems, host1 and host2. I use the -l switch to pssh to provide a default user of root. However on host2 I override this in the -H switch by specifying the hostname as [email protected].

$ pssh -A -i -H "host1 [email protected]" -l root 'echo "hi"'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 21:38:00 [SUCCESS] [email protected]
hi
Stderr: 
This is a private site.  Unauthorized connections are prohibited.  
All activity may be logged.  Disconnect immediately if you object to 
this policy or are not an authorized user.

X11 forwarding request failed on channel 1
Killed by signal 1.
[2] 21:38:00 [SUCCESS] host1
hi
Stderr: 
This is a private site.  Unauthorized connections are prohibited.  
All activity may be logged.  Disconnect immediately if you object to 
this policy or are not an authorized user.

ControlSocket /home/user1/.ssh/[email protected]:22 already exists, disabling multiplexing
X11 forwarding request failed on channel 0
Killed by signal 1.

When the above works you’ll notice the output of the command I’m running, echo "hi".

Your issue

The problem you’re running into with a passphrase on your SSH key pair is due to a bug. This is the bug titled: Issue 80: Not passing passphrase?. The 4th comment to that issue shows a patch:

excerpt

#4 robine…@gmail.com

I changed the line to

  if not ( prompt.strip().lower().endswith('password:') or 
        'enter passphrase for key' in prompt.strip().lower()):

and it seems to work

References

Solution 2

I managed to get this working by installing keychain rather than manually patching the bug causing my issues.

Install and Manually Run keychain

# install keychain package
$ sudo apt-get install keychain

# add my key to the keychain, entering passphrase when asked
$ keychain ~/.ssh/id_rsa

# source the file generated by the above command
$ . ~/.keychain/$(uname -n)-sh

Run Command without Password/Passphrase Input

Now this time I don’t need my passphrase when calling parallel-ssh as the keychain takes care of the authentication:

$ parallel-ssh --hosts=machines --user=my_user --timeout=0 'sudo apt-get update'
[1] 14:52:15 [SUCCESS] amritiii 
[2] 14:52:17 [SUCCESS] odin
[3] 14:52:25 [SUCCESS] gmod
[4] 14:53:11 [SUCCESS] bioserver
[5] 14:53:14 [SUCCESS] thor
[6] 14:53:14 [SUCCESS] apollo
[7] 14:53:16 [SUCCESS] gbdev
[8] 14:53:17 [SUCCESS] code
[9] 14:53:18 [SUCCESS] hathor
[10] 14:53:34 [SUCCESS] ldap

Run keychain on login

Rather than having to manually run and add your key to the keychain, simply add the following to the end of your ~/.bash_profile:

$ keychain --clear $HOME/.ssh/id_rsa
$ . $HOME/.keychain/$(uname -n)-sh

This ensures that on your first login, following a reboot, you are prompted for your key’s passphrase. Your key will then stay in the keychain till the next reboot or you clear the keychain manually.

Cron Jobs Using the keychain

With the above entered into your ~/.bash_profile file, you can take advantage of the fact you’re key is now stored in the keychain by souring the same file before your cronjob is run. For example I have a backup script which runs at 21:00 each night and copies stuff to a remote computer via SSH. This is an entry in my crontab (crontab -e):

 0 21 * * * . $HOME/.keychain/$(uname -n)-sh; $HOME/backup_script.sh

Solution 3

Use the ssh-agent to authenticate automatically ( with a shell name as argument to have the agent environment variables set in that new shell).
Add the key with ssh-add and type your password only once.

$ ssh-agent bash
$ ssh-add
Enter passphrase for /xxxx/.ssh/identity: 
$ 
$ pssh ...

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply