8

I'd like to use my passphrase protected SSH key when performing tasks with parallel-ssh (and related tools). However, I can't get this to work.

All the documentation regarding parallel-ssh shows that I should be able to use --askpass or -A to do this:

-A
--askpass
      Prompt  for  a  password  and pass it to ssh.  The password may be 
      used for either to unlock a key or for password authentication.  The 
      password is transferred in a fairly secure manner (e.g., it will not 
      show up in argument lists).  However, be aware that a root user on 
      your system could potentially intercept the password.

However, when I enter the passphrase of my key, it doesn't work:

$ parallel-ssh --hosts=machines --user=my_user --askpass \
    --timeout=0 --inline -v 'sudo apt-get update'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 09:59:36 [FAILURE] amritiii Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[2] 09:59:37 [FAILURE] gbdev Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[3] 09:59:37 [FAILURE] code Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[4] 09:59:37 [FAILURE] apollo Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[5] 09:59:37 [FAILURE] odin Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[6] 09:59:37 [FAILURE] hathor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[7] 09:59:37 [FAILURE] ldap Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[8] 09:59:37 [FAILURE] thor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[9] 09:59:37 [FAILURE] bioserver Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).

I've confirmed that my SSH key and passphrase work on each of the machines so I have no idea how to get this working.

2
  • I'm assuming that parallel-ssh is the same as pssh?
    – slm
    Commented May 12, 2014 at 1:25
  • Yes, parallel-ssh and pssh are indeed the same. Commented May 12, 2014 at 2:50

3 Answers

5

Assuming that parallel-ssh and pssh are equivalent, then yes, what you're attempting to do should work just fine with piping the passphrase in using the -A switch.

Example

Here's an example where I connect to 2 different systems, host1 and host2. I use the -l switch to pssh to provide a default user of root. However, on host2 I override this in the -H switch by specifying the hostname as user1@host2.

$ pssh -A -i -H "host1 user1@host2" -l root 'echo "hi"'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 21:38:00 [SUCCESS] user1@host2
hi
Stderr: 
This is a private site.  Unauthorized connections are prohibited.  
All activity may be logged.  Disconnect immediately if you object to 
this policy or are not an authorized user.

X11 forwarding request failed on channel 1
Killed by signal 1.
[2] 21:38:00 [SUCCESS] host1
hi
Stderr: 
This is a private site.  Unauthorized connections are prohibited.  
All activity may be logged.  Disconnect immediately if you object to 
this policy or are not an authorized user.

ControlSocket /home/user1/.ssh/[email protected]:22 already exists, disabling multiplexing
X11 forwarding request failed on channel 0
Killed by signal 1.

When the above works you'll notice the output of the command I'm running, echo "hi".

Your issue

The problem you're running into with a passphrase on your SSH key pair is due to a bug. This is the bug titled: Issue 80: Not passing passphrase?. The 4th comment to that issue shows a patch:

excerpt

#4 [email protected]

I changed the line to

  if not ( prompt.strip().lower().endswith('password:') or 
        'enter passphrase for key' in prompt.strip().lower()):

and it seems to work

4
  • Thanks for your input slm. parallel-ssh and pssh are indeed the same. I wasn't asking if it was possible - the documentation makes it clear that it is possible. I'm having trouble with actually getting it to work as it is documented. Commented May 12, 2014 at 2:49
  • 1
    @NathanS.Watson-Haigh - see update. It's a bug, I've ref'd the patch.
    – slm
    Commented May 12, 2014 at 5:24
  • This is indeed the issue which is affecting me. However, since the authors of parallel-ssh are still unsure how best to detect the password prompt question and thus respond with the password/phrase entered, I'm going to stick with my keychain method. I wouldn't want my passphrase to be inadvertently revealed to the wrong question prompt. Commented May 12, 2014 at 5:36
  • 1
    I'll accept this as the answer as you managed to figure out that this was a known bug in the way parallel-ssh passes the passphrase to SSH. However, for those who come across this question in future, this bug may have been fixed or you may choose not to edit the askpass_client.py file. In either case, you can get around this using the keychain answer (unix.stackexchange.com/a/128998/57414) or the ssh-agent answer (unix.stackexchange.com/a/129022/57414) Commented May 12, 2014 at 23:47
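
The prompt-matching question raised in the answer and comments above, as an added example (not pssh's own code and not part of the original posts): it compares the test implied before the patch, the patched test from comment #4, and a hypothetical stricter test against constructed prompts. The pre-patch form is an assumption inferred from the quoted patch; `strict_check`, the sample prompts and the `other_key` path are hypothetical.

```python
import re

# Single-line prompt ending in "password:" (case-insensitive).
PASSWORD_RE = re.compile(r"[^\n]*password:", re.IGNORECASE)
# The passphrase prompt as it appears in the question's Stderr output.
PASSPHRASE_RE = re.compile(r"Enter passphrase for key '([^'\n]+)':")

def original_check(prompt):
    """Assumed pre-patch test: only prompts ending in 'password:' are answered."""
    return prompt.strip().lower().endswith("password:")

def patched_check(prompt):
    """The test from comment #4: also accept the phrase anywhere in the prompt."""
    p = prompt.strip().lower()
    return p.endswith("password:") or "enter passphrase for key" in p

def strict_check(prompt, expected_key):
    """Hypothetical tighter test: the whole prompt must match and name our key."""
    p = prompt.strip()
    if PASSWORD_RE.fullmatch(p):
        return True
    m = PASSPHRASE_RE.fullmatch(p)
    return m is not None and m.group(1) == expected_key

# Constructed sample prompts (not captured from a real session).
KEY = "/home/nhaigh/.ssh/id_rsa"
PROMPTS = {
    "password": "my_user@odin's password: ",
    "our_key": "Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': ",
    "other_key": "Enter passphrase for key '/home/nhaigh/.ssh/other_key': ",
    "mention": "Note: 'Enter passphrase for key' may appear later.\nContinue (yes/no)? ",
}

def compare(prompts=PROMPTS, key=KEY):
    """Return {name: (original, patched, strict)} for each sample prompt."""
    return {name: (original_check(p), patched_check(p), strict_check(p, key))
            for name, p in prompts.items()}

if __name__ == "__main__":
    for name, (orig, patched, strict) in compare().items():
        print(f"{name:10} original={orig} patched={patched} strict={strict}")
```

The substring test answers any prompt that merely contains the phrase, which is the concern raised in the comment above; anchoring on the full prompt and the expected key path narrows where the secret can be sent.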
5

I managed to get this working by installing keychain rather than manually patching the bug causing my issues.

Install and Manually Run keychain

# install keychain package
$ sudo apt-get install keychain

# add my key to the keychain, entering passphrase when asked
$ keychain ~/.ssh/id_rsa

# source the file generated by the above command
$ . ~/.keychain/$(uname -n)-sh

Run Command without Password/Passphrase Input

Now this time I don't need my passphrase when calling parallel-ssh as the keychain takes care of the authentication:

$ parallel-ssh --hosts=machines --user=my_user --timeout=0 'sudo apt-get update'
[1] 14:52:15 [SUCCESS] amritiii 
[2] 14:52:17 [SUCCESS] odin
[3] 14:52:25 [SUCCESS] gmod
[4] 14:53:11 [SUCCESS] bioserver
[5] 14:53:14 [SUCCESS] thor
[6] 14:53:14 [SUCCESS] apollo
[7] 14:53:16 [SUCCESS] gbdev
[8] 14:53:17 [SUCCESS] code
[9] 14:53:18 [SUCCESS] hathor
[10] 14:53:34 [SUCCESS] ldap

Run keychain on login

Rather than having to manually run and add your key to the keychain, simply add the following to the end of your ~/.bash_profile:

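# drop any cached keys, then re-add the key (prompts for the passphrase)
keychain --clear $HOME/.ssh/id_rsa
# load the agent environment variables written by keychain
. $HOME/.keychain/$(uname -n)-sh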

This ensures that on your first login, following a reboot, you are prompted for your key's passphrase. Your key will then stay in the keychain till the next reboot or you clear the keychain manually.

Cron Jobs Using the keychain

With the above entered into your ~/.bash_profile file, you can take advantage of the fact your key is now stored in the keychain by sourcing the same file before your cronjob is run. For example, I have a backup script which runs at 21:00 each night and copies stuff to a remote computer via SSH. This is an entry in my crontab (crontab -e):

 0 21 * * * . $HOME/.keychain/$(uname -n)-sh; $HOME/backup_script.sh
1

Use the ssh-agent to authenticate automatically (with a shell name as argument to have the agent environment variables set in that new shell). Add the key with ssh-add and type your password only once.

$ ssh-agent bash
$ ssh-add
Enter passphrase for /xxxx/.ssh/identity: 
$ 
$ pssh ...
