parallel-ssh with Passphrase Protected SSH Key
Assuming that parallel-ssh and pssh are equivalent then yes, what you're attempting to do should work just fine with piping the passphrase in using the -A switch.
Example
Here's an example where I connect to 2 different systems, host1 and host2. I use the -l switch to pssh to provide a default user of root. However on host2 I override this in the -H switch by specifying the hostname as user1@host2.
$ pssh -A -i -H "host1 user1@host2" -l root 'echo "hi"'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 21:38:00 [SUCCESS] user1@host2
hi
Stderr:
This is a private site. Unauthorized connections are prohibited.
All activity may be logged. Disconnect immediately if you object to
this policy or are not an authorized user.
X11 forwarding request failed on channel 1
Killed by signal 1.
[2] 21:38:00 [SUCCESS] host1
hi
Stderr:
This is a private site. Unauthorized connections are prohibited.
All activity may be logged. Disconnect immediately if you object to
this policy or are not an authorized user.
ControlSocket /home/user1/.ssh/[email protected]:22 already exists, disabling multiplexing
X11 forwarding request failed on channel 0
Killed by signal 1.
When the above works you'll notice the output of the command I'm running, echo "hi".
Your issue
The problem you're running into with a passphrase on your SSH key pair is due to a bug. This is the bug titled: Issue 80: Not passing passphrase?. The 4th comment to that issue shows a patch:
excerpt
#4 [email protected]
I changed the line to
if not ( prompt.strip().lower().endswith('password:') or 'enter passphrase for key' in prompt.strip().lower()):
and it seems to work
References
- PSSH : Parallel SSH to execute commands on a number of hosts
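The prompt check from the quoted Issue 80 comment, as an added example (not part of the original answer and not pssh's own code). It compares the patched condition with an assumed pre-patch condition and a hypothetical stricter variant, using constructed prompt strings, to show which prompts would be answered with the secret typed at -A.

```python
# Added illustration; not pssh source. Only the condition in patched_accepts
# comes from the quoted comment. original_accepts is an assumed reconstruction
# of the unpatched line, stricter_accepts is hypothetical, and every prompt
# below is a constructed sample.

def original_accepts(prompt: str) -> bool:
    """Assumed pre-patch check: answer only prompts ending in 'password:'."""
    return prompt.strip().lower().endswith('password:')


def patched_accepts(prompt: str) -> bool:
    """Condition from the quoted comment, without the leading 'not'."""
    p = prompt.strip().lower()
    return p.endswith('password:') or 'enter passphrase for key' in p


def stricter_accepts(prompt: str) -> bool:
    """Hypothetical variant: the passphrase text must open the prompt,
    rather than appear anywhere inside it."""
    p = prompt.strip().lower()
    return p.endswith('password:') or (
        p.startswith('enter passphrase for key ') and p.endswith(':'))


SAMPLE_PROMPTS = {  # constructed samples
    'password': "root@host1's password: ",
    'passphrase': "Enter passphrase for key '/home/user1/.ssh/id_rsa': ",
    'hostkey': "Are you sure you want to continue connecting (yes/no)? ",
    'embedded': "Note: enter passphrase for key later. Continue (yes/no)? ",
}


def decisions(check):
    """Map each sample name to True if the secret would be released to it."""
    return {name: check(text) for name, text in SAMPLE_PROMPTS.items()}


if __name__ == '__main__':
    for check in (original_accepts, patched_accepts, stricter_accepts):
        print(check.__name__, decisions(check))
```

The pre-patch check rejects the key passphrase prompt, which matches the failure described in the issue; the substring match in the patched line also accepts a prompt that only mentions the phrase.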
I managed to get this working by installing keychain rather than manually patching the bug causing my issues.
Install and Manually Run keychain
# install keychain package
$ sudo apt-get install keychain
# add my key to the keychain, entering passphrase when asked
$ keychain ~/.ssh/id_rsa
# source the file generated by the above command
$ . ~/.keychain/$(uname -n)-sh
Run Command without Password/Passphrase Input
Now this time I don't need my passphrase when calling parallel-ssh as the keychain takes care of the authentication:
$ parallel-ssh --hosts=machines --user=my_user --timeout=0 'sudo apt-get update'
[1] 14:52:15 [SUCCESS] amritiii
[2] 14:52:17 [SUCCESS] odin
[3] 14:52:25 [SUCCESS] gmod
[4] 14:53:11 [SUCCESS] bioserver
[5] 14:53:14 [SUCCESS] thor
[6] 14:53:14 [SUCCESS] apollo
[7] 14:53:16 [SUCCESS] gbdev
[8] 14:53:17 [SUCCESS] code
[9] 14:53:18 [SUCCESS] hathor
[10] 14:53:34 [SUCCESS] ldap
Run keychain on login
Rather than having to manually run and add your key to the keychain, simply add the following to the end of your ~/.bash_profile:
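# load the key into keychain, clearing any previously cached keys first
keychain --clear $HOME/.ssh/id_rsa
# source the file generated by the above command
. $HOME/.keychain/$(uname -n)-sh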
This ensures that on your first login, following a reboot, you are prompted for your key's passphrase. Your key will then stay in the keychain till the next reboot or you clear the keychain manually.
Cron Jobs Using the keychain
With the above entered into your ~/.bash_profile file, you can take advantage of the fact your key is now stored in the keychain by sourcing the same file before your cronjob is run. For example, I have a backup script which runs at 21:00 each night and copies stuff to a remote computer via SSH. This is an entry in my crontab (crontab -e):
0 21 * * * . $HOME/.keychain/$(uname -n)-sh; $HOME/backup_script.sh