39

I can connect to a server via SSH using the -i option to specify the private key:

ssh -i ~/.ssh/id_dsa user@hostname

I am creating a script that takes the id_dsa text from the database but I am not sure how I can give that string to SSH. I would need something like:

ssh --option $STRING user@hostname

Where $STRING contains the value of id_dsa. I need to know the --option if there is one.

AlG
rtacconi

3 Answers

41

Try the following:

echo "$KEY" | ssh -i /dev/stdin username@host command

The key doesn't appear in ps output, but because stdin is redirected it's only useful for single commands or tunnels.

user2132025
    Not working with ssh 6.9p1: Pseudo-terminal will not be allocated because stdin is not a terminal. – sivann Nov 09 '15 at 20:04
    note also, if you use this verbatim, replacing $KEY with your actual key, you'll leak it through your shell's history. The key should really come from stdin, not from shell. – Olaf Kock Mar 02 '17 at 19:27
    This only gives me: ```@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0660 for '/dev/stdin' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. Load key "/dev/stdin": bad permissions Permission denied (publickey).``` – MPV Apr 10 '17 at 14:47
  • will work via `fifo`, see https://unix.stackexchange.com/a/235392/78029 – ab77 Jul 18 '18 at 19:36
15

There is no such switch, as it would leak sensitive information. If there were, anyone could get your private key by running a simple ps command.

EDIT: (because of the added details in the comment)

You really should store the key in a temporary file. Make sure you set the permissions correctly before writing to the file if you do not use a command like mktemp to create the temporary file.

Make sure you run the broker (or agent, in the case of OpenSSH) process and load the key using <whatever command you use to fetch it from the database> | ssh-add -

Kimvais
    I am not sure if I understand your second paragraph. I do not want any agent involved. I am using the ssh shell command in a Ruby application, where I have an infrastructure with an associated public and private key. With the private key, taken from the record of the infrastructure, I want to connect and run a command on a remote host. That's why I want to keep the private key in the record of the infrastructure. But it is probably better to store the path of a file and pass the path to the ssh command. – rtacconi Aug 20 '12 at 18:00
    @rtacconi You could implement the [ssh-agent protocol](http://api.libssh.org/rfc/PROTOCOL.agent). – ephemient Aug 20 '12 at 19:29
  • @kimvais I checked in man ssh and I cannot see any option to use a string instead of a file. – rtacconi Aug 21 '12 at 08:31
    I disagree with this sentiment. I'd argue that transient data is always more secure than permanent data. With the right tools most deleted files can still be read. I'm looking for a solution which receives keys from a server and utilizes them on the fly as part of a CI process. Perhaps a shell is the wrong tool for this? – Alex Jansen Jan 15 '19 at 01:50
2

Passing a crypto key as a string is not advisable, but for the sake of the question, I would say I came across the same situation, where I needed to pass the key as a string in a script. I could have used a key stored in a file too, but the nature of the script is to be very flexible; containing everything in itself was a requirement. So I used to assign a variable, pass it and echo it as follows:

#!/bin/bash
KEY="${ YOUR SSH KEY HERE INSIDE }"
echo "${KEY}" | ssh -q -i /dev/stdin username@IP 'hostnamectl'
exit 0

Notes: -q suppresses all warnings

By the way, the catch in the above script is that since we are using echo it will print the ssh key, which again is not recommended. To hide that you can use grep to grep for something which will not be printed for sure, but stdin will still have the value from the echo. So the final cmd can be modified as follows:

#!/bin/bash
KEY="${ YOUR SSH KEY HERE INSIDE }"
echo "${KEY}" | grep -qw "less" | ssh -q -i /dev/stdin username@IP 'hostnamectl'
exit 0

This worked for me.

SAGAR BHOOSHAN
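The following is an added example, not code from any of the three answers above. It does what the second answer recommends and avoids the failure modes the comments under the first answer report: the key string comes from a command (a stand-in `fetch_key_from_db` here, whose key material is a constructed placeholder, not a real key) rather than from a literal on the command line, so it never lands in shell history or `ps` output; it is written to a `mktemp`-created 0600 file, so ssh's "UNPROTECTED PRIVATE KEY FILE" check passes; stdin is left untouched, so a pseudo-terminal can still be allocated; and the file is overwritten and removed as soon as the one ssh call returns. `ssh -i`, `-o IdentitiesOnly=yes`, `ssh-add -` (read a key from stdin), `mktemp` and `shred -u` are real commands; the function names and the `fetch_key_from_db` stand-in are assumptions.

```shell
#!/bin/bash
# Added example: hand a private key that exists only as a string to ssh
# without putting it on the command line or in shell history.
set -euo pipefail

# Stand-in for whatever retrieves the key (database lookup, secret store).
# The material below is a constructed placeholder, not a usable key.
fetch_key_from_db() {
    printf '%s\n' \
        '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'PLACEHOLDER-KEY-MATERIAL-NOT-A-REAL-KEY' \
        '-----END OPENSSH PRIVATE KEY-----'
}

# Read key material from stdin into a fresh file and print its path.
# mktemp creates the file 0600; the umask guards the directory case too.
write_key_file() {
    local path
    path=$(umask 077 && mktemp "${TMPDIR:-/tmp}/sshkey.XXXXXX")
    cat > "$path"
    printf '%s\n' "$path"
}

# Overwrite (where shred is available) and delete the key file.
# Plain rm only unlinks the name; the blocks may remain recoverable.
shred_key_file() {
    [ -f "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}

# Run one remote command with the key; the file is removed whether or
# not ssh succeeds, and ssh's exit status is preserved.
ssh_with_key_string() {
    local target=$1; shift
    local keyfile rc=0
    keyfile=$(fetch_key_from_db | write_key_file)
    ssh -i "$keyfile" -o IdentitiesOnly=yes "$target" "$@" || rc=$?
    shred_key_file "$keyfile"
    return "$rc"
}

# Alternative from the second answer: never touch disk, load the key into
# a running ssh-agent instead (ssh-add reads the key from stdin with "-").
load_key_into_agent() {
    fetch_key_from_db | ssh-add -
}

# Report a file's permission bits in octal (GNU stat, then BSD stat).
key_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage:
#   ssh_with_key_string user@hostname hostnamectl
#   eval "$(ssh-agent -s)" && load_key_into_agent && ssh user@hostname
```

Because the key reaches ssh through a file descriptor ssh opens itself, stdin stays connected to the terminal, which is why `-t` and interactive sessions keep working with this approach where the `/dev/stdin` trick fails.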