Batch script pass variable to stdin with git and ssh keys
I’m attempting to write a batch script to clone a bunch of repositories. My problem is that the user has a password-protected ssh key. So each time I run call git clone blah@blah/blah.git in my batch file I have to input the user’s password. I know I can get the password from them as set \p userpwd=[Enter ssh pwd] but how do I pass this to each call?
7 solutions collected from the web for “Batch script pass variable to stdin with git and ssh keys”
Here is a way to achieve the same effect, but with different steps than what you hinted in your question:
- Add your key with ssh-add (it will ask for the password, just once)
- Launch as many git clone <url> as you need
- Clean up
Step two will ask for a password, instead of using set /p. The following batch file is somewhat of a port of GitHub’s ssh key guidelines. I tested it with an ssh connection to gitorious, running git version 1.7.6.msysgit.0 under cmd.exe in Windows Vista.
```bat
@rem Do not use "echo off" to not affect any child calls.
@setlocal

@:: Find out where is git installed
@where git > __wheregit.txt
@:: Under XP, there is no where command. Use this (thanks to Raymond Chen)
@:: http://blogs.msdn.com/b/oldnewthing/archive/2005/01/20/357225.aspx
@:: (for %%e in (%PATHEXT%) do @for %%i in (git%%e) do @if NOT "%%~$PATH:i"=="" echo %%~$PATH:i) > __wheregit.txt

@:: Move it to an environment variable, we will need to manipulate the string
@set /p wheregit= <__wheregit.txt
@del __wheregit.txt
@:: Parse the full file name of git.cmd to find the path
@for /F "delims=" %%I in ("%wheregit:~0,-7%..") do @set git_install_root=%%~fI
@set PATH=%git_install_root%\bin;%git_install_root%\mingw\bin;%PATH%

@:: The keys are in the home directory.
@if not exist "%HOME%" @set HOME=%HOMEDRIVE%%HOMEPATH%
@if not exist "%HOME%" @set HOME=%USERPROFILE%

@:: Start ssh-agent, and save its output
@ssh-agent > __ssh-agent.out
@:: Parse the output and set environment vars needed by ssh-add
@FOR /F "eol=; tokens=1* delims=;" %%i in ('findstr /v echo __ssh-agent.out') do @set %%i
@del __ssh-agent.out

@:: Add the key to the agent (this will ask for the password).
@:: The path is quoted so that a home directory containing spaces still works.
@ssh-add "%HOME%\.ssh\id_rsa"

@:: Call git. When it's time to use the key, its password will be provided by ssh-agent
@:: Obviously you will put your git clone url here
@call git clone firstname.lastname@example.org:siaki-sso/siaki-sp.git
@call git clone email@example.com:siaki-sso/siaki-idp.git

@:: Kill ssh-agent
@ssh-agent -k
@endlocal
```
The best way to avoid typing in a passphrase for an ssh key every time it is needed is to use ssh-agent. Most Linux distributions start ssh-agent as part of the user session. To start using ssh-agent run ssh-add and type in the passphrase for your key once. When you run a command that uses ssh it will get the decrypted key from ssh-agent rather than prompting you for the passphrase. Some distributions even have a feature where it will store your passphrase in a keyring and set up ssh-agent for you as part of your login.
So as everyone else stated, using ssh-agent is the real recommended way to go here.
But if you really want to get your hands dirty scripting, and the password is the same across the keys/repos, you could make use of the special SSH_ASKPASS environment variable.
This lets you set the “program” to execute when SSH wants to prompt for a password. You could always just point it to some script on disk that just spits out the password you grabbed from the user at the beginning.
Basically take the user’s password, write it to a tmp file that will just echo it out, set the SSH_ASKPASS environment variable to that script and then proceed with your git/ssh operations.
See http://dovetail.com/forum/viewtopic.php?t=822 and http://git.661346.n2.nabble.com/SSH-ASKPASS-td2137400.html for related threads.
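The SSH_ASKPASS approach described above, as an added example that is not part of the original answer: here the helper script reads the passphrase from the environment at run time, so the secret is never written to the temp file, and it declines any prompt that is not a key-passphrase prompt. It assumes a UNIX-like shell (such as the bash shipped with Git for Windows) and OpenSSH 8.4 or later for SSH_ASKPASS_REQUIRE; the variable name SSH_KEY_PASSPHRASE and the function names are chosen for this example.

```sh
#!/bin/sh
# Added example: SSH_ASKPASS helper that keeps the passphrase off disk.
# Assumes OpenSSH 8.4+ (SSH_ASKPASS_REQUIRE); SSH_KEY_PASSPHRASE is a name chosen here.

# Create the helper in a private directory and print its path.
make_askpass() {
    dir=$(mktemp -d) || return 1    # mktemp -d creates the directory with mode 0700
    cat > "$dir/askpass.sh" <<'EOF'
#!/bin/sh
# ssh passes the prompt text as $1. Answer only key-passphrase prompts and
# refuse everything else (for example host-key confirmation).
case "$1" in
    *passphrase*) printf '%s\n' "$SSH_KEY_PASSPHRASE" ;;
    *) exit 1 ;;
esac
EOF
    chmod 700 "$dir/askpass.sh"
    printf '%s\n' "$dir/askpass.sh"
}

# Prompt once, without echo, and export the passphrase for the helper.
read_passphrase() {
    printf 'Enter ssh key passphrase: ' >&2
    stty -echo
    IFS= read -r SSH_KEY_PASSPHRASE
    stty echo
    printf '\n' >&2
    export SSH_KEY_PASSPHRASE
}

# Clone every URL given as an argument; ssh asks the helper instead of the terminal.
clone_all() {
    helper=$(make_askpass) || return 1
    trap 'rm -rf "$(dirname "$helper")"; unset SSH_KEY_PASSPHRASE' EXIT
    read_passphrase
    for url in "$@"; do
        SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force git clone "$url" || return 1
    done
}

if [ "$#" -gt 0 ]; then clone_all "$@"; fi
```

Because the helper refuses host-key confirmation prompts, the server's host key has to be in known_hosts before the script runs.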
Take a look at http://mah.everybody.org/docs/ssh. We were able to successfully use this with the Putty ssh client for Windows.
This will prevent the user from being prompted for a password. That would be better than passing the password on the call, imho.
Let’s see if I understand this correctly (I haven’t used git so forgive me if I am way off here). You need to pass a pw into a batch file command?
This is a pretty good explanation on piping inputs into .bat files which should allow you to auto input directions.
ssh-agent is nice, but for scripts I prefer OpenSSH’s ControlMaster mode: you can have your script connect once, leave it running in the background, and then have other ssh instances (including git, etc.) reuse that existing connection. This makes it possible for the user to only type the password once (when the control master is set up) even though multiple ssh commands are executed.
man ssh_config for details.
- Users don’t have to understand what ssh keys are or how
- Users don’t have to generate an ssh public/private key pair, which is important if the script will be run by many users. (Most people don’t understand ssh keys, so getting a large group of people to generate them is a tiring exercise.)
- Users don’t have to copy their public key to the remote server
- Users don’t have to remember to run
- Users don’t have to remember to run
- Depending on how it is configured, ssh-agent might time out the user’s keys part-way through the script; this won’t
- Only one TCP session is started, so it is much faster if the script connects over and over again (e.g., copying many small files one at a time)
- It’s more complicated to code up. My answer to a similar question contains some example UNIX shell code.
- It only facilitates additional connections to the same server (ssh-agent can be used to connect to many different servers)
- OpenSSH was designed to be used on UNIX-like systems; I don’t know if the ControlMaster feature works on Windows
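The ControlMaster flow described in this answer, as an added example that is not the answerer's own code: one master connection is authenticated once, each git clone attaches to its control socket, and the master is closed at the end. It assumes a UNIX-like shell, OpenSSH, and git 2.3 or later for GIT_SSH_COMMAND; the function names are chosen for this example, and the host and repository paths come from the caller.

```sh
#!/bin/sh
# Added example: authenticate once on a master connection, reuse it for every clone.
# Usage (arguments are supplied by the caller): script.sh user@host repo1.git repo2.git

# Create a private directory for the control socket and set CM_DIR / CM_SOCK.
make_socket_path() {
    CM_DIR=$(mktemp -d) || return 1    # mode 0700, so other users cannot reach the socket
    CM_SOCK="$CM_DIR/master.sock"
}

# Print the ssh command git should run so that it attaches to the master.
# BatchMode=yes makes ssh fail instead of prompting if the master has gone away.
git_ssh_command() {
    printf "ssh -S '%s' -o ControlMaster=no -o BatchMode=yes" "$CM_SOCK"
}

# $1 = user@host, remaining arguments = repository paths on that host.
clone_via_master() {
    target=$1; shift
    make_socket_path || return 1
    # -M: master mode, -S: control socket, -f: go to background after
    # authentication, -N: no remote command. The only prompt appears here.
    ssh -M -S "$CM_SOCK" -fN "$target" || { rm -rf "$CM_DIR"; return 1; }
    status=0
    for repo in "$@"; do
        GIT_SSH_COMMAND=$(git_ssh_command) git clone "$target:$repo" || { status=1; break; }
    done
    # Ask the master to exit, then remove the socket directory.
    ssh -S "$CM_SOCK" -O exit "$target"
    rm -rf "$CM_DIR"
    return "$status"
}

if [ "$#" -gt 1 ]; then clone_via_master "$@"; fi
```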
Add their public key to the authenticated hosts file on the server. You won’t need to worry about the prompt at all. — and use keys without pass phrases.