Matt Phillips

Reputation: 11519

Batch script pass variable to stdin with git and ssh keys

I'm attempting to write a batch script to clone a bunch of repositories. My problem is that the user has a password-protected ssh key. So each time I run call git clone blah@blah/blah.git in my batch file I have to input the user's password. I know I can get the password from them as set \p userpwd=[Enter ssh pwd], but how do I pass this to each call?

Upvotes: 2

Views: 5104

Answers (7)

Christopher Williams

Reputation: 2907

So as everyone else stated, using ssh-agent is the real recommended way to go here.

But if you really want to get your hands dirty scripting, and the password is the same across the keys/repos, you could make use of the special SSH_ASKPASS environment variable. This lets you set the "program" to execute when SSH wants to prompt for a password. You could always just point it to some script on disk that just spits out the password you grabbed from the user at the beginning.

Basically take the user's password, write it to a tmp file that will just echo it out, set the SSH_ASKPASS environment variable to that script and then proceed with your git/ssh operations.

See http://dovetail.com/forum/viewtopic.php?t=822 and http://git.661346.n2.nabble.com/SSH-ASKPASS-td2137400.html for related threads.

Upvotes: 1
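
An added example (not part of the answer above and not any project's own code) of the SSH_ASKPASS approach in POSIX shell, as run under Git Bash or a UNIX-like system. Here the helper script holds no secret and only echoes an environment variable, so the passphrase is never written to disk; KEY_PASSPHRASE and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: SSH_ASKPASS without writing the passphrase to disk.
# KEY_PASSPHRASE and all function names are hypothetical.

# Create the helper in a private directory (mktemp -d uses mode 0700).
# The file holds no secret: it echoes a variable inherited from this script.
make_askpass() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/askpass.sh" <<'EOF'
#!/bin/sh
printf '%s\n' "$KEY_PASSPHRASE"
EOF
    chmod 700 "$dir/askpass.sh"
    printf '%s\n' "$dir/askpass.sh"
}

# Prompt once, with terminal echo switched off while the user types.
read_passphrase() {
    printf 'Enter ssh key passphrase: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r KEY_PASSPHRASE
    stty echo 2>/dev/null
    printf '\n' >&2
    export KEY_PASSPHRASE
}

clone_all() {
    read_passphrase
    SSH_ASKPASS=$(make_askpass) || return 1
    # OpenSSH 8.4+ honours SSH_ASKPASS_REQUIRE=force. Older versions call the
    # helper only when DISPLAY is set and ssh has no controlling terminal.
    export SSH_ASKPASS SSH_ASKPASS_REQUIRE=force DISPLAY="${DISPLAY:-:0}"
    # Remove the helper and drop the secret however the script ends.
    trap 'rm -rf "$(dirname "$SSH_ASKPASS")"; unset KEY_PASSPHRASE' EXIT
    for url in "$@"; do
        git clone "$url" || return 1
    done
}

# Usage: sh clone-all.sh <url> [<url> ...]
[ "$#" -eq 0 ] || clone_all "$@"
```

The passphrase still lives in the script's environment while it runs, so other processes of the same user can read it; ssh-agent avoids that exposure.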

ixe013

Reputation: 10171

Here is a way to achieve the same effect, but with different steps than what you hinted at in your question:

  1. Start ssh-agent
  2. Add your key with ssh-add (it will ask for the password, just once)
  3. Launch as many git clone <url> as you need
  4. Clean up

Step two will ask for a password, instead of using set /p. The following batch file is somewhat of a port of github's ssh key guidelines. I tested it with an ssh connection to gitorious, running git version 1.7.6.msysgit.0 under cmd.exe in Windows Vista.

@rem Do not use "echo off" to not affect any child calls.
@setlocal

@:: Find out where git is installed
@where git > __wheregit.txt

@:: Under XP, there is no where command. Use this (thanks to Raymond Chen)
@:: http://blogs.msdn.com/b/oldnewthing/archive/2005/01/20/357225.aspx
@:: (for %%e in (%PATHEXT%) do @for %%i in (git%%e) do @if NOT "%%~$PATH:i"=="" echo %%~$PATH:i) > __wheregit.txt

@:: Move it to an environment variable, we will need to manipulate the string
@set /p wheregit= <__wheregit.txt
@del __wheregit.txt

@:: Parse the full file name of git.cmd to find the path
@for /F "delims=" %%I in ("%wheregit:~0,-7%..") do @set git_install_root=%%~fI
@set PATH=%git_install_root%\bin;%git_install_root%\mingw\bin;%PATH%

@:: The keys are in the home directory.
@if not exist "%HOME%" @set HOME=%HOMEDRIVE%%HOMEPATH%
@if not exist "%HOME%" @set HOME=%USERPROFILE%

@ ::start ssh-agent, and save its output
@ssh-agent > __ssh-agent.out

@ ::parse the output and set environment vars needed by ssh-add
@FOR /F "eol=; tokens=1* delims=;" %%i in ('findstr /v echo __ssh-agent.out') do @set %%i
@del __ssh-agent.out

@ ::add the key to the agent (this will ask for the password)
@ssh-add "%HOME%\.ssh\id_rsa"

@ ::Call git. When it's time to use the key, its password will be provided by ssh-agent
@ ::Obviously you will put your git clone url here
@call git clone [email protected]:siaki-sso/siaki-sp.git
@call git clone [email protected]:siaki-sso/siaki-idp.git

@ ::Kill ssh-agent
@ssh-agent -k

@endlocal

Upvotes: 2

Richard Hansen

Reputation: 54163

ssh-agent is nice, but for scripts I prefer OpenSSH's ControlMaster feature.

With ControlMaster mode, you can have your script connect once, leave it running in the background, and then have other ssh instances (including scp, rsync, git, etc.) reuse that existing connection. This makes it possible for the user to only type the password once (when the control master is set up) even though multiple ssh commands are executed.

Search for ControlMaster in man ssh_config for details.

Advantages over ssh-agent:

  • Users don't have to understand what ssh keys are or how ssh-agent works.
  • Users don't have to generate an ssh public/private key pair, which is important if the script will be run by many users. (Most people don't understand ssh keys, so getting a large group of people to generate them is a tiring exercise.)
  • Users don't have to copy their public key to the remote server
  • Users don't have to remember to run ssh-agent
  • Users don't have to remember to run ssh-add
  • Depending on how it is configured, ssh-agent might time out the user's keys part-way through the script; this won't
  • Only one TCP session is started, so it is much faster if the script connects over and over again (e.g., copying many small files one at a time)

Disadvantages:

  • It's more complicated to code up. My answer to a similar question contains some example UNIX shell code.
  • It only facilitates additional connections to the same server (ssh-agent can be used to connect to many different servers)
  • OpenSSH was designed to be used on UNIX-like systems; I don't know if the ControlMaster feature works on Windows

Upvotes: 0
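
An added example (not the answer author's code, which is not on this page) of the ControlMaster approach in POSIX shell on a UNIX-like system: the user authenticates once for the master connection and every git clone reuses its socket. The function names and host argument are hypothetical, and it assumes a git new enough to honour GIT_SSH_COMMAND (2.3 or later) with all URLs on the same server.

```shell
#!/bin/sh
# Added example: one authenticated master connection reused by every clone.
# The function names and the host argument are hypothetical.

# Keep the control socket in a private directory (mktemp -d uses mode 0700):
# any process able to open the socket can start sessions as this user.
make_control_path() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$dir/master.sock"
}

# Command line for the clients. ControlMaster=no makes them reuse the socket;
# BatchMode=yes makes them fail instead of prompting if the master is gone.
client_ssh_command() {
    printf "ssh -o ControlMaster=no -o ControlPath='%s' -o BatchMode=yes\n" "$1"
}

clone_via_master() {
    host=$1
    shift
    sock=$(make_control_path) || return 1
    # Close the master and delete the socket directory however the script ends.
    trap 'ssh -S "$sock" -O exit "$host" 2>/dev/null; rm -rf "$(dirname "$sock")"' EXIT
    # The only prompt happens here. -f backgrounds ssh after authentication,
    # -N runs no remote command.
    ssh -o ControlMaster=yes -o ControlPath="$sock" -fN "$host" || return 1
    GIT_SSH_COMMAND=$(client_ssh_command "$sock")
    export GIT_SSH_COMMAND
    for url in "$@"; do
        git clone "$url" || return 1
    done
}

# Usage: sh clone-via-master.sh <user@host> <url> [<url> ...]
[ "$#" -lt 2 ] || clone_via_master "$@"
```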

Zombian

Reputation: 1435

Let's see if I understand this correctly (I haven't used git so forgive me if I am way off here). You need to pass a pw into a batch file command? http://dos.rsvs.net/DOSPAGE/BATCHCOM.HTM#3
This is a pretty good explanation on piping inputs into .bat files which should allow you to auto input directions.

Upvotes: 0

Mark Drago

Reputation: 2068

The best way to avoid typing in a passphrase for an ssh key every time it is needed is to use ssh-agent. Most Linux distributions start ssh-agent as part of the user session. To start using ssh-agent, run ssh-add and type in the passphrase for your key once. When you run a command that uses ssh, it will get the decrypted key from ssh-agent rather than prompting you for the passphrase. Some distributions even have a feature where it will store your passphrase in a keyring and set up ssh-agent for you as part of your login.

Upvotes: 3

Robert S.

Reputation: 25294

Take a look at http://mah.everybody.org/docs/ssh. We were able to successfully use this with the Putty ssh client for Windows.

This will prevent the user from being prompted for a password. That would be better than passing the password on the call, imho.

Upvotes: 0

Adam Dymitruk

Reputation: 129584

Add their public key to the authenticated hosts file on the server. You won't need to worry about the prompt at all. --- and use keys without pass phrases.

Upvotes: -1
