Erlang's ssh client and password-protected private keys

fhunleth · July 19, 2017, 8:11pm

I was wondering how others handle password-protected private keys with Erlang’s ssh client (:ssh.connect/[3,4]). I’m currently passing the password in the clear with the :rsa_pass_phrase option to :ssh.connect/3. That’s not desirable to say the least.

It would be great if I could somehow use ssh-agent, but that doesn’t look possible with since the ssh_client_key_api API requires you to return decrypted private keys and not forward the negotiation steps. At least from my brief skim of the ssh-agent protocol, it won’t return a decrypted private key. That makes sense, though,

I may end up prompting for the password everytime the key is needed. From a workflow perspective, though, entering in a password is not great so I’m hoping for other options.

OvermindDL1 · July 19, 2017, 8:50pm

I usually get it from the environment or so. You have to get the password from ‘somewhere’, so it depends on where you are getting it from.

bbense · July 19, 2017, 9:27pm

I really wish the ssh library worked with both certs and ssh-agent, it’s kind of useless to me w/o that support. I guess I need to start looking at some code.

OvermindDL1 · July 19, 2017, 9:31pm

Make a library so it can, I bet others would love it too!

kenny-evitt · February 25, 2022, 6:58pm

I just ran into this myself and thought the original participants and anyone (like me) that’s since found this post might be interested to know that there is (now at least) an Erlang ssh_agent module:

Erlang – ssh_agent

Example usage (with the Elixir sshex package):

{:ok, ssh_conn} = SSHEx.connect(ip: ip_address, user: user, key_cb: {:ssh_agent, []})

It seems to work (for me anyways)!