Erlang's ssh client and password-protected private keys

I was wondering how others handle password-protected private keys with Erlang’s ssh client (:ssh.connect/[3,4]). I’m currently passing the password in the clear with the :rsa_pass_phrase option to :ssh.connect/3. That’s not desirable to say the least.

It would be great if I could somehow use ssh-agent, but that doesn’t look possible since the ssh_client_key_api API requires you to return decrypted private keys and not forward the negotiation steps. At least from my brief skim of the ssh-agent protocol, it won’t return a decrypted private key. That makes sense, though,

I may end up prompting for the password every time the key is needed. From a workflow perspective, though, entering in a password is not great so I’m hoping for other options.

3 Likes

I usually get it from the environment or so. You have to get the password from ‘somewhere’, so it depends on where you are getting it from.

1 Like

I really wish the ssh library worked with both certs and ssh-agent, it’s kind of useless to me w/o that support. I guess I need to start looking at some code.

2 Likes

Make a library so it can, I bet others would love it too! 🙂

4 Likes

I just ran into this myself and thought the original participants and anyone (like me) that’s since found this post might be interested to know that there is (now at least) an Erlang ssh_agent module:

Example usage (with the Elixir sshex package):

{:ok, ssh_conn} = SSHEx.connect(ip: ip_address, user: user, key_cb: {:ssh_agent, []})

It seems to work (for me anyways)!

8 Likes
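The options raised in this thread, combined in one place as an added example (not code from any poster, from sshex, or from OTP): prefer the `:ssh_agent` key callback when an agent socket is available, otherwise take the passphrase from the environment instead of the source. The module name `SshOpts`, the variable name `SSH_KEY_PASSPHRASE` and the host `host.example` are assumptions made for the example, and it needs an OTP release that ships the `ssh_agent` module.

```elixir
defmodule SshOpts do
  # Hypothetical environment variable name, chosen for this example only.
  @pass_env "SSH_KEY_PASSPHRASE"

  # Builds the option list for :ssh.connect/3.
  # Returns {:ok, opts} or {:error, :no_agent_or_passphrase}.
  def build(user, env \\ System.get_env()) do
    base = [
      user: String.to_charlist(user),
      # Fail instead of prompting on the terminal.
      user_interaction: false,
      # Keep host key verification against known_hosts enabled.
      silently_accept_hosts: false
    ]

    sock = env["SSH_AUTH_SOCK"]
    pass = env[@pass_env]

    cond do
      is_binary(sock) and File.exists?(sock) ->
        # The agent holds the key and performs the signing, so no
        # passphrase is handed to the ssh application at all.
        agent_opts = [socket_path: String.to_charlist(sock)]
        {:ok, base ++ [key_cb: {:ssh_agent, agent_opts}]}

      is_binary(pass) and pass != "" ->
        # Fallback: the passphrase comes from the process environment,
        # so it stays out of source control and config files.
        {:ok, base ++ [rsa_pass_phrase: String.to_charlist(pass)]}

      true ->
        {:error, :no_agent_or_passphrase}
    end
  end

  # Connects to host on port 22 using whichever credential source is available.
  def connect(host, user) do
    with {:ok, opts} <- build(user),
         :ok <- :ssh.start() do
      :ssh.connect(String.to_charlist(host), 22, opts)
    end
  end
end

# Usage: SshOpts.connect("host.example", "deploy")
```

With the environment fallback the passphrase is still readable by anything that can inspect the process environment, so the agent path is the one that avoids exposing it to the BEAM.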