scripted Private key without blank password

Advertisement

Mike@inn
Guest

scripted Private key without blank password

Hi,
I am trying to automate an ftp transfer and I can't find a way to pass the private key password into the command line. I've check the site and FAQ and all I can find is use a blank passphrase or use an authentication program.
The problem with an authentication program is that if the power goes out and the computer reboots some one would have to go out there and re-type in the passphrase locally.
The problem with a blank passphrase is that my sFTP server doesn't accept a blank passphrase and, according to puttygen, there is no encryption on the private key if there is no password so it is sent in the clear.
I trust the physical security of the machine but I don't trust the internet to send a clear-text private key. Is there any way to pass through the private key passphrase automatically?

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
40,476
Location:
Prague, Czechia

Re: scripted Private key without blank password

Mike@inn wrote:

The problem with a blank passphrase is that my sFTP server doesn't accept a blank passphrase
That's nonsense. The server does not care (even does not know) how you keep the key stored on your machine.

and, according to puttygen, there is no encryption on the private key if there is no password so it is sent in the clear.
That's also not true. I do not even think anything like that is mentioned in the puttygen doc. Again the way you keep key stored on your machine does not have any impact on the way the key is transferred. Also only public part of the key is transferred (which is not stored encrypted anyway, even if you use passphrase). Privite part never leaves your local computer. So there's no risk.

Reply with quote

Guest

Re: scripted Private key without blank password

It turns out the must have password was a setting on my server. As for the encryption thats said in the private key itself.
From one with a password:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: rsa-key-20080609

from one without a password:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20080611

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
40,476
Location:
Prague, Czechia

Re: scripted Private key without blank password

It turns out the must have password was a setting on my server.
Account password is not the same as key passphrase.

As for the encryption thats said in the private key itself.
I'm not here to explain you how public key authentication works, but only shortly:
The ppk file consists of two parts, public key file and private key file. Public key is stored unencrypted, whether you use passphrase or not. Private key is encrypted only if you use passphrase. When authenticating, only the public key is sent via internet. Being PUBLIC, it does not matter if ANYONE gets an access to it.

If you do not believe, well that's your problem.

But you can try simple test. Make new encrypted key, that you do not tell the server about. Try to authenticate using it. You will get message "server refused our key", without ever being asked for passphrase... How this is possible? Because what I wrote above is true. WinSCP can read the public part of the key, which is used for the authentication, without passphrase, even though the key is encrypted. Because the public part is not! And the server can verify your public key, even before WinSCP tries to decode the private part (for what it would need passphrase if the key is encrypted). So it does not even know, if you have the private key encrypted. It can hardly require the key to be encrypted, if it cannot tell whether it is.

Reply with quote

Guest

Calm down, its not that I don't believe you its that I didn't understand. I thought the private key was sent.
Thanks for your help.

Reply with quote

Advertisement

You can post new topics in this forum