I have cloned my git repository over ssh. So, each time I communicate with the origin master by pushing or pulling, I have to reenter my passphrase. How can I configure git so that I do not need to enter my passphrase multiple times?

Update: I should have said "password" instead of "passphrase".

+4  A: 

This is about configuring ssh, not git. If you haven't already, you should use ssh-keygen (with a blank passphrase) to create a key pair. Then, you copy the public key to the remote destination with ssh-copy-id. Unless you have need of multiple keys (e.g. a more secure one with a passphrase for other purposes) or you have some really weird multiple-identity stuff going on, it's this simple:

```
ssh-keygen   # enter a few times to accept defaults
ssh-copy-id -i ~/.ssh/id_rsa user@host
```

Edit: You should really just read DigitalRoss's answer, but: if you use keys with passphrases, you'll need to use ssh-add <key-file> to add them to ssh-agent (and obviously start up an ssh-agent if your distribution doesn't already have one running for you).

Jefromi
I'm not sure this answers the question, he must have already done that or he would not be able to reach the site. The answer he needs is: `ssh-agent`, as he wants to bypass the enter-the-passphrase-every-time problem. Not downvoting but I think you need to improve this answer, unless I'm the one that misunderstood...
DigitalRoss
@DigitalRoss: Ah, I wasn't sure from reading the question if the OP actually had the keys set up. You're probably right though, and I was deliberately trying to suggest not using a passphrase. However, you're of course right about `ssh-agent`. +1 to you!
Jefromi
I am confused whether I need to use ssh-keygen or ssh-add. In my ~/.ssh/ directory I only have two files: config and known_hosts. It seems that ssh-add requires another file ~/.ssh/id_rsa. Should I create that file first using ssh-keygen as @Jefromi explained?
reprogrammer
Yes, you need to create the key before you can copy it to the remote server. I think perhaps we were confused by your use of the word "passphrase" - that's what `ssh-*` calls the passphrase needed to make use of the key - where you really meant your actual user password on the remote?
Jefromi
Yes, I should have said password instead of passphrase.
reprogrammer
You should be okay now then, right? Use ssh-keygen and ssh-copy-id as I described above. Or give a passphrase if you're really worried about security, and use ssh-agent, looking at DigitalRoss' answer.
Jefromi
Yes, you should have said password, which is an authentication method, rather than passphrase, which meant that you had an encrypted private key. In the former case it's the server asking, in the latter case it's your client. It's considered unprofessional to use a null passphrase private key; if you do, it's like leaving a password around that works on every instance out there of your public key.
DigitalRoss
+5  A: 

Try ssh-add, you need ssh-agent to be running and holding your private key

(Ok, responding to the updated question, you first run ssh-keygen to generate a public and private key as Jefromi explained. You put the public key on the server. You should use a passphrase; if you don't, you have the equivalent of a plain-text password in your private key. But if you do, then you need as a practical matter ssh-agent as explained below.)

You need to be running ssh-agent in the background when you log in, and then the first time you log in, run ssh-add to give the agent your passphrase. All ssh-family commands will then consult the agent and automatically be able to use your private key.

On GNOME and KDE systems, ssh-agent is probably already launched automatically for you. I will go through the details in case, like me, you also have a Cygwin or other windows environment where this most certainly is not done for you.

Start here: man ssh-agent.

There are a multitude of ways to automatically run the agent. As the man page explains, you can either run it so that it is a parent of all the other processes and arrange for the environment variables it provides (for interprocess contact) to automatically be in all child environments, or you can run the agent as an ordinary child, save the environment settings in a file, and source that file in every shell when they start.

My Ubuntu install automatically did the agent launch setup, so all I had to do was run ssh-add once every time I reboot. Try running ssh-agent and see if it works, if so, then you just need to do that once per reboot.

My Cygwin system needed it done manually, so I did this in my .profile and I have .bashrc source .profile:

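```
# Load the saved agent environment, if the file exists yet
. ~/.agent > /dev/null 2>&1
# If no agent with that PID is running, start one and save its environment
ps -p "$SSH_AGENT_PID" 2>/dev/null | grep ssh-agent > /dev/null || {
        ssh-agent > ~/.agent
        . ~/.agent > /dev/null
}
```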

The .agent file is created automatically by the script; it contains the environment variables definitions and exports. The above tries to source the .agent file, and then tries to ps(1) the agent. If it doesn't work it starts an agent and creates a new agent file. You can also just run ssh-add and if it fails start an agent.

DigitalRoss
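Added example (not part of any answer on this page): the answers and comments above turn on whether a private key is stored with a passphrase. This Python sketch classifies a key file's text by reading the cipher name in the OpenSSH key header, or the encryption markers of legacy PEM and PKCS#8 keys; the sample keys are constructed header-only stubs and the function names are this example's own.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # header of the current OpenSSH private key format


def key_protection(text):
    """Classify a private key file's text: 'unencrypted', 'encrypted' or 'unknown'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return "unknown"
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = "".join(ln for ln in lines if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return "unknown"
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return "unknown"
        # The first field after the magic is a length-prefixed cipher name.
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        if len(cipher) != n:
            return "unknown"
        # A blank passphrase is recorded as cipher "none".
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM and PKCS#8 keys mark encryption in the armor line or its headers.
    if "ENCRYPTED" in lines[0] or any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
        return "encrypted"
    return "unencrypted"


def constructed_openssh_header(cipher, kdf):
    """Build a header-only sample file (constructed, contains no key material)."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + field(cipher) + field(kdf) + field(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(key_protection(constructed_openssh_header(b"none", b"none")))          # blank passphrase
    print(key_protection(constructed_openssh_header(b"aes256-ctr", b"bcrypt")))  # passphrase set
```

Passing `key_protection` the text of each file in `~/.ssh` shows which keys are stored without a passphrase.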
+3  A: 

Hello,

I think there are two different things here. The first one is that normal SSH authentication requires the user to put the account's password (where the account password will be authenticated against different methods, depending on the sshd configuration).

You can avoid putting that password using certificates. With certificates you still have to put a password, but this time it is the password of your private key (that's independent of the account's password).

To do this you can follow the instructions pointed out by steveth45:

With Public Key Authentication.

If you want to avoid putting the certificate's password every time then you can use ssh-agent, as pointed out by DigitalRoss:

The exact way you do this depends on Unix vs Windows, but essentially you need to run ssh-agent in the background when you log in, and then the first time you log in, run ssh-add to give the agent your passphrase. All ssh-family commands will then consult the agent and automatically pick up your passphrase.

Start here: man ssh-agent.

The only problem of ssh-agent is that, on *nix at least, you have to put the certificate's password on every new shell. And then the certificate is "loaded" and you can use it to authenticate against an ssh server without putting any kind of password. But this is on that particular shell.

With keychain you can do the same thing as ssh-agent but "system-wide". Once you turn on your computer, you open a shell and put the password of the certificate. And then, every other shell will use that "loaded" certificate and your password will never be asked again until you restart your PC.

Gnome has a similar application, called Gnome Keyring that asks for your certificate's password the first time you use it and then it stores it securely so you won't be asked again.

Gastón
I use **keychain** myself: very useful.
Jakub Narębski