dotwaffle / rancid-git

DEPRECATED -- Strongly consider using the upstream, the version here is very out of date and a poor place to start from!
http://www.shrubbery.net/rancid/

Git commit when SSH key has password #34

Closed mhite closed 9 years ago

mhite commented 10 years ago

Hopefully I'm not blind, but is there a way for git-rancid to use an SSH key password when performing a commit to github.com?

dotwaffle commented 10 years ago

There isn't, no. The only way I can see of doing this is to run gpg-agent and cache the passphrase in there.

Does that help?

mhite commented 10 years ago

Ok, thanks for the confirmation! I actually set a passphrase on my SSH key used to log into switches, and rancid itself supports this fine through the "add passphrase" directive in .cloginrc. However, when it comes time to commit the detected changes, git bombs out because no passphrase is supplied.

I removed the passphrase for the time being, but it's certainly something to think about implementing if possible.

dotwaffle commented 10 years ago

Ok, I'll keep it as an active issue then. Not entirely sure how to implement it, but that's part of the fun ;)

mhite commented 10 years ago

Great -- thanks!

K0HAX commented 9 years ago

I would argue: what is the point of having a passphrase if it has to be in clear text in a configuration file the user you're worrying about has access to?

dotwaffle commented 9 years ago

The primary purpose of a key isn't that you don't have to remember a password, it's that your system can only be logged into by something far stronger than a password. However many passwords you set, they're not going to be as strong as a decently strong key. Ultimately, it's also easier to manage keys -- but it's far harder to audit how secure they are, precisely because people can remove passphrases from them.

Hope that helps.

dotwaffle commented 9 years ago

Ok, so after some serious thought about this, I'm going to reject this issue.

Either the ssh key should not have a passphrase or git itself should be configured with a credential cache. This isn't a rancid issue unfortunately and is more an implementation issue.

Sorry for the delay in getting around to this!
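The agent-caching approach mentioned earlier in the thread, written out as an added example; this is not rancid-git's or rancid's own code and was not part of the original issue. It uses OpenSSH's ssh-agent (gpg-agent started with --enable-ssh-support fills the same role): the operator loads the passphrase-protected key into a long-lived agent once after each boot, and the unattended rancid cron job attaches to that agent's socket. Nothing is written to a configuration file, which is the point K0HAX raises; the passphrase lives only in the agent's memory. The socket path, key path and script name are assumptions, as is a git new enough to honour GIT_SSH_COMMAND (2.3 or later).

```shell
#!/bin/sh
# Added example for the rancid-git issue above; not rancid-git's or rancid's
# own code. A passphrase-protected key is loaded once into a persistent
# ssh-agent; the rancid cron job reuses that agent via a fixed socket. If the
# key is not loaded (reboot, agent restart) the job fails immediately instead
# of letting git hang on a passphrase prompt.
#
# Assumed paths, not from the original thread:
#   AGENT_SOCK  fixed agent socket so cron jobs can find the agent
#   RANCID_KEY  private key rancid-git pushes with (RANCID_KEY.pub beside it)
set -u

AGENT_SOCK="${AGENT_SOCK:-${HOME:-.}/.ssh/rancid-agent.sock}"
RANCID_KEY="${RANCID_KEY:-${HOME:-.}/.ssh/id_rancid}"

# True when an agent answers on AGENT_SOCK. ssh-add -l exits 2 only when it
# cannot reach an agent; exit 1 just means "no identities loaded yet".
agent_running() {
    rc=0
    SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Start a long-lived agent bound to the fixed socket (idempotent). Its
# environment is saved beside the socket so stop_agent can kill it later.
start_agent() {
    if agent_running; then
        return 0
    fi
    rm -f "$AGENT_SOCK"
    ssh-agent -s -a "$AGENT_SOCK" > "$AGENT_SOCK.env"
}

stop_agent() {
    # The saved env file exports SSH_AGENT_PID, which ssh-agent -k needs.
    . "$AGENT_SOCK.env" >/dev/null
    ssh-agent -k >/dev/null
    rm -f "$AGENT_SOCK" "$AGENT_SOCK.env"
}

# One-time, interactive: the operator types the passphrase here. Nothing is
# written to disk; the decrypted key exists only inside the agent process.
load_key() {
    SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add "$RANCID_KEY"
}

# True when the agent currently holds RANCID_KEY, matched by fingerprint.
key_loaded() {
    fp=$(ssh-keygen -lf "$RANCID_KEY.pub" | awk '{print $2}')
    SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -l 2>/dev/null | grep -qF -- "$fp"
}

# Run a command (normally rancid-run) with the agent attached. BatchMode=yes
# stops ssh from ever falling back to an interactive passphrase prompt, so a
# missing key is a clean failure that shows up in the cron mail.
# GIT_SSH_COMMAND needs git 2.3 or later.
run_with_agent() {
    if ! key_loaded; then
        echo "key $RANCID_KEY is not loaded in the agent on $AGENT_SOCK; run the load step first" >&2
        return 1
    fi
    SSH_AUTH_SOCK="$AGENT_SOCK" GIT_SSH_COMMAND="ssh -o BatchMode=yes" "$@"
}

# Typical use (script name assumed):
#   ./rancid-agent.sh start              at boot, e.g. an @reboot crontab line
#   ./rancid-agent.sh load               once per boot, interactively
#   ./rancid-agent.sh run rancid-run     the regular rancid cron entry
case "${1:-}" in
    start) start_agent ;;
    stop)  stop_agent ;;
    load)  load_key ;;
    run)   shift; run_with_agent "$@" ;;
esac
```

Two caveats. Someone has to run the load step after every reboot, which is the price of not storing the passphrase anywhere; `ssh-add -t <seconds>` can bound how long the decrypted key stays in the agent if that exposure matters more than unattended uptime. And git's credential cache, the other option named in the closing comment, only applies to HTTP(S) remotes: for an ssh:// or git@github.com: remote, the agent is the only place an SSH key passphrase can be cached.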