Install
openclaw skills install @agilebuilder/ssh-remoteConnect to remote Linux servers through SSH and execute commands non-interactively. Covers password authentication, key authentication, file transfer, and cross-platform usage on Windows with Git Bash, macOS, and Linux. Use when the user needs remote server login or remote command execution.
openclaw skills install @agilebuilder/ssh-remoteYou are an SSH remote connection assistant. Help users connect to remote servers and execute commands in non-interactive terminal environments.
sshpass, expect, or similar tools.known_hosts.StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null are only suitable for one-off automation, temporary test environments, or cases where the user explicitly accepts the risk. They skip host identity verification and expose the connection to man-in-the-middle risk.
Production defaults should use safe mode:
ssh root@SERVER_IP "hostname"
For first-time production connections, ask the user to confirm the host fingerprint or add the host key to ~/.ssh/known_hosts first:
ssh-keyscan -H SERVER_IP >> ~/.ssh/known_hosts
ssh root@SERVER_IP "hostname"
Only use host-key bypass options when the user explicitly requests temporary non-interactive access, or when the current environment cannot maintain known_hosts and the user accepts the risk.
| Option | Dependency | Platforms | Recommended For |
|---|---|---|---|
| SSH_ASKPASS | Built-in OpenSSH | Cross-platform | One-off tasks and automation |
| SSH key | Built-in OpenSSH | Cross-platform | Long-term secure access |
| sshpass | Requires install | Linux/macOS | Quick command-line access |
| Plink (PuTTY) | Requires install | Windows | Native Windows environments |
SSH checks for a TTY when it needs a password. If no TTY is available, it can call the script pointed to by SSH_ASKPASS. Create a temporary script that prints the password, use it once, then delete it.
cat > /tmp/ssh_pass.sh << 'SCRIPT'
#!/bin/bash
echo 'YOUR_PASSWORD'
SCRIPT
chmod 700 /tmp/ssh_pass.sh
export SSH_ASKPASS=/tmp/ssh_pass.sh
export DISPLAY=dummy:0
ssh -o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
root@SERVER_IP "hostname"
rm -f /tmp/ssh_pass.sh
Important parameters:
| Parameter | Purpose |
|---|---|
-o StrictHostKeyChecking=no | Skip first-connection confirmation for temporary automation, with security risk |
-o UserKnownHostsFile=/dev/null | Do not write to known_hosts for temporary automation, with security risk |
DISPLAY=dummy:0 | Required to trigger SSH_ASKPASS; the value can be arbitrary |
Reusable helper:
ssh-auto() {
local HOST="$1"
local PASS="$2"
local CMD="${3:-}"
cat > /tmp/.sp$$.sh << SCRIPT
#!/bin/bash
echo '$PASS'
SCRIPT
chmod 700 /tmp/.sp$$.sh
SSH_ASKPASS=/tmp/.sp$$.sh DISPLAY=dummy:0 \
ssh -o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
root@"$HOST" "$CMD"
rm -f /tmp/.sp$$.sh
}
Generate a key if needed:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N "" -C "auto-deploy"
Upload the public key when password access is available:
cat > /tmp/ssh_pass.sh << 'SCRIPT'
#!/bin/bash
echo 'SERVER_PASSWORD'
SCRIPT
chmod 700 /tmp/ssh_pass.sh
SSH_ASKPASS=/tmp/ssh_pass.sh DISPLAY=dummy:0 \
ssh -o StrictHostKeyChecking=no root@SERVER_IP \
"mkdir -p ~/.ssh && echo '$(cat ~/.ssh/id_ed25519.pub)' >> ~/.ssh/authorized_keys"
rm -f /tmp/ssh_pass.sh
Then connect without a password:
ssh root@SERVER_IP "COMMAND"
sshpass -p 'YOUR_PASSWORD' ssh -o StrictHostKeyChecking=no root@SERVER_IP "COMMAND"
Passwords may appear in process listings such as ps aux; avoid this in production.
plink -batch -pw "YOUR_PASSWORD" root@SERVER_IP "COMMAND"
Run a single command:
ssh -o StrictHostKeyChecking=no root@IP "uptime && df -h"
Write a remote file with a heredoc:
ssh -o StrictHostKeyChecking=no root@IP 'cat > /path/to/file' << 'REMOTE_EOF'
line one
line two ${VAR} is not expanded locally
REMOTE_EOF
Upload a file:
scp -o StrictHostKeyChecking=no local-file.txt root@IP:/remote/path/
Download a file:
scp -o StrictHostKeyChecking=no root@IP:/remote/file.txt ./local/
| Issue | Cause | Fix |
|---|---|---|
Host key verification failed | Missing or changed known_hosts entry | Verify the host key, or use temporary bypass options only when appropriate |
setsid: command not found | Windows Git Bash does not include it | Use SSH_ASKPASS directly; setsid is not required |
Password contains $ or ! | Shell expansion | Use quoted heredocs such as << 'SCRIPT' |
| debconf warnings | No TTY during apt operations | Usually harmless, or set DEBIAN_FRONTEND=noninteractive |
$VAR expands inside heredoc | Unquoted heredoc marker | Use << 'EOF' instead of << EOF |
Permission denied (publickey) | Password login disabled | Enable PasswordAuthentication yes on the server or use a key |
rm -f /tmp/ssh_pass.sh.chmod 700 for temporary password scripts.echo "OS: $(uname -s)"
which ssh && echo "OpenSSH available" || echo "No SSH"
which ssh-keygen && echo "ssh-keygen available" || echo "No ssh-keygen"
which sshpass 2>/dev/null && echo "sshpass installed" || echo "sshpass not installed"
which plink 2>/dev/null && echo "plink installed" || echo "plink not installed"