标签:shell ssh ssh-keys ssh-agent linux
我在应用程序中使用ssh命令运行shell脚本.使用的私钥通过密码短语加密,问题是-当询问时我无法交互传递它.ssh-agent中未添加密钥.我无法执行ssh-add my_key,因为该密码短语应该以交互方式传递.这对终端通信很有用,但在内部应用程序中却不太好用.
手册页显示:
DISPLAY and SSH_ASKPASS
If ssh-add needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal.
If ssh-add does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the
program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This is particularly useful when
calling ssh-add from a .xsession or related script. (Note that on some machines it may be necessary to redirect
the input from /dev/null to make this work.)
当我执行SSH_ASKPASS = file_with_passphrase ssh-add my_key时,我仍然要求输入密码,看起来env var在这种情况下只是被忽略了.我尝试执行ssh -o BatchMode = yes,并且服务器只是拒绝了编码密钥,因为没有人能够对其进行解码.
我肯定可以在ssh-agent中使用它之前手动解码ssh密钥,但是看起来我即将从SSH_ASKPASS变量中获得所需的信息,但是我不知道如何使它起作用.很高兴获得社区的帮助.
解决方法:
因此,实际上有些事情对于您要尝试的事情很重要:
>必须设置显示
>它不能与终端关联
>在某些机器上,可能需要从/ dev / null重定向输入(我的就是其中之一).
> SSH_ASKPASS必须包含一个在stdout上输出密码的可执行文件.
因此,举一个使它工作的例子(对我来说,我猜也应该在其他Linux上工作):
创建虚拟密钥:
ssh-keygen -t rsa -C se-so-38354773 -f /tmp/se-so-38354773.key -N 'se-so-38354773-pp'
创建askpass脚本以回显密码文件:
cat > /tmp/se-so-38354773-askpass <<EOF
#!/usr/bin/env bash
echo "${0}:${@} : this is for debugging to see if the echo script runs" 1>&2
echo "se-so-38354773-pp"
EOF
chmod +x /tmp/se-so-38354773-askpass
我将此文件放在/ tmp /中-但这对安全性没有好处,除非您在写入文件之前也更改了该文件的权限以确保其他人都无法读取(或设置umask).
然后,您可以执行ssh-add,如下所示:
DISPLAY=":0.0" SSH_ASKPASS="/tmp/se-so-38354773-askpass" setsid ssh-add /tmp/se-so-38354773.key </dev/null
如果有一个setid,它将与您的终端分离-尽管我的计算机上不需要该setid-但是,是的,我认为在其他情况下可能需要它.
完成测试后,请清理:
ssh-add -d /tmp/se-so-38354773.key
rm /tmp/se-so-38354773*
我的计算机上的示例输出:
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$ssh-keygen -t rsa -C se-so-38354773 -f /tmp/se-so-38354773.key -N 'se-so-38354773-pp'
Generating public/private rsa key pair.
Your identification has been saved in /tmp/se-so-38354773.key.
Your public key has been saved in /tmp/se-so-38354773.key.pub.
The key fingerprint is:
SHA256:s+jVUPEyb2DzRM5y+Hm3XDzVRREKn5yU2d0hk61hIQ0 se-so-38354773
The key's randomart image is:
+---[RSA 2048]----+
| .E+=B=O|
| B*B*o=|
| X B*o o|
| o % o ..|
| S * ..+|
| . = . ...+|
| . o . o |
| . . |
| . |
+----[SHA256]-----+
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$cat > /tmp/se-so-38354773-askpass <<EOF
> #!/usr/bin/env bash
> echo "${0}:${@} : this is for debugging to see if the echo script runs" 1>&2
> echo "se-so-38354773-pp"
> EOF
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$chmod +x /tmp/se-so-38354773-askpass
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$DISPLAY=":0.0" SSH_ASKPASS="/tmp/se-so-38354773-askpass" setsid ssh-add /tmp/se-so-38354773.key </dev/null
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$
bash: : this is for debugging to see if the echo script runs
Identity added: /tmp/se-so-38354773.key (/tmp/se-so-38354773.key)
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$ssh-add -d /tmp/se-so-38354773.key
Identity removed: /tmp/se-so-38354773.key (se-so-38354773)
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$rm /tmp/se-so-38354773*
标签:shell,ssh,ssh-keys,ssh-agent,linux 来源: https://codeday.me/bug/20191118/2027999.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。