
linux – How can I decrypt an encrypted container over ssh without typing a password, while still requiring some client authentication?

Author: Internet

I log in to a server with public-key authentication and then mount a container (using e.g. LUKS / dm-crypt or truecrypt). Currently I have to type the container password by hand. Is there a way to protect the container using e.g. the ssh agent? Or, if that is not directly possible, could I encrypt the container password (or better, a key file) with the ssh public key and decrypt it temporarily using the ssh agent?

Solution:

I did something similar with a remote encfs in which I stored backups from my local PC. Maybe this will help. I was using Ubuntu and gnome-keyring at the time.

dbus_session.sh

#!/bin/bash
# This will grab the appropriate environment variables to connect to the
# gnome-keyring via dbus for the currently logged in user
# shouldn't be necessary if you're running from an xterm in gnome
# eval runs the generated "export VAR=value" lines in the current shell,
# one per line, instead of handing all of them to a single command
eval "$(sed 's/^\([^#]\)/export \1/' ~/.dbus/session-bus/*-0 | grep -v '^#')"

keyring_helper.py

#!/usr/bin/python
import sys
import keyring  # the poster's own keyring.py wrapper (listed below), not the PyPI package


def usage():
    print("Usage: keyring_helper.py get|set name server protocol [password]")
    sys.exit(1)


if len(sys.argv) < 5:
    usage()

cmd, name, server, protocol = sys.argv[1:5]
k = keyring.Keyring(name, server, protocol)

if cmd == "get":
    c = k.get_credentials()
    print(c[1])  # c is (name, password); only the password goes to stdout
elif cmd == "set":
    if len(sys.argv) < 6:
        usage()  # "set" also needs the password argument
    k.set_credentials((name, sys.argv[5]))
else:
    usage()

keyring.py

backup.sh

#!/bin/bash
. "$(dirname "$0")"/dbus_session.sh
cd /home/mike/misc/scripts || exit 1

# Quote the remote command so ~ is expanded on polaris, not locally
if ssh polaris 'mountpoint -q ~/mnt/'; then
  echo 1>&2 Filesystem already mounted.
  exit 1
fi

# Take password from gnome-keyring and store in FIFO on polaris
# (~/passwd on polaris must be a FIFO created with mkfifo during setup;
# cat blocks here until encfs opens the other end)
./keyring_helper.py get mike polaris enc_backups 2>/dev/null | ssh polaris 'cat >~/passwd' &

# Mount the encrypted filesystem; --extpass=cat makes encfs read the
# passphrase from its stdin, which is the FIFO
ssh polaris 'nice -n 19 encfs -f -i 5 --extpass=cat ~/enc_backups/ ~/mnt/ <~/passwd' &

# Wait (up to about 15 s) for the mount to complete; POSIX arithmetic so it
# also works when the remote login shell is not bash
ssh polaris 'I=0; while ! mountpoint -q ~/mnt/; do I=$((I+1)); if [ "$I" -gt 15 ]; then exit 1; fi; sleep 1; done'

if [ $? -ne 0 ]; then
  echo 1>&2 Mount failed.
  exit 2
fi

# Transfer data
rsync -az --delete --bwlimit 45 ~/misc /array/Dropbox/documents /array/pictures polaris:mnt/

# Unmount the encrypted filesystem
ssh polaris fusermount -u mnt

# Wait for child processes to exit
wait

Initial setup is fairly simple: run mkfifo passwd on the remote server and keyring_helper.py set <name> <server> <protocol> on the desktop. Once that's done, your desktop should write your password from the keyring into the FIFO, and the remote truecrypt process will read it via stdin.
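As an added example, not part of the original answer: the hand-off above depends on ~/passwd on the server really being a FIFO. If mkfifo was never run, or the file was replaced by a regular file, cat >~/passwd silently leaves the passphrase on disk in plaintext, and a FIFO that is readable by other local users lets one of them read the passphrase before encfs does. The script below, written for this page, models the exchange locally: the writer thread stands in for the desktop side (keyring_helper.py get ... | ssh polaris 'cat >~/passwd'), the reader for the server side (encfs --extpass=cat ... <~/passwd), and the sink is checked before anything is written. The function names, the temporary directory and the sample passphrase are constructed for the example.

```python
#!/usr/bin/env python3
# Added example for this page, not code from the original answer.
# Models the FIFO passphrase hand-off locally: write_secret() stands in for the
# desktop side ("keyring_helper.py get ... | ssh polaris 'cat > ~/passwd'") and
# read_secret() for the server side ("encfs --extpass=cat ... < ~/passwd").
# Before writing, the sink is checked so the passphrase never lands in a regular
# file or in a FIFO that other users can open. Names and sample values are constructed.
import os
import stat
import tempfile
import threading


def prepare_fifo(path):
    """Create the FIFO owner-only, as `mkfifo -m 600 passwd` would."""
    os.mkfifo(path, 0o600)
    os.chmod(path, 0o600)  # enforce 0600 regardless of the caller's umask
    return path


def check_fifo(path):
    """Raise unless `path` is a FIFO we own that nobody else can open.

    lstat is used so a symlink planted at the path is rejected rather than
    followed; a regular file would keep the secret on disk after the run.
    """
    st = os.lstat(path)
    if not stat.S_ISFIFO(st.st_mode):
        raise RuntimeError(f"{path}: not a FIFO, refusing to write a secret there")
    if st.st_uid != os.getuid():
        raise RuntimeError(f"{path}: FIFO is owned by uid {st.st_uid}, not us")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError(f"{path}: FIFO is accessible to group/other")


def is_safe_sink(path):
    """True if check_fifo() accepts the path, False if writing there would be refused."""
    try:
        check_fifo(path)
        return True
    except (RuntimeError, FileNotFoundError):
        return False


def write_secret(path, secret):
    """Producer: hand the passphrase over, newline-terminated like `cat` output."""
    check_fifo(path)
    with open(path, "wb") as fifo:  # open() blocks until the consumer opens its end
        fifo.write(secret + b"\n")


def read_secret(path):
    """Consumer: read one line from the FIFO, as `--extpass=cat` reads its stdin."""
    with open(path, "rb") as fifo:
        return fifo.readline().rstrip(b"\n")


def handoff(secret):
    """Run producer and consumer against one private FIFO; return what the consumer got."""
    with tempfile.TemporaryDirectory() as tmp:
        fifo = prepare_fifo(os.path.join(tmp, "passwd"))
        producer = threading.Thread(target=write_secret, args=(fifo, secret))
        producer.start()
        received = read_secret(fifo)
        producer.join()
        return received


def demo_regular_file():
    """Failure mode 1: mkfifo was never run, so 'passwd' is an ordinary file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd")
        open(path, "wb").close()
        return is_safe_sink(path)  # False: writing here would persist the secret


def demo_world_readable_fifo():
    """Failure mode 2: a FIFO that another local user could open for reading."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd")
        os.mkfifo(path)
        os.chmod(path, 0o644)
        return is_safe_sink(path)  # False


if __name__ == "__main__":
    # constructed sample passphrase; in real use it would come from the keyring
    print(handoff(b"correct-horse-battery-staple"))
    print(demo_regular_file(), demo_world_readable_fifo())
```

In the real setup the same check belongs on the server side, immediately before cat >~/passwd runs: a remote test such as test -p ~/passwd is cheap, and it turns a silent plaintext write into a failed backup run that you notice.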

Tags: linux, ssh, luks, truecrypt, dm-crypt
Source: https://codeday.me/bug/20190812/1642712.html