系统相关
首页 > 系统相关> > linux-通过环境变量提供ssh密钥密码

linux-通过环境变量提供ssh密钥密码

作者:互联网

我在应用程序中使用ssh命令运行shell脚本.使用的私钥通过密码短语加密,问题是-当询问时我无法交互传递它.ssh-agent中未添加密钥.我无法执行ssh-add my_key,因为该密码短语应该以交互方式传递.这对终端通信很有用,但在内部应用程序中却不太好用.

手册页显示:

DISPLAY and SSH_ASKPASS

If ssh-add needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal.
If ssh-add does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the
program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This is particularly useful when
calling ssh-add from a .xsession or related script. (Note that on some machines it may be necessary to redirect
the input from /dev/null to make this work.)

当我执行SSH_ASKPASS = file_with_passphrase ssh-add my_key时,我仍然要求输入密码,看起来env var在这种情况下只是被忽略了.我尝试执行ssh -o BatchMode = yes,并且服务器只是拒绝了编码密钥,因为没有人能够对其进行解码.

我肯定可以在ssh-agent中使用它之前手动解码ssh密钥,但是看起来我即将从SSH_ASKPASS变量中获得所需的信息,但是我不知道如何使它起作用.很高兴获得社区的帮助.

解决方法:

因此,实际上有些事情对于您要尝试的事情很重要:

>必须设置显示
>它不能与终端关联
>在某些机器上,可能需要从/ dev / null重定向输入(我的就是其中之一).
> SSH_ASKPASS必须包含一个在stdout上输出密码的可执行文件.

因此,举一个使它工作的例子(对我来说,我猜也应该在其他Linux上工作):

创建虚拟密钥:

ssh-keygen -t rsa -C se-so-38354773 -f /tmp/se-so-38354773.key -N 'se-so-38354773-pp'

创建askpass脚本以回显密码文件:

cat > /tmp/se-so-38354773-askpass <<EOF
#!/usr/bin/env bash
echo "${0}:${@} : this is for debugging to see if the echo script runs" 1>&2
echo "se-so-38354773-pp"
EOF
chmod +x /tmp/se-so-38354773-askpass

我将此文件放在/ tmp /中-但这对安全性没有好处,除非您在写入文件之前也更改了该文件的权限以确保其他人都无法读取(或设置umask).

然后,您可以执行ssh-add,如下所示:

DISPLAY=":0.0" SSH_ASKPASS="/tmp/se-so-38354773-askpass" setsid ssh-add /tmp/se-so-38354773.key </dev/null

如果有一个setid,它将与您的终端分离-尽管我的计算机上不需要该setid-但是,是的,我认为在其他情况下可能需要它.

完成测试后,请清理:

ssh-add -d /tmp/se-so-38354773.key
rm /tmp/se-so-38354773*

我的计算机上的示例输出:

iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$ssh-keygen -t rsa -C se-so-38354773 -f /tmp/se-so-38354773.key -N 'se-so-38354773-pp'
Generating public/private rsa key pair.
Your identification has been saved in /tmp/se-so-38354773.key.
Your public key has been saved in /tmp/se-so-38354773.key.pub.
The key fingerprint is:
SHA256:s+jVUPEyb2DzRM5y+Hm3XDzVRREKn5yU2d0hk61hIQ0 se-so-38354773
The key's randomart image is:
+---[RSA 2048]----+
|          .E+=B=O|
|           B*B*o=|
|          X B*o o|
|         o % o ..|
|        S   * ..+|
|       . = . ...+|
|      . o .    o |
|     . .         |
|      .          |
+----[SHA256]-----+
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$cat > /tmp/se-so-38354773-askpass <<EOF
> #!/usr/bin/env bash
> echo "${0}:${@} : this is for debugging to see if the echo script runs" 1>&2
> echo "se-so-38354773-pp"
> EOF
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$chmod +x /tmp/se-so-38354773-askpass
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$DISPLAY=":0.0" SSH_ASKPASS="/tmp/se-so-38354773-askpass" setsid ssh-add /tmp/se-so-38354773.key </dev/null
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$
bash: : this is for debugging to see if the echo script runs
Identity added: /tmp/se-so-38354773.key (/tmp/se-so-38354773.key)
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$ssh-add -d /tmp/se-so-38354773.key
Identity removed: /tmp/se-so-38354773.key (se-so-38354773)
iwana@iwana-nb.concurrent.co.za:~/projects/gitlab.com/aucampia/stackexchange/stackoverflow/38354773
$rm /tmp/se-so-38354773*

标签:shell,ssh,ssh-keys,ssh-agent,linux
来源: https://codeday.me/bug/20191118/2027999.html