使用变量的值作为 scp、ssh 等的密码,而不是每次都提示用户输入 [英] Using a variable's value as password for scp, ssh etc. instead of prompting for user input every time
问题描述
AFAIK,命令 ssh 或 scp 没有/采用密码参数.否则我可以将密码保存在 shell 变量中,并且可能会摆脱输入密码提示.如果我在 shell 脚本中编写 scp 命令,它会提示用户输入密码.我的脚本中有多个 ssh 和 scp 命令,我不希望用户每次都输入密码.我更愿意在开始时将密码保存在 shell 变量中(通过询问密码一次),然后将它用于每个 ssh 或 scp.
AFAIK, the commands ssh or scp do not have/take a password parameter. Otherwise I could keep the password in a shell variable and probably get rid of the enter password prompt. If I write an scp command in my shell script, it prompts the user to input the password. I have multiple ssh and scp commands in my script and I do not want the user to enter the password every time. I would prefer to save the password in a shell variable in the beginning (by asking password once), then use it for every ssh or scp.
我在这个问题中读到了公钥识别".是否与我正在寻找的解决方案有关?
I read about "public key identification" in this question. Is it related to the solution I am looking for?
更新
我阅读了 如何在 shell 脚本中使用 ssh 命令? 为什么在命令行上指定密码是不安全的.使用 expect 是否也存储密码并且是世界可见的(使用 ps aux)?这是使用 expect 的安全问题吗?
Update
I read in How to use ssh command in shell script? why it is unsafe to specify passwords on the commandline. Does using expect also store the password and is world visible (using ps aux)? Is that the security issue with using expect?
进一步说明
为了进一步说明,我正在编写这个 shell 脚本来自动执行代码和数据库备份、上传代码、运行必要的数据库查询、执行 LAMP 项目从开发人员系统到远程实时服务器.我的 shell 脚本将存在于每个开发人员实例中项目的主代码库中.
Further Explanation
To further make it clear, I am writing this shell script to automate code and database backup, do code upload, run necessary database queries, do all the things that are needed for a new version release of a LAMP project from a developer system to a remote live server. My shell script will be there inside the main codebase of the project in every developer instance.
要求
我希望所有知道 SSH/FTP 密码的开发人员(所有开发人员都可能在不同的远程系统上工作)能够通过仅在运行时输入相同的 ssh/ftp 密码来使用 shell.我希望密码是 ssh/ftp 密码
I want all developers (all may be working from different remote systems) knowing the SSH/FTP password to be able to use the shell by entering the ssh/ftp password same only at run-time once. I would prefer the password to be the ssh/ftp password
注意 - 我不希望其他不知道 SSH 密码的开发人员能够使用它(所以我猜公钥身份验证不起作用,因为它将密码存储在系统中).
Note - I do not want other developers who don't know the SSH password to be able to use it (So I guess public key authentication will not work because it stores the passwords in the systems).
开放赏金
从迄今为止的所有答案以及我对这些解决方案的分析来看,除了公钥身份验证之外,其他所有解决方案似乎都不安全.我还不确定使用 expect 是否不安全.我认为这对我来说是正确的解决方案.在这种情况下,我在尝试执行此操作时收到命令未找到错误,正如已经对其中一个答案进行了评论.
Opening Bounty
From all the answers so far and my anaylsis of those solutions, it looks like other than public key authentication all others are insecure. I am not yet sure if using expect is insecure. I think it is otherwise the correct solution for me. In that case, I am getting command not found errors while trying to do that as already commented on one of the answers.
来自 http://www.debianadmin.com/sshpass-non-interactive-ssh-password-authentication.html -
首先是 sshpass 的用户应该意识到ssh的坚持只获取密码互动不是没有道理的.几乎不可能安全地存储密码和用户sshpass的应该考虑是否ssh 的公钥认证提供相同的最终用户体验,同时涉及较少的麻烦和更安全.
First and foremost, users of sshpass should realize that ssh’s insistance on only getting the password interactively is not without reason. It is close to be impossible to securely store the password, and users of sshpass should consider whether ssh’s public key authentication provides the same end-user experience, while involving less hassle and being more secure.
那么,是否不能通过输入 ssh/ftp 密码安全地运行多个 ssh、scp 命令(如果只在运行时一次?请再次阅读我的要求部分.
So, is it not possible to securely run multiple ssh, scp commands by entering the ssh/ftp password (if only once at runtime? Please read my Requirement section again.
另外,谁能解释一下 -
Also, can anyone explain this -
特别是编写程序的人满足的意思是沟通以上几点)密码鼓励以编程方式使用匿名管道并传递管道的使用 -d 读取结束到 sshpass选项.
In particular, people writing programs that satisfies are meant to communicate the above points)password programatically are encouraged to use an anonymous pipe and pass the pipe’s reading end to sshpass using the -d option.
这是否意味着一切皆有可能?
Does this mean anything is possible?
推荐答案
事实上,您肯定希望研究设置 ssh 密钥,而不是在 bash 脚本中保存密码.如果密钥是无密码的,则 ssh/scp 不需要用户输入.您只需将其设置为在两端都使用密钥,瞧,安全通信.
Indeed, you'll definitely want to look into setting up ssh keys, over saving a password in a bash script. If the key is passwordless, then no user input will be required to ssh/scp. You just set it up to use the key on both ends and voila, secured communication.
但是,如果我不说这个,我会被贬低.许多人认为无密码 ssh 密钥是一个坏主意(TM).如果有人拿到钥匙,他们就可以完全访问.这意味着您正在依赖其他安全措施(例如文件权限)来确保您的密码安全.
However, I'll get downvoted to hell if I don't say this. Many consider passwordless ssh keys to be a Bad Idea(TM). If anybody gets their hands on the keys, the have full access. This means that you are relying on other security measures such as file permissions to keep your password safe.
另外,查看 ssh-agent.它允许您设置它以便您拥有受密码保护的 ssh 密钥,但您只需输入一次,它就会为您管理密钥的密码并在必要时使用它.在我家里的 linux 机器上,我将 ssh-agent 设置为在我的 .xinitrc 文件中运行,以便它提示我一次然后启动 X. YMMV.
Also, look into ssh-agent. It allows you to set it up so that you have a password protected ssh-key, but you only need to type it in once and it will manage the password for the key for you and use it when necessary. On my linux box at home, I have ssh-agent set up to run in my .xinitrc file so that it prompts me once and then starts X. YMMV.
更新:
关于您的要求,受密码保护的公钥身份验证 + ssh-agent 似乎仍然适合.只有知道 SSH/FTP 密码的开发人员才能启动 ssh-agent,输入密码,然后 ssh-agent 将管理剩余会话的公钥密码,不再需要交互.
UPDATE:
With regards to your requirements, password protected public key authentication + ssh-agent still seems to fit. Only the developers privy to the SSH/FTP password could start up ssh-agent, type in the password and ssh-agent would manage the passwords for the public keys for the rest of the session, never requiring interaction again.
当然,它如何存储它完全是另一回事.IANASE,但有关使用 ssh-agent 的安全问题的更多信息,我发现 symantec 的文章非常有用:http://www.symantec.com/connect/articles/ssh-and-ssh-agent
Of course, how it stores it is another matter entirely. IANASE, but for more information on security concerns of using ssh-agent, I found symantec's article to be pretty informative: http://www.symantec.com/connect/articles/ssh-and-ssh-agent
"ssh-agent 创建了一个 unix 域socket,然后监听来自/usr/bin/ssh 的连接插座.它依赖于简单的unix阻止访问此权限的权限套接字,这意味着您可以使用任何键放入您的代理可用于任何可以连接到此套接字的人.[IE.根]" ...
"The ssh-agent creates a unix domain socket, and then listens for connections from /usr/bin/ssh on this socket. It relies on simple unix permissions to prevent access to this socket, which means that any keys you put into your agent are available to anyone who can connect to this socket. [ie. root]" ...
"然而,[..] 它们只能使用当代理运行时——root可以使用您的代理进行身份验证到您在其他系统上的帐户,但它不提供直接访问钥匙本身.这意味着钥匙取不下来机器并从其他地方使用无限期."
"however, [..] they are only usable while the agent is running -- root could use your agent to authenticate to your accounts on other systems, but it doesn't provide direct access to the keys themselves. This means that the keys can't be taken off the machine and used from other locations indefinitely."
希望您不会尝试使用不受信任的 root 系统.
Hopefully you're not in a situation where you're trying to use an untrusted root's system.
这篇关于使用变量的值作为 scp、ssh 等的密码,而不是每次都提示用户输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
