Temporarily remove the ssh private key password in a shell script


Problem description

I am required to deploy some files from server A to server B. I connect to server A via SSH and from there, connect via ssh to server B, using a private key stored on server A, the public key of which resides in server B's authorized_keys file. The connection from A to B happens within a Bash shell script that resides on server A.

This all works fine, nice and simple, until a security-conscious admin pointed out that my SSH private key stored on server A is not passphrase protected, so that anyone who might conceivably hack into my account on server A would also have access to server B, as well as C, D, E, F, and G. He has a point, I guess.

He suggests a complicated scenario under which I would add a passphrase, then modify my shell script to add a line at the beginning in which I would call

ssh-keygen -p -f {private key file}  

answer the prompt for my old passphrase with the passphrase and the (two) prompts for my new passphrase with just return, which gets rid of the passphrase, and then at the end, after my scp command, calling

ssh-keygen -p -f {private key file} 

again, to put the passphrase back.

To which I say "Yecch!".

Well I can improve that a little by first reading the passphrase ONCE in the script with

read -s PASS_PHRASE

then supplying it as needed using the -N and -P parameters of ssh-keygen.

It's almost usable, but I hate interactive prompts in shell scripts. I'd like to get this down to one interactive prompt, but the part that's killing me is the part where I have to press enter twice to get rid of the passphrase

This works from the command line:

ssh-keygen -p -f {private key file} -P {pass phrase} -N ''

but not from the shell script. There, it seems I must remove the -N parameter and accept the need to type two returns.

That is the best I am able to do. Can anyone improve this? Or is there a better way to handle this? I can't believe there isn't.

Best would be some way of handling this securely without ever having to type in the passphrase but that may be asking too much. I would settle for once per script invocation.

Here is a simplified version of the whole script in skeleton form

#!/bin/bash
# read -s is a bash builtin, so the script needs bash rather than plain sh
KEYFILE=$HOME/.ssh/id_dsa
PASSPHRASE=''

unset_passphrase() {
        # params
        # oldpassword keyfile
        echo "unset_passphrase()"
        # call ssh-keygen directly: building the command in a string and
        # expanding it turns -N '' into a literal pair of quote characters
        # instead of an empty new passphrase
        ssh-keygen -p -P "$1" -N '' -f "$2"
        echo
}

reset_passphrase() {
        # params
        # oldpassword keyfile
        echo "reset_passphrase()"
        # the key currently has an empty passphrase, so pass -P '' explicitly
        ssh-keygen -p -P '' -N "$1" -f "$2"
        echo
}

echo "Enter passphrase:"
read -s PASSPHRASE
unset_passphrase "$PASSPHRASE" "$KEYFILE"
# do something with ssh
reset_passphrase "$PASSPHRASE" "$KEYFILE"

Recommended answer

Check out ssh-agent. It caches the passphrase so you can use the keyfile during a certain period regardless of how many sessions you have.

More details about ssh-agent are here.
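
The following script is an added example, not code from the question or the answer. It puts the ssh-agent suggestion into the shape the question's skeleton script has: the key keeps its passphrase on disk, a script-private agent holds the decrypted key only while the script runs, ssh-add asks for the passphrase exactly once, and the agent is killed on exit. The key path, the remote host and the deploy commands in main() are placeholders; the unattended load_key_from_env path assumes OpenSSH 8.4 or newer for SSH_ASKPASS_REQUIRE.

```shell
#!/bin/bash
# Added example (not code from the question or the answer): instead of stripping
# and re-adding the passphrase, keep it on the key and let a script-private
# ssh-agent hold the decrypted key only for the lifetime of this script.
# Assumptions: OpenSSH client tools installed; KEYFILE, REMOTE and the deploy
# commands in main() are placeholders to replace.
set -eu

KEYFILE="${KEYFILE:-$HOME/.ssh/id_ed25519}"   # placeholder key path
REMOTE="${REMOTE:-user@serverB.example}"       # placeholder target host

# Start an agent that belongs to this script only and kill it when the
# script exits, whether it succeeds or fails.
start_private_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1 || true' EXIT
}

# Fingerprint of the key (ssh-keygen falls back to KEYFILE.pub when the
# private key is encrypted).
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Succeeds if the agent currently holds the key stored in $1.
agent_has_key() {
    local fp
    fp=$(key_fingerprint "$1")
    ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF "$fp"
}

# Interactive path: ssh-add asks for the passphrase once, on the terminal.
# -t caps how long the agent keeps the key even if the EXIT trap never runs.
load_key() {
    ssh-add -t 600 "$1"
}

# Unattended path (also used by the test): the passphrase reaches ssh-add
# through an environment variable and a throwaway SSH_ASKPASS helper, so it
# never appears on a command line. SSH_ASKPASS_REQUIRE=force needs OpenSSH
# 8.4+; DISPLAY plus a non-tty stdin makes older releases use the helper too.
load_key_from_env() {
    local keyfile=$1 helper rc=0
    helper=$(mktemp)
    cat > "$helper" <<'EOF'
#!/bin/sh
printf '%s\n' "$SSH_KEY_PASSPHRASE"
EOF
    chmod 700 "$helper"
    SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force DISPLAY="${DISPLAY:-:0}" \
        ssh-add -t 600 "$keyfile" </dev/null >/dev/null 2>&1 || rc=$?
    rm -f "$helper"
    return "$rc"
}

main() {
    start_private_agent
    load_key "$KEYFILE"        # the single interactive prompt per invocation
    # Every ssh/scp from here on authenticates through the agent, no prompt.
    scp ./deploy.tar "$REMOTE:/tmp/deploy.tar"
    ssh "$REMOTE" 'tar -xf /tmp/deploy.tar -C /srv/app'
}   # EXIT trap kills the agent here; the key on disk was never modified

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `./deploy.sh --run`: ssh-add prompts once, every ssh and scp afterwards authenticates through the agent, and the trap removes the agent (and with it the decrypted key) when the script ends, so a failed scp no longer leaves the key on disk without its passphrase. The `-t 600` lifetime is the fallback for the case where the script is killed hard and the trap never runs.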
