使用变量的值作为密码SCP，SSH等，而不是提示每次用户输入 [英] Using a variable's value as password for scp, ssh etc. instead of prompting for user input every time

问题描述

据我所知， SSH 或 SCP 没有命令/取密码参数。否则，我可以在一个shell变量保持密码并可能摆脱输入密码提示。如果我在shell脚本编写一个scp命令，它会提示用户输入密码。我有我的剧本多ssh和scp命令，我不希望用户输入密码每次。我想preFER（通过询问密码一次）保存在开始一个shell变量的密码，然后用它为每一个ssh或scp。

AFAIK, the commands ssh or scp do not have/take a password parameter. Otherwise I could keep the password in a shell variable and probably get rid of the enter password prompt. If I write an scp command in my shell script, it prompts the user to input the password. I have multiple ssh and scp commands in my script and I do not want the user to enter the password every time. I would prefer to save the password in a shell variable in the beginning (by asking password once), then use it for every ssh or scp.

我这个问题 。这是否与我在寻找解决方案？

I read about "public key identification" in this question. Is it related to the solution I am looking for?

更新结果
我读<一个href=\"http://stackoverflow.com/questions/3938763/how-to-use-ssh-command-in-shell-script/3938775#3938775\">How在shell脚本中使用ssh命令？的原因是不安全的在命令行指定密码。是否使用期望中还存放了密码，是全球可见的（使用的ps aux ）？这是一个通过安全问题期望？

Update
I read in How to use ssh command in shell script? why it is unsafe to specify passwords on the commandline. Does using expect also store the password and is world visible (using ps aux)? Is that the security issue with using expect?

新解结果
为了进一步讲清楚，我写这个shell脚本来自动code和数据库的备份，做code上传，运行必要的数据库查询，尽一切都需要的<一个新版本发布的事情HREF =htt​​p://en.wikipedia.org/wiki/LAMP_%28software_bundle%29>从开发系统LAMP项目到远程实时服务器。我的shell脚本会在那里的每一个开发实例项目的主要codeBase的内部。

Further Explanation
To further make it clear, I am writing this shell script to automate code and database backup, do code upload, run necessary database queries, do all the things that are needed for a new version release of a LAMP project from a developer system to a remote live server. My shell script will be there inside the main codebase of the project in every developer instance.

要求

• 我想所有的开发人员（全部可以从不同的远程系统中工作）知道SSH / FTP密码，它能够通过仅在运行时进入SSH / FTP密码相同，一旦使用shell。我想preFER密码是SSH / FTP密码

• I want all developers (all may be working from different remote systems) knowing the SSH/FTP password to be able to use the shell by entering the ssh/ftp password same only at run-time once. I would prefer the password to be the ssh/ftp password

注意 - 我不希望其他开发商谁不知道SSH密码才能使用它（我猜公钥验证不会工作，因为它存储密码的系统）。

Note - I do not want other developers who don't know the SSH password to be able to use it (So I guess public key authentication will not work because it stores the passwords in the systems).

我不希望这在一些日志存储密码的系统，可以使用的ps aux或东西是世界上可见的任何命令行的解决方案。

I do not want any command line solution which stores the password in some log in the system and can be world visible using ps aux or something.

打开赏金结果
从迄今为止所有的答案，我的这些解决方案anaylsis，看起来比公钥认证之外的所有其他都是不安全的。我还不知道，如果使用期望是不安全的。我认为这是对，否则我正确的解决方案。在这种情况下，我得到命令没有找到错误，同时尝试这样做，因为已经评论了其中一个答案。

Opening Bounty
From all the answers so far and my anaylsis of those solutions, it looks like other than public key authentication all others are insecure. I am not yet sure if using expect is insecure. I think it is otherwise the correct solution for me. In that case, I am getting command not found errors while trying to do that as already commented on one of the answers.

从<一个href=\"http://www.debianadmin.com/sshpass-non-interactive-ssh-password-authentication.html\">http://www.debianadmin.com/sshpass-non-interactive-ssh-password-authentication.html -

首先，sshpass的用户
  应该认识到，SSH的坚持
  只有获得密码
  交互不是没有原因的。
  这是接近不可能
  安全地存储密码和用户
  sshpass应该考虑是否
  SSH的公共密钥认证
  提供相同的最终用户体验，
  而涉及少些麻烦和被
  更安全。

First and foremost, users of sshpass should realize that ssh’s insistance on only getting the password interactively is not without reason. It is close to be impossible to securely store the password, and users of sshpass should consider whether ssh’s public key authentication provides the same end-user experience, while involving less hassle and being more secure.

那么，是不是不能安全地运行多个SSH，SCP命令通过在运行时输入SSH / FTP密码（如果只有一次？请再次阅读我的需求部分。

So, is it not possible to securely run multiple ssh, scp commands by entering the ssh/ftp password (if only once at runtime? Please read my Requirement section again.

此外，任何人都可以解释这一点 -

Also, can anyone explain this -

在特别的人写程序
  其满足是为了
  通信上述各点）的密码
  编程鼓励使用
  匿名管道，并通过管道的
  阅读结束sshpass使用-d
  选项​​。

In particular, people writing programs that satisfies are meant to communicate the above points)password programatically are encouraged to use an anonymous pipe and pass the pipe’s reading end to sshpass using the -d option.

这是否意味着一切皆有可能？

Does this mean anything is possible?

推荐答案

事实上，你肯定会想看看设置SSH密钥，比bash脚本保存密码。如果密钥密码的，则没有用户输入将被要求SSH / SCP。你只需将其设置为使用两端的关键，瞧，安全的通信。

Indeed, you'll definitely want to look into setting up ssh keys, over saving a password in a bash script. If the key is passwordless, then no user input will be required to ssh/scp. You just set it up to use the key on both ends and voila, secured communication.

不过，我会得到downvoted地狱，如果我不说这个。许多人认为密码的ssh键是一个坏主意（TM）。如果有人得到了他们手中的钥匙，将有充分的机会。这意味着，你是靠其他安全措施，如文件的权限，让您的密码安全。

However, I'll get downvoted to hell if I don't say this. Many consider passwordless ssh keys to be a Bad Idea(TM). If anybody gets their hands on the keys, the have full access. This means that you are relying on other security measures such as file permissions to keep your password safe.

此外，考虑的ssh-agent。它可以让你设定，让你有密码保护的SSH密钥，但你只需要输入一次，它会为你的密钥管理密码，并在必要时使用它。在家里我的Linux中，我的ssh-agent建立在我的.xinitrc文件运行，所以它提示我，然后开始X.情况因人而异。

Also, look into ssh-agent. It allows you to set it up so that you have a password protected ssh-key, but you only need to type it in once and it will manage the password for the key for you and use it when necessary. On my linux box at home, I have ssh-agent set up to run in my .xinitrc file so that it prompts me once and then starts X. YMMV.

更新：结果
至于你的要求，密码保护的公钥验证和ssh-agent似乎仍然适合。只有开发商枢密院的SSH / FTP密码，可以启动的ssh-agent，键入密码和ssh代理将管理的公共密钥密码用于会话的其余部分，不会再要求互动。

UPDATE:
With regards to your requirements, password protected public key authentication + ssh-agent still seems to fit. Only the developers privy to the SSH/FTP password could start up ssh-agent, type in the password and ssh-agent would manage the passwords for the public keys for the rest of the session, never requiring interaction again.

当然，它如何存储它完全是另一回事。 IANASE，但对于使用ssh-剂的安全问题的详细信息，我发现赛门铁克的文章是pretty信息：的 http://www.symantec.com/connect/articles/ssh-and-ssh-agent

Of course, how it stores it is another matter entirely. IANASE, but for more information on security concerns of using ssh-agent, I found symantec's article to be pretty informative: http://www.symantec.com/connect/articles/ssh-and-ssh-agent

中的ssh-agent创建一个Unix域
  插座，然后监听
  从/ usr / bin中/ SSH这个连接
  插座。它依赖于简单的UNIX
  权限prevent上网本
  插座，这意味着任何键，你
  把你的代理人提供给
  任何人谁可以连接到此插座。
  [即。根]...

"The ssh-agent creates a unix domain socket, and then listens for connections from /usr/bin/ssh on this socket. It relies on simple unix permissions to prevent access to this socket, which means that any keys you put into your agent are available to anyone who can connect to this socket. [ie. root]" ...

，然而，[..]它们仅可用
  而代理正在运行 - 根
  可以使用您的代理认证
  您的帐户上的其他系统，但
  它不提供直接访问
  密钥本身。这意味着
  按键不能采取关闭
  机从其他地方使用
  无止境。

"however, [..] they are only usable while the agent is running -- root could use your agent to authenticate to your accounts on other systems, but it doesn't provide direct access to the keys themselves. This means that the keys can't be taken off the machine and used from other locations indefinitely."

但愿你不是在你试图使用一个不受信任的根的情况的制度。

Hopefully you're not in a situation where you're trying to use an untrusted root's system.

这篇关于使用变量的值作为密码SCP，SSH等，而不是提示每次用户输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！