我编写了一个batch用于配置开发服务器的脚本:
@echo off
set mode=development
set ssh_port=22
set secure_ssh_port=4096
if "%mode%" == "development" (
@REM Spin up a new vagrant box
vagrant destroy -f && vagrant up
@REM Copy scripts to server
scp -P %ssh_port% -F ssh_config -r scripts/* dev:/tmp
@REM Enable SSH variables
ssh -p %ssh_port% -F ssh_config dev "sudo bash /tmp/_enable-ssh-vars.sh"
setlocal EnableDelayedExpansion
for /f %%i in ('dir /b "scripts\*.sh"') do (
set x=%%i
if not "!x:~0,1!" == "_" (
ssh -p %ssh_port% -F ssh_config dev "sudo bash /tmp/!x!"
set /p _ignore=Press any key to continue ...
)
)
endlocal
@REM Activate the firewall
ssh -p %ssh_port% -F ssh_config dev "sudo awall activate --force"
@REM Cleanup
ssh -p %secure_ssh_port% -F ssh_config dev "sudo rm -rf /tmp/*.sh && sudo cat /dev/null > ~/.bash_history && exit"
) else (
echo "Not implemented"
)
我的问题是,在我运行脚本以启用通过 SSH 传递变量后,我无法访问其中一个变量并收到错误:/tmp/1-mkuser.sh: line 20: LC_SSH_PUB_KEY: unbound variable
以下是内容1-mkuser.sh:
#!/usr/bin/env bash
# Script to setup new user and add key to authorized keys
set -o errexit
set -o pipefail
set -o nounset
# set -o xtrace
# Create unprivilaged user ####################################################
adduser --disabled-password "${LC_UNPRIV_USER}"
# Add public key to authorized keys ###########################################
key_path="/home/${LC_UNPRIV_USER}/.ssh"
mkdir -p "${key_path}"
echo "${LC_SSH_PUB_KEY}" > "${key_path}/authorized_keys"
chmod 700 "${key_path}"
chmod 600 "${key_path}/authorized_keys"
我没有收到任何错误LC_UNPRIV_USER,所以我认为只是LC_SSH_PUB_KEY变量导致了问题?
如果我登录到该框并检查是否LC_SSH_PUB_KEY已设置,则它是(使用和不使用 sudo 进行测试)。我使用以下方式登录:
ssh -p 22 -F ssh_config dev
并检查LC_SSH_PUB_KEY回报...
alpine313:~$ sudo echo ${LC_SSH_PUB_KEY}
ssh-rsa AAAAB3NzbC1yc2EAAAADAQABAAACAQDbr/x2DTynUcDtbWfPVG5Mg1E1rDe8gB3gQUSsxSwqo6AMjucx6WoJgDY3exFDEFlUqDi2rOpZkT5lhBS0nXRDDJGgm595nZc2Vwq/QQmKMjJ893jTVi4/aQcG0FWOYxrkXka6SR9dl/R6rmWzGanzIEy55I+kwF0eXOMPPjT9sn5F1lN+cVzXcwrbYovBUKAwzAmpXlYSolxjyjcIadVWbxSP9Sh9IFwQIdDLC0wxqtkLC6x0LTWoKglLBOjS3MHKf7CTvXezVb8Ggh1Uotf5QWuqfYjZq5VEqaX6CBtkAi6qL/2sAI9YspSXWkna7WaWVOjvCyOfq3iU3KIpeYbZmlPvjwsr7LNsRW1byerL5yWwfh9YjT6PcP0rloyJo43W347I0kn8hfK9myU2pe3wBbbpEw/0gFduo1O+U15DLEvytzXDib1ICiKsLJnxvKD0YaKc/r8DZz0Qiw6e6xuxFRoRDJiWxrAx5SBdsQ7GbpNhJ7tLP7hQbLJvc6fcXm3iS0J0eqFODJFTTaXM4Zi6CiMb3GNzDLHw6xadP11AQV2mPoLLEM4MhcTmwUuz4pbilEaXYcfNBcmtBOH2zb49hr5d1q1fnDirc8cd6N7B0B+hjw7d2y6diuEGi2OHZfO0YPL726oAeuCDeJSQdBTLXlUSDuf9NqKpthnuD7eo5Q==
笔记:这是用于演示目的的虚拟密钥。
这是我的ssh_config客户端:
Host dev
HostName dev.local
User vagrant
IdentityFile .vagrant/machines/default/virtualbox/private_key
SetEnv LC_MODE=development LC_DOMAIN=dev.local LC_IFACE=eth1 LC_SSH_PORT=4096 LC_UNPRIV_USER=deploy LC_SSH_PUB_KEY="ssh-rsa AAAAB3..."
Host prod-root
HostName production-machine.com
User root
IdentityFile keys/toor
Host prod
HostName production-machine.com
User deploy
IdentityFile keys/deploy
Host *
Port 4096
Compression yes
LogLevel INFO
以下是内容_enable-ssh-vars.sh:
#!/usr/bin/env bash
set -o errexit
set -o pipefail
set -o nounset
# set -o xtrace
echo "AcceptEnv LC_*" >> /etc/ssh/sshd_config
rc-service sshd restart
知道哪里出了问题吗?
编辑在这种情况下,可以安全地附加到sshd_config。我有一个脚本,它在配置循环中复制自定义强化版本sshd_config。我首先调用脚本来允许LC_*变量,这样我就有可用于配置脚本的变量。
sshd_config附加后原文如下AcceptEnv...:
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication yes
PermitRootLogin yes
UseDNS no
AllowTcpForwarding yes
AcceptEnv LANG LC_*
答案1
首先,最好将环境变量存储在主机的环境中,并通过SendEnv LC_*SSH 传递这些变量。
但这里的实际问题是LC_SSH_PUB_KEY变量的长度太长。我不确定变量的限制是SetEnv多少SendEnv。
scp与将公钥内容存储在变量中相比,获取公钥并移动它也更容易。