Cannot access some environment variables set in ssh_config

I wrote a batch script for provisioning a development server:

@echo off

set mode=development
set ssh_port=22
set secure_ssh_port=4096

if "%mode%" == "development" (
    
    @REM Spin up a new vagrant box
    vagrant destroy -f && vagrant up

    @REM Copy scripts to server
    scp -P %ssh_port% -F ssh_config -r scripts/* dev:/tmp

    @REM Enable SSH variables
    ssh -p %ssh_port% -F ssh_config dev "sudo bash /tmp/_enable-ssh-vars.sh"

    setlocal EnableDelayedExpansion
    for /f %%i in ('dir /b "scripts\*.sh"') do (
       set x=%%i
       if not "!x:~0,1!" == "_" (
          ssh -p %ssh_port% -F ssh_config dev "sudo bash /tmp/!x!"
          set /p _ignore=Press any key to continue ...
       )
    )
    endlocal
    
    @REM Activate the firewall
    ssh -p %ssh_port% -F ssh_config dev "sudo awall activate --force"
    
    @REM Cleanup
    ssh -p %secure_ssh_port% -F ssh_config dev "sudo rm -rf /tmp/*.sh && sudo cat /dev/null > ~/.bash_history && exit"
) else (
   echo "Not implemented"
)

My problem is that after I run the script that enables passing variables over SSH, I cannot access one of the variables and get the error: /tmp/1-mkuser.sh: line 20: LC_SSH_PUB_KEY: unbound variable

Here is the content of 1-mkuser.sh:

#!/usr/bin/env bash
# Script to setup new user and add key to authorized keys

set -o errexit
set -o pipefail
set -o nounset
# set -o xtrace

# Create unprivileged user ####################################################

adduser --disabled-password "${LC_UNPRIV_USER}"

# Add public key to authorized keys ###########################################
key_path="/home/${LC_UNPRIV_USER}/.ssh"

mkdir -p "${key_path}"
echo "${LC_SSH_PUB_KEY}" > "${key_path}/authorized_keys"
chmod 700 "${key_path}"
chmod 600 "${key_path}/authorized_keys"
# The script runs under sudo, so the files above are owned by root. Hand them
# to the new user (busybox adduser creates a group of the same name): sshd
# reads authorized_keys with that user's privileges, not as root.
chown -R "${LC_UNPRIV_USER}:${LC_UNPRIV_USER}" "${key_path}"

I don't get any error for LC_UNPRIV_USER, so I assume it is only the LC_SSH_PUB_KEY variable that is causing the problem?

If I log in to the box and check whether LC_SSH_PUB_KEY is set, it is (tested with and without sudo). I log in with:

ssh -p 22 -F ssh_config dev

and checking LC_SSH_PUB_KEY returns...

alpine313:~$ sudo echo ${LC_SSH_PUB_KEY}
ssh-rsa ...

Note: this is a dummy key for demonstration purposes.

Here is my client-side ssh_config:

Host dev
    HostName dev.local
    User vagrant
    IdentityFile .vagrant/machines/default/virtualbox/private_key
    SetEnv LC_MODE=development LC_DOMAIN=dev.local LC_IFACE=eth1 LC_SSH_PORT=4096 LC_UNPRIV_USER=deploy LC_SSH_PUB_KEY="ssh-rsa AAAAB3..."

Host prod-root
    HostName production-machine.com
    User root
    IdentityFile keys/toor

Host prod
    HostName production-machine.com
    User deploy
    IdentityFile keys/deploy

Host *
    Port 4096
    Compression yes
    LogLevel INFO

Here is the content of _enable-ssh-vars.sh:

#!/usr/bin/env bash

set -o errexit
set -o pipefail
set -o nounset
# set -o xtrace

echo "AcceptEnv LC_*" >> /etc/ssh/sshd_config
rc-service sshd restart

Any idea what is going wrong?

EDIT: In this case it is safe to append to sshd_config. I have a script that copies a custom hardened version of sshd_config during the provisioning loop. I call the script that allows the LC_* variables first, so that I have the variables available to the provisioning scripts.

Here is the original sshd_config after AcceptEnv has been appended...

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       PermitTTY no
#       ForceCommand cvs server
PasswordAuthentication yes
PermitRootLogin yes

UseDNS no

AllowTcpForwarding yes
AcceptEnv LANG LC_*

Answer 1

First, it is better to store the environment variables in the host's environment and pass them over SSH with SendEnv LC_*.

But the actual problem here is that the LC_SSH_PUB_KEY variable is too long. I'm not sure what the length limit is for SetEnv or SendEnv variables.

It is also easier to fetch the public key and move it with scp than to store the public key contents in a variable.
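Added example (editor's, not code from the question or the answer above): a small POSIX sh model of a second mechanism that fits the symptoms in the question and can be checked on the box independently of the length explanation given in the answer. sudoers(5) lists LC_* in sudo's built-in env_check table, and with env_reset a checked variable is removed unless its value is "safe", which for every name except TZ means it contains neither '/' nor '%'. A base64 SSH key body almost always contains '/', while deploy, eth1, dev.local and 4096 do not, so of the six SetEnv variables only LC_SSH_PUB_KEY would be missing inside `sudo bash /tmp/1-mkuser.sh`. The interactive check `sudo echo ${LC_SSH_PUB_KEY}` does not exercise this path, because the login shell expands the variable before sudo starts. The key body below is constructed placeholder data, and the functions only model the rule (env_keep is not modelled); on the target host, `sudo -V` run as root prints the effective env_check and env_keep lists.

```shell
#!/bin/sh
# Editor's example: model sudo's default env_check rule from sudoers(5) and
# apply it to the NAME=VALUE pairs an ssh_config SetEnv line would deliver.
# Rule modelled: names in the default check table (COLORTERM LANG LANGUAGE
# LC_* LINGUAS TERM; TZ has its own rule and is left out) are dropped when
# the value contains '/' or '%'. Names outside the table are reported as kept
# here, although in reality env_keep decides their fate.

# Constructed sample key body with '/' and '+' in it; not a real key.
SAMPLE_PUB_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7/x+sample/key+body== dev@example'

# sudo_envcheck_keeps NAME VALUE -> exit 0 if the variable survives the
# default env_check rule, 1 if sudo would strip it.
sudo_envcheck_keeps() {
    case "$1" in
        LC_*|LANG|LANGUAGE|LINGUAS|COLORTERM|TERM)
            case "$2" in
                */*|*%*) return 1 ;;
            esac
            ;;
    esac
    return 0
}

# kept_vars 'NAME=VALUE' ... -> names that survive, one per line
kept_vars() {
    for pair in "$@"; do
        name=${pair%%=*}
        value=${pair#*=}
        if sudo_envcheck_keeps "$name" "$value"; then
            printf '%s\n' "$name"
        fi
    done
}

# dropped_vars 'NAME=VALUE' ... -> names sudo would strip, one per line
dropped_vars() {
    for pair in "$@"; do
        name=${pair%%=*}
        value=${pair#*=}
        sudo_envcheck_keeps "$name" "$value" || printf '%s\n' "$name"
    done
}

demo() {
    echo "Variables from the SetEnv line after sudo's default env_check:"
    echo "  kept:    $(kept_vars "$@" | tr '\n' ' ')"
    echo "  dropped: $(dropped_vars "$@" | tr '\n' ' ')"
}

# The six variables from the question's SetEnv line, with the key body
# replaced by the constructed sample above.
demo "LC_MODE=development" "LC_DOMAIN=dev.local" "LC_IFACE=eth1" \
     "LC_SSH_PORT=4096" "LC_UNPRIV_USER=deploy" "LC_SSH_PUB_KEY=$SAMPLE_PUB_KEY"

# On the real host, let the child process expand the variable so the test
# actually goes through sudo's environment filter:
#   sudo sh -c 'printf "%s\n" "${LC_SSH_PUB_KEY-<unset under sudo>}"'
```

Whichever explanation applies on a given box, the answer's suggestion to copy the key file with scp sidesteps the issue entirely, since the key then never travels through the environment of a sudo-launched process.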