我通过公钥身份验证登录到服务器,然后安装容器(使用例如 LUKS/dm-crypt 或 truecrypt)。目前,我必须手动输入容器密码。有没有办法使用 ssh 代理来保护该容器?或者,如果无法直接实现,我可以使用 ssh 公钥加密容器密码(或者可能更好,密钥文件)并使用 ssh 代理暂时解密吗?
答案1
我曾经使用远程 encfs 做过类似的事情,我在其中存储了本地 PC 的备份。也许这会有所帮助。当时我正在使用带有 gnome-keyring 的 Ubuntu。
dbus_session.sh
#!/bin/bash
# This will grab the appropriate environment variables to connect to the
# gnome-keyring via dbus for the currently logged in user
# shouldn't be necessary if you're running from an xterm in gnome
$(sed 's/^\([^#]\)/export \1/' ~/.dbus/session-bus/*-0 | grep -v ^#)
keyring_helper.py
#!/usr/bin/python
import sys
import keyring
if len(sys.argv) < 5:
print "Usage: keyring_helper.py get|set name server protocol [password]"
sys.exit(1)
k = keyring.Keyring(sys.argv[2], sys.argv[3], sys.argv[4])
if sys.argv[1] == "get":
c = k.get_credentials()
print c[1]
elif sys.argv[1] == "set":
k.set_credentials((sys.argv[2], sys.argv[5]));
备份文件
#!/bin/bash
. "$(dirname "$0")"/dbus_session.sh
cd /home/mike/misc/scripts
if ssh polaris mountpoint -q ~/mnt/; then
echo 1>&2 Filesystem already mounted.
exit 1
fi
# Take password from gnome-keyring and store in FIFO on polaris
./keyring_helper.py get mike polaris enc_backups 2>/dev/null |ssh polaris 'cat >~/passwd' &
# Mount the encrypted filesystem
ssh polaris 'nice -n 19 encfs -f -i 5 --extpass=cat ~/enc_backups/ ~/mnt/ <~/passwd' &
# Wait for the mount to complete
ssh polaris 'while ! mountpoint -q ~/mnt/; do if [ $((I++)) -gt 15 ]; then exit 1; fi; sleep 1; done'
if [ $? -ne 0 ]; then
echo 1>&2 Mount failed.
exit 2
fi
# Transfer data
rsync -az --delete --bwlimit 45 ~/misc /array/Dropbox/documents /array/pictures polaris:mnt/
# Unmount the encrypted filesystem
ssh polaris fusermount -u mnt
# Wait for child processes to exit
wait
mkfifo passwd初始设置非常简单,只需在远程服务器和keyring_helper.py set <name> <server> <protocol>桌面上执行即可。完成后,您的桌面应该将您的密码从密钥环写入 fifo,远程 truecrypt 进程将通过 stdin 读取它。