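I want to use a passphrase-protected SSH key when running tasks with parallel-ssh (and related tools). However, I can't get it to work.
All of the documentation for parallel-ssh indicates that I should be able to do this with --askpass or -A: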
-A
--askpass
Prompt for a password and pass it to ssh. The password may be
used for either to unlock a key or for password authentication. The
password is transferred in a fairly secure manner (e.g., it will not
show up in argument lists). However, be aware that a root user on
your system could potentially intercept the password.
However, when I enter the passphrase for my key, it doesn't work:
$ parallel-ssh --hosts=machines --user=my_user --askpass \
--timeout=0 --inline -v 'sudo apt-get update'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 09:59:36 [FAILURE] amritiii Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[2] 09:59:37 [FAILURE] gbdev Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[3] 09:59:37 [FAILURE] code Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[4] 09:59:37 [FAILURE] apollo Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[5] 09:59:37 [FAILURE] odin Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[6] 09:59:37 [FAILURE] hathor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[7] 09:59:37 [FAILURE] ldap Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[8] 09:59:37 [FAILURE] thor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[9] 09:59:37 [FAILURE] bioserver Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
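I have confirmed that my SSH key and passphrase work on every machine, so I don't know how to get this working.
Answer 1
Assuming parallel-ssh and pssh are equivalent, then yes, what you are trying to do should work fine, with the password being piped through when you use the -A switch.
Example
Here is an example where I connect to 2 different systems, host1 and host2. I use the -l switch to pssh to provide a default user of root. However, I override this in the -H switch by specifying the hostname as user1@host2.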
$ pssh -A -i -H "host1 user1@host2" -l root 'echo "hi"'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 21:38:00 [SUCCESS] user1@host2
hi
Stderr:
This is a private site. Unauthorized connections are prohibited.
All activity may be logged. Disconnect immediately if you object to
this policy or are not an authorized user.
X11 forwarding request failed on channel 1
Killed by signal 1.
[2] 21:38:00 [SUCCESS] host1
hi
Stderr:
This is a private site. Unauthorized connections are prohibited.
All activity may be logged. Disconnect immediately if you object to
this policy or are not an authorized user.
ControlSocket /home/user1/.ssh/[email protected]:22 already exists, disabling multiplexing
X11 forwarding request failed on channel 0
Killed by signal 1.
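When the above works, you'll notice the output of the command I'm running, echo "hi".
Your problem
The passphrase problem you are having with your SSH key pair is caused by a bug. The bug is titled: Issue 80: Not passing passphrase?. The fourth comment on that issue shows a patch:
Excerpt
#4 [email protected]
I changed the line to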
if not ( prompt.strip().lower().endswith('password:') or 'enter passphrase for key' in prompt.strip().lower()):
and this seems to work
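The prompt check behind the failure in the question, as an added example that is not part of the original answers or of pssh itself. `patched_check` is the condition quoted in the comment above; `assumed_original_check` is an assumption (the same line without its second clause), and the sample output is constructed in the format shown in the question.

```python
import re

# Constructed sample, in the inline output format shown in the question.
SAMPLE_OUTPUT = """\
[1] 09:59:36 [FAILURE] amritiii Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[2] 09:59:37 [SUCCESS] gbdev
"""

HEADER = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d) \[(SUCCESS|FAILURE)\] (\S+)")


def assumed_original_check(prompt):
    """Assumption: the pre-patch test, i.e. the patched line minus its second clause."""
    return prompt.strip().lower().endswith('password:')


def patched_check(prompt):
    """The condition from the comment quoted in the answer above."""
    p = prompt.strip().lower()
    return p.endswith('password:') or 'enter passphrase for key' in p


def unanswered_prompts(output):
    """Map each failed host to the prompt that was left on its stderr, if any."""
    result, host = {}, None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            # Only track hosts whose header line reports FAILURE.
            host = m.group(4) if m.group(3) == "FAILURE" else None
        elif host and line.startswith("Stderr: "):
            text = line[len("Stderr: "):]
            if text.rstrip().endswith(":"):  # looks like a prompt awaiting input
                result[host] = text
    return result


def diagnose(output):
    """For each stuck host: (answered by assumed original?, answered by patch?)."""
    return {h: (assumed_original_check(p), patched_check(p))
            for h, p in unanswered_prompts(output).items()}


if __name__ == "__main__":
    for host, (before, after) in diagnose(SAMPLE_OUTPUT).items():
        print(f"{host}: answered before patch={before}, after patch={after}")
```

The patched condition is specific to ssh's own wording: the ssh-add prompt shown in Answer 3 ("Enter passphrase for /xxxx/.ssh/identity:") matches neither check.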
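Answer 2
I managed to get it working by installing keychain rather than manually patching the bug that was causing my problem.
Install and run keychain manually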
# install keychain package
$ sudo apt-get install keychain
# add my key to the keychain, entering passphrase when asked
$ keychain ~/.ssh/id_rsa
# source the file generated by the above command
$ . ~/.keychain/$(uname -n)-sh
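Run the command without entering a password/passphrase
Now, this time I don't need a password when invoking parallel-ssh, because keychain takes care of the authentication: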
$ parallel-ssh --hosts=machines --user=my_user --timeout=0 'sudo apt-get update'
[1] 14:52:15 [SUCCESS] amritiii
[2] 14:52:17 [SUCCESS] odin
[3] 14:52:25 [SUCCESS] gmod
[4] 14:53:11 [SUCCESS] bioserver
[5] 14:53:14 [SUCCESS] thor
[6] 14:53:14 [SUCCESS] apollo
[7] 14:53:16 [SUCCESS] gbdev
[8] 14:53:17 [SUCCESS] code
[9] 14:53:18 [SUCCESS] hathor
[10] 14:53:34 [SUCCESS] ldap
Run keychain at login
Rather than running keychain manually and adding the key to it, simply add the following to the end of your ~/.bash_profile:
keychain --clear $HOME/.ssh/id_rsa
. $HOME/.keychain/$(uname -n)-sh
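This ensures that on the first login after a reboot you are prompted for your key's passphrase. Your key then stays in the keychain until the next reboot or until you clear the keychain manually.
Cron jobs using keychain
With the above in your ~/.bash_profile file, you can take advantage of the fact that your key is now stored in the keychain by sourcing the same file before running a cron job. For example, I have a backup script that runs every night at 21:00 and copies content to a remote machine over SSH. This is an entry in my crontab (crontab -e):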
0 21 * * * . $HOME/.keychain/$(uname -n)-sh; $HOME/backup_script.sh
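Answer 3
Use ssh-agent to authenticate automatically (with a shell name as its argument, it sets the agent environment variables in a new shell). Add the key with ssh-add and enter the passphrase only once.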
$ ssh-agent bash
$ ssh-add
Enter passphrase for /xxxx/.ssh/identity:
$
$ pssh ...