parallel-ssh with a passphrase-protected SSH key


8

I want to use a passphrase-protected SSH key when running tasks with parallel-ssh (and its related tools). However, I can't get it to work.

All the documentation for parallel-ssh suggests that I should be able to do this with --askpass / -A:

-A
--askpass
      Prompt  for  a  password  and pass it to ssh.  The password may be 
      used for either to unlock a key or for password authentication.  The 
      password is transferred in a fairly secure manner (e.g., it will not 
      show up in argument lists).  However, be aware that a root user on 
      your system could potentially intercept the password.

But when I enter my key's passphrase, it doesn't work:

$ parallel-ssh --hosts=machines --user=my_user --askpass \
    --timeout=0 --inline -v 'sudo apt-get update'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 09:59:36 [FAILURE] amritiii Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[2] 09:59:37 [FAILURE] gbdev Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[3] 09:59:37 [FAILURE] code Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[4] 09:59:37 [FAILURE] apollo Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[5] 09:59:37 [FAILURE] odin Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[6] 09:59:37 [FAILURE] hathor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[7] 09:59:37 [FAILURE] ldap Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[8] 09:59:37 [FAILURE] thor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).
[9] 09:59:37 [FAILURE] bioserver Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa': 
Permission denied (publickey,password).

I've confirmed that my SSH key and passphrase work on each of these machines, so I don't know how to get this running.


I assume parallel-ssh is the same as pssh?
slm

Yes, parallel-ssh and pssh are indeed the same.
Nathan S. Watson-Haigh

Answers:


5

Assuming parallel-ssh and pssh are equivalent, then yes, what you're trying to do should work just fine with a passphrase via the -A switch.

Here's an example of me connecting to 2 different systems, host1 and host2. I'm using the -l switch to give pssh a default user of root. For host2, however, I override that in the -H switch by specifying the host as user1@host2.

$ pssh -A -i -H "host1 user1@host2" -l root 'echo "hi"'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 21:38:00 [SUCCESS] user1@host2
hi
Stderr: 
This is a private site.  Unauthorized connections are prohibited.  
All activity may be logged.  Disconnect immediately if you object to 
this policy or are not an authorized user.

X11 forwarding request failed on channel 1
Killed by signal 1.
[2] 21:38:00 [SUCCESS] host1
hi
Stderr: 
This is a private site.  Unauthorized connections are prohibited.  
All activity may be logged.  Disconnect immediately if you object to 
this policy or are not an authorized user.

ControlSocket /home/user1/.ssh/master-user1@ssh-tunnel.mydomain.com:22 already exists, disabling multiplexing
X11 forwarding request failed on channel 0
Killed by signal 1.

When the above works, you'll notice the output of the command I'm running, echo "hi".

Your problem

The problem you're having with a passphrase on your SSH key pair is due to a bug. It's the bug titled "Issue 80: Password not passed through?". The 4th comment on that issue shows a patch:

excerpt

#4 robine...@gmail.com

I changed the line to

if not (prompt.strip().lower().endswith('password:') or
        'enter passphrase for key' in prompt.strip().lower()):

and it seems to work



Thanks for your input slm. parallel-ssh and pssh are indeed the same. I wasn't asking whether it was possible; the documentation clearly suggests it is. I can't get it to actually work as the documentation describes.
Nathan S. Watson-Haigh

1
@NathanS.Watson-Haigh - see the update. It's a bug, and I've referenced the patch.
slm

This is indeed the issue affecting me. However, since the author of parallel-ssh is still unsure how best to detect the password prompt so as to respond with the entered password/passphrase, I'm going to stick with the keychain approach. I don't want my passphrase inadvertently being sent to the wrong prompt.
Nathan S. Watson-Haigh

1
I'm accepting this as the answer since you managed to work out that this is a known bug in how parallel-ssh passes the passphrase through to SSH. However, for users hitting this later on, the bug may have been fixed, or you may choose not to edit the askpass_client.py file. In either case you can work around it using the keychain answer (unix.stackexchange.com/a/128998/57414) or the SSH agent answer (unix.stackexchange.com/a/129022/57414)
Nathan S. Watson-Haigh 2014
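To show why the stock prompt check left ssh stuck at "Enter passphrase for key" and what the patched condition from comment #4 matches, here is an added Python example; it is not pssh's own askpass_client.py, the original narrow condition is assumed from the comment's wording, and the sample prompts are constructed. It also includes a host-key confirmation prompt to show that neither condition answers a prompt that is not a secret request, which is the concern raised in the comment above about sending the passphrase to the wrong prompt.

```python
"""Model of the askpass prompt check discussed in Issue 80.

This is an added illustration, not the code of pssh's askpass_client.py.
It models the condition from the quoted comment as a function and
compares it with the narrower check that the comment says it replaced.
"""

# Constructed sample prompts of the kind ssh hands to an SSH_ASKPASS helper.
PASSWORD_PROMPT = "user@host's password: "
KEY_PROMPT = "Enter passphrase for key '/home/user/.ssh/id_rsa': "
# A prompt an askpass helper must never answer with a secret, for example
# a host-key confirmation question (constructed, shortened).
HOSTKEY_PROMPT = "Are you sure you want to continue connecting (yes/no)? "


def original_check(prompt: str) -> bool:
    """Narrow check (assumed original line): only 'password:' prompts pass."""
    return prompt.strip().lower().endswith("password:")


def patched_check(prompt: str) -> bool:
    """Condition from comment #4 on Issue 80: key prompts are accepted too."""
    text = prompt.strip().lower()
    return text.endswith("password:") or "enter passphrase for key" in text


def decide(prompt: str, check) -> str:
    """What the helper would do for a prompt under a given check.

    'answer' means the stored secret is written to ssh; 'refuse' means the
    helper exits without sending anything, which is what left ssh waiting at
    'Enter passphrase for key' and then failing with 'Permission denied'.
    """
    return "answer" if check(prompt) else "refuse"


def summary() -> dict:
    """Decision for each sample prompt as (original, patched)."""
    samples = (("password", PASSWORD_PROMPT), ("key", KEY_PROMPT),
               ("hostkey", HOSTKEY_PROMPT))
    return {name: (decide(p, original_check), decide(p, patched_check))
            for name, p in samples}


if __name__ == "__main__":
    for name, (before, after) in summary().items():
        print(f"{name:9s} original={before:7s} patched={after}")
```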

5

I managed to get this working by installing keychain rather than manually patching the bug that was causing my problem.

Install and run keychain manually

# install keychain package
$ sudo apt-get install keychain

# add my key to the keychain, entering passphrase when asked
$ keychain ~/.ssh/id_rsa

# source the file generated by the above command
$ . ~/.keychain/$(uname -n)-sh

Run commands without entering a password/passphrase

This time I don't need a password when invoking parallel-ssh, because keychain takes care of the authentication:

$ parallel-ssh --hosts=machines --user=my_user --timeout=0 'sudo apt-get update'
[1] 14:52:15 [SUCCESS] amritiii 
[2] 14:52:17 [SUCCESS] odin
[3] 14:52:25 [SUCCESS] gmod
[4] 14:53:11 [SUCCESS] bioserver
[5] 14:53:14 [SUCCESS] thor
[6] 14:53:14 [SUCCESS] apollo
[7] 14:53:16 [SUCCESS] gbdev
[8] 14:53:17 [SUCCESS] code
[9] 14:53:18 [SUCCESS] hathor
[10] 14:53:34 [SUCCESS] ldap

Run keychain at login

Instead of running keychain and adding the key to it by hand, simply add the following to the end of your ~/.bash_profile:

keychain --clear $HOME/.ssh/id_rsa
. $HOME/.keychain/$(uname -n)-sh

This ensures that the first time you log in after a reboot you are prompted for your key's passphrase. Your key then stays in the keychain until the next reboot, or until you clear the keychain manually.

Cron jobs using keychain

Once you've added the above to your ~/.bash_profile, you can source the same file before running a cron job to take advantage of the fact that your key is already stored in the keychain. For example, I have a backup script that runs every night at 21:00 and copies content to a remote machine over SSH. Here is the entry in my crontab (crontab -e):

 0 21 * * * . $HOME/.keychain/$(uname -n)-sh; $HOME/backup_script.sh

1

Use ssh-agent to automate authentication (with a shell name as the argument, so the agent's environment variables are set in that new shell). Use ssh-add to add the key, entering the passphrase only once.

$ ssh-agent bash
$ ssh-add
Enter passphrase for /xxxx/.ssh/identity: 
$ 
$ pssh ...
Licensed under cc by-sa 3.0 with attribution required.