SSH login in script

Kevin Donnelly

11 Mar 2002 11 Mar '02

22:45

I want to have a script shift some files from one part of a webserver to another, and it therefore needs to use ssh. I usually login using: ssh -l <username> and then give the password. I assume it's not possible to do this in the script, so I tried using ssh-keygen to generate a public/private keypair. I then uploaded $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out? TIA Kevin

Show replies by date

Christopher Mahmood

11 Mar 11 Mar

21:48

New subject: [SLE] SSH login in script

* Kevin Donnelly (kevin@dotmon.com) [020311 13:38]:

...

I am on the webserver? Have I missed something out?

Make the passphrase null. -- -ckm

Kevin Donnelly

23:44

New subject: [SLE] SSH login in script

On Monday 11 March 2002 9:48 pm, Christopher Mahmood wrote:

...

...
I am on the webserver? Have I missed something out?

Make the passphrase null.

Brilliant! Thanks to you and Togan for coming back so fast! Kevin

Togan Muftuoglu

22:04

New subject: [SLE] SSH login in script

* Kevin Donnelly; on 11 Mar, 2002 wrote:

...

webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out?

have a look for ssh-agent and ssh-add in the respective man pages. It is better then (also secure) null passphrases -- Togan Muftuoglu

Steven Augart

22:04

New subject: [SLE] SSH login in script

Kevin Donnelly wrote:

...

I want to have a script shift some files from one part of a webserver to another, and it therefore needs to use ssh. I usually login using: ssh -l <username> and then give the password. I assume it's not possible to do this in the script, so I tried using ssh-keygen to generate a public/private keypair. I then uploaded $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out?

TIA

Kevin

I just attempted what I think you tried manually and it worked fine for me. Are you also unable to do this manually? I assume needless to say, you saved the new keypair as ~/.ssh/identity on the account you're testing from? (ssh -i ~/.ssh/<insecure-private-key-file> also works). Are you ever able to log in without typing the account's password to the target host? (i.e., has ssh-agent ever enabled you to log in there without retyping the password each time you log in?) Make sure that the permissions on the target's authorized_keys and identity file are 600 or 400,and that the permissions on the target's .ssh are 700. Those should take care of the most paranoid /etc/ssh/sshd_config. If you can read /etc/ssh/sshd_config on the target machine, it may be helpful. --Steve Augart

Kevin Donnelly

12 Mar 12 Mar

13:22

New subject: [SLE] SSH login in script

On Monday 11 March 2002 10:04 pm, Steven Augart wrote:

...

Kevin Donnelly wrote:

...
I want to have a script shift some files from one part of a webserver to another, and it therefore needs to use ssh. I usually login using: ssh -l <username> and then give the password. I assume it's not possible to do this in the script, so I tried using ssh-keygen to generate a public/private keypair. I then uploaded $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out?

TIA

Kevin

I just attempted what I think you tried manually and it worked fine for me. Are you also unable to do this manually?

No, I did this as above, manually, and got asked for the password.

...

I assume needless to say, you saved the new keypair as ~/.ssh/identity on the account you're testing from? (ssh -i ~/.ssh/<insecure-private-key-file> also works).

Yes.

...

Are you ever able to log in without typing the account's password to the target host? (i.e., has ssh-agent ever enabled you to log in there without retyping the password each time you log in?)

Yes, I am always asked, but this may be because ssh-agent is not available or not running or not set up on the webserver. I didn't know about ssh-agent before, so Togan and you have given me more to think about! I am reading the man pages at the moment, in between deep gulps of breath!

...

Make sure that the permissions on the target's authorized_keys and identity file are 600 or 400,and that the permissions on the target's .ssh are 700. Those should take care of the most paranoid /etc/ssh/sshd_config.

This is very useful - thanks. I will try this, and some ssh-agent experiments.

...

If you can read /etc/ssh/sshd_config on the target machine, it may be helpful.

The site is on a virtual host, and this file isn't available. In the meantime, I've got the problem that the ssh login keeps kindly presenting me with a shell prompt, so of course the rest of the script doesn't execute. What's the best way of getting the script to ignore it and go on to run a shell command directly? I've tried sending the login to /dev/null, using && for the next command, putting login and command in brackets, separated by semi-colon, and a few other things in David Tansley's Linux and Unix Shell Programming book, but no luck. Thanks Kevin

Togan Muftuoglu

12:52

New subject: [SLE] SSH login in script

* Kevin Donnelly; on 12 Mar, 2002 wrote:

...

On Monday 11 March 2002 10:04 pm, Steven Augart wrote: Yes, I am always asked, but this may be because ssh-agent is not available or not running or not set up on the webserver. I didn't know about ssh-agent before, so Togan and you have given me more to think about! I am reading the man pages at the moment, in between deep gulps of breath!

if you are using X windows (ie KDE) put this in your ~/.xsession eval `ssh-agent` ssh-add The next time you start your X session ssh-agent and ssh-add will load your key to RAM and you are all set to go -- Togan Muftuoglu

zonderH

14:44

New subject: [SLE] SSH login in script

...

On Monday 11 March 2002 10:04 pm, Steven Augart wrote:

...
Kevin Donnelly wrote:

...
I want to have a script shift some files from one part of a webserver to another, and it therefore needs to use ssh. I usually login using: ssh -l <username> and then give the password. I assume it's not possible to do this in

...

...
...
script, so I tried using ssh-keygen to generate a public/private keypair. I then uploaded $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out?

TIA

Kevin

I just attempted what I think you tried manually and it worked fine for me. Are you also unable to do this manually?

No, I did this as above, manually, and got asked for the password.

...
I assume needless to say, you saved the new keypair as ~/.ssh/identity on the account you're testing from? (ssh -i ~/.ssh/<insecure-private-key-file> also works).

Yes.

...
Are you ever able to log in without typing the account's password to the target host? (i.e., has ssh-agent ever enabled you to log in there without retyping the password each time you log in?)

Yes, I am always asked, but this may be because ssh-agent is not available or not running or not set up on the webserver. I didn't know about ssh-agent before, so Togan and you have given me more to think about! I am reading

You might take a look at: http://www-106.ibm.com/developerworks/library/l-keyc.html about openSSH key management. This is part 1 of 3. Interesting stuff. Greetz, Gert Caers aka zonderH ----- Original Message ----- From: "Kevin Donnelly" To: "Steven Augart" Cc: Sent: Tuesday, March 12, 2002 2:22 PM Subject: Re: [SLE] SSH login in script the the

...

man pages at the moment, in between deep gulps of breath!

...
Make sure that the permissions on the target's authorized_keys and identity file are 600 or 400,and that the permissions on the target's .ssh are 700. Those should take care of the most paranoid /etc/ssh/sshd_config.

This is very useful - thanks. I will try this, and some ssh-agent experiments.

...
If you can read /etc/ssh/sshd_config on the target machine, it may be helpful.

The site is on a virtual host, and this file isn't available.

In the meantime, I've got the problem that the ssh login keeps kindly presenting me with a shell prompt, so of course the rest of the script doesn't execute. What's the best way of getting the script to ignore it and go on to run a shell command directly?

I've tried sending the login to /dev/null, using && for the next command, putting login and command in brackets, separated by semi-colon, and a few other things in David Tansley's Linux and Unix Shell Programming book, but no luck.

Thanks

Kevin

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com

Steven Augart

13 Mar 13 Mar

22:21

New subject: [SLE] SSH login in script

Whoever it was who suggested that you make sure to create a passwordless ~/.ssh/identity was smart to think of that. (I had neglected to mention that part of it :)). But if this script is only going to be launched when you're logged in already (i.e., if you'll be launching it manually) then it will inherit your ssh-agent environment variables, and will have appropriate access. Here's the sequence, cut directly out of /etc/profile.local on the computer I'm using: ## if interactive, set up for SSH if [[ $- == *i* ]] && [ ! "$SSH_AUTH_SOCK" ] && [ -d $HOME/.ssh ] \ && type ssh-agent > /dev/null 2>&1; then # The 'trap' command sets us up to automatically clean up the # freshly-started agent when we exit eval $(ssh-agent) && trap 'eval $(ssh-agent -k)' EXIT echo "Type \`\`ssh-add'' in order to set up your SSH client." fi As for Kevin Donnelly wrote:

...

Yes, I am always asked, but this may be because ssh-agent is not available or not running or not set up on the webserver.

I should explain that the web server knows nothing about ssh-agent. Your local ssh client uses the private key as part of comminication with the remote server, and the remote server doesn't know whether you just typed in the passphrase for that private key, or whether ssh-agent conveniently kept the private key cached for you, or what. It just reads the bits that your ssh client sends it.

...

I am reading the man pages at the moment, in between deep gulps of breath!

I find it appalling reading. I only dug into the server config file page after my ssh logins broke after an upgrade. O'Reilly and associates has an entire book just on setting up and using SSH. Looks like a couple of hundred pages; I haven't read it, since I had already gotten my configuration (finally) working without it.

...

In the meantime, I've got the problem that the ssh login keeps kindly presenting me with a shell prompt, so of course the rest of the script doesn't execute. What's the best way of getting the script to ignore it and go on to run a shell command directly?

The shell prompt will confuse almost any program that expects to read something back from the remote shell. Earlier versions (at least until 7.1, maybe 7.2) of SuSE linux came with an /etc/profile that automatically set the prompt (PS1) even if you weren't logged in interactively. This is a Bad Thing. Here's the hack to fix it, again out of my /etc/profile.local. You should put this into your .bashrc on the remote host: ## Non-interactive shells should not have PS1 and PS2 set indiscriminately! if [[ $- != *i* ]]; then unset PS1 PS2 fi

...

I've tried sending the login to /dev/null, using && for the next command, putting login and command in brackets, separated by semi-colon, and a few other things in David Tansley's Linux and Unix Shell Programming book, but no luck.

You could also use the very useful program ``expect'' to automate the login process. The main disadvantage of doing this in an expect script is that you'll then end up including a cleartext password in the body of the script. Also note that ssh takes a -i option that allows you to use an alternate identity file. So you could have an identity that you use just for the automated script. Good luck! Write back! --Steve Augart

Linux - User

12 Mar 12 Mar

14:34

New subject: Chroot for a user login ?

Hi guys... is there any way to make a jail for a user login ? I mean.. I want to do a "chroot" like to some group of users to allow them to see only some directories... not all... and not allow him to get lower that his home directory... Thanks in advance. bye --ed

Togan Muftuoglu

15:07

New subject: [SLE] Chroot for a user login ?

* Linux - User; on 12 Mar, 2002 wrote:

...

Hi guys... is there any way to make a jail for a user login ?

I mean.. I want to do a "chroot" like to some group of users to allow them to see only some directories... not all... and not allow him to get lower that his home directory...

Maybe rbash (restricted bash) can solve your needs -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

PR

15 Mar 15 Mar

10:28

New subject: [SLE] Chroot for a user login ?

can you expand on that... piet Togan Muftuoglu wrote:

...

* Linux - User; on 12 Mar, 2002 wrote:

...
Hi guys... is there any way to make a jail for a user login ?

I mean.. I want to do a "chroot" like to some group of users to allow them to see only some directories... not all... and not allow him to get lower that his home directory...

Maybe rbash (restricted bash) can solve your needs

Togan Muftuoglu

10:41

New subject: [SLE] Chroot for a user login ?

* PR; on 15 Mar, 2002 wrote:

...

can you expand on that...

change the user shell from /bin/whateever to /bin/rbash and have a look at man rbash -- Togan Muftuoglu

Ray Booysen

12 Mar 12 Mar

10:38

New subject: [SLE] SSH login in script

this depends whether you are using ssh or ssh ver 2. if you are using ver 2 then the file with the key is called $HOME/.ssh/authorized_keys2 Cheers Ray Booysen ----- Original Message ----- From: "Kevin Donnelly" To: Sent: Tuesday, March 12, 2002 12:45 AM Subject: [SLE] SSH login in script

...

I want to have a script shift some files from one part of a webserver to another, and it therefore needs to use ssh. I usually login using: ssh -l <username> and then give the password. I assume it's not possible to do this in the script, so I tried using ssh-keygen to generate a public/private keypair. I then uploaded $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out?

TIA

Kevin

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com

8142

Age (days ago)

8146

Last active (days ago)

List overview

Download

13 comments

8 participants

participants (8)

Christopher Mahmood
Kevin Donnelly
Linux - User
PR
Ray Booysen
Steven Augart
Togan Muftuoglu
zonderH