如果你的创建的密钥对设置了密码短语,使用ssh或者sftp命令时,提示手动输入密码短语。
这时候如果是自动化的脚本作业,应该如何写呢?
网上的方案有使用sshpass,但是如果服务器是AIX系统,很不幸,大概率是找不到这个命令的。
ssh.com官网的ssh-add有提及用到密码短语的密钥使用情况。
Keys with Passphrases
If the key being added has a passphrase,
ssh-add
will run thessh-askpass
program to obtain the passphrase from the user. If theSSH_ASKPASS
environment variable is set, the program given by that environment variable is used instead.Some people use the
SSH_ASKPASS
environment variable in scripts to provide a passphrase for a key. The passphrase might then be hard-coded into the script, or the script might fetch it from a password vault. However, use of passphrases in this manner does not eliminate the need for proper key lifecycle management and rotation. Instead, we recommend looking at the PrivX On-Demand Access Manager on how to completely eliminate SSH keys in such applications and replace them by short-lived certificates issued on-demand based on centrally managed access policies.
大意就是,可以用SSH_ASKPASS这个环境变量来实现自动输入密码短语。但是,官方不推荐因为这种取巧的方法并不能满足密钥的生命周期管理和轮替。顺便带出另一款产品——PrivX。
我不管,我就用取巧的方法。这里有一个帖子提到如何利用SSH_ASKPASS。
大概如下:
printf "#!/bin/bash\necho password\n" > /usr/bin/sshpass.sh
printf "ls -lrt \n quit \n" > /opt/operation.batch
export SSH_ASKPASS=/usr/bin/sshpass.sh
setsid sftp unixforum@localhost < operation.batch
可以看到,sshpass.sh不过是将密码硬编码输出。这里有一个关键点,setsid。