SSH / SCP Wrapper
2 februari 2006
My company has a lot of servers on which I have to log in with ssh and copy files to with scp several times a day. I didn't want to type in my password every time, so I decided to use the ssh built-in feature of authorized_keys. Using one key for all servers is not very secure — if that single key leaks, every server is exposed at once — so I wrote a small shell script that looks for the right key every time I use ssh or scp. A key that is used without typing a passphrase is only as safe as the file it lives in, so to be more secure I put the keys on an encrypted filesystem on a USB stick.
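#!/bin/bash
# Wrapper around ssh/scp that selects a per-host private key from an encrypted
# USB stick, based on the host named on the command line.
#
# Key files are expected at $CRYPT_PATH/<hostname>$KEY_SUFFIX, e.g.
# /media/crypt/server1_id_dsa. "_id_dsa" is only a naming convention here;
# change KEY_SUFFIX below if you use another key type.
#
# Howto (replace <VARIABLES> with the values you configure below):
#   ssh-keygen -t dsa -f $CRYPT_PATH/<hostname>_id_dsa
#   append $CRYPT_PATH/<hostname>_id_dsa.pub to ~/.ssh/authorized_keys on the
#   server (if that file does not exist, simply copy the .pub file there as
#   ~/.ssh/authorized_keys)
#   save this file as $SCP_WRAPPER anywhere in your $PATH and add a symbolic
#   link to the same file:
#     ln -s $SCP_WRAPPER $SSH_WRAPPER
#   finally add these lines to your ~/.bashrc:
#     alias ssh="/PATH/TO/$SSH_WRAPPER"
#     alias scp="/PATH/TO/$SCP_WRAPPER"
#   (the script decides between ssh and scp by the name it was invoked as,
#   so the aliases must point at the matching wrapper name)
#
# Security notes:
#   - "ssh -i" ADDS the key to the ones ssh already tries (~/.ssh/id_*, agent).
#     Set "IdentitiesOnly yes" in ~/.ssh/config if only the per-host key may be
#     offered to that host.
#   - With USE_NS_LOOKUP=1 the key is chosen by the name DNS returns, so whoever
#     answers your DNS queries influences which key is offered. Only the public
#     half is ever sent, so the impact is limited to which key gets used.
#   - DSA (ssh-dss) keys are disabled by default in OpenSSH 7.0 and later;
#     prefer ed25519 or RSA keys and adjust KEY_SUFFIX accordingly.
#   - All diagnostics go to stderr: stdout of ssh/scp may be redirected by the
#     caller ("ssh host cat f > local") and must not carry wrapper messages.

################ CONFIGURATION ################
# path to your keys (mount point of the encrypted filesystem):
CRYPT_PATH="/media/crypt"
CRYPT_MAPPER_PATH="/dev/mapper/crypt"
# script / program names (SSH and SCP may carry options; they are word-split):
SCP_WRAPPER="scp_wrapper.sh"
SSH_WRAPPER="ssh_wrapper.sh"
SSH="/usr/bin/ssh"
SCP="/usr/bin/scp -C"
# key files are named <host>$KEY_SUFFIX
KEY_SUFFIX="_id_dsa"
# set to 1 if you have different domain names for a single server;
# the canonical name from DNS is then used, so one key file serves them all
USE_NS_LOOKUP="0"
################ END ################

HOST=""
KEY=""

# Options of ssh(1) that consume the following word (from the ssh synopsis);
# needed to find the destination when the command line starts with options,
# e.g. "ssh -p 2222 host".
SSH_OPTS_WITH_ARG=(-B -b -c -D -E -e -F -I -i -J -L -l -m -O -o -p -Q -R -S -W -w)

# Diagnostic message to stderr (never stdout, see the header).
note () {
  printf '%s\n' "$*" >&2
}

# Strip an optional "user@" prefix: key files are named after the host only.
stripUser () {
  printf '%s\n' "${1#*@}"
}

# Echo the destination host of an ssh command line: the first word that is
# not an option and not the value of an option. Best effort only — when it
# guesses wrong no key file is found and ssh runs normally.
sshHostFromArgs () {
  local arg opt skip=0
  for arg in "$@"; do
    if [ "$skip" = 1 ]; then
      skip=0
      continue
    fi
    case "$arg" in
      -?)
        for opt in "${SSH_OPTS_WITH_ARG[@]}"; do
          [ "$arg" = "$opt" ] && skip=1
        done
        ;;
      -*)
        # flag, or option with attached value such as -p2222
        ;;
      *)
        printf '%s\n' "$arg"
        return 0
        ;;
    esac
  done
  return 1
}

# Echo the host of the first remote operand ("[user@]host:path") of an scp
# command line. Works for uploads and downloads alike.
scpHostFromArgs () {
  local arg skip=0
  for arg in "$@"; do
    if [ "$skip" = 1 ]; then
      skip=0
      continue
    fi
    case "$arg" in
      -[cDFiJloPS])
        # scp options that take a value
        skip=1
        ;;
      -*)
        ;;
      *:*)
        printf '%s\n' "${arg%%:*}"
        return 0
        ;;
    esac
  done
  return 1
}

# Decide which host name to use for the key lookup and store it in HOST.
# $1: host argument from the command line (user@ is stripped first).
# Returns 0 when HOST is usable, 9 when a DNS lookup was requested but failed.
getServerByHost () {
  local target canonical
  target=$(stripUser "$1")
  if [ "$USE_NS_LOOKUP" == "0" ]; then
    note "skipping hostname lookup"
    HOST=$target
    return 0
  fi
  note "trying to get servername from $target"
  # first "Name:" line of the nslookup answer, leading blanks removed
  canonical=$(nslookup "$target" 2>/dev/null | grep Name | cut -d: -f2 | head -n1 | sed 's/^[[:space:]]*//')
  if [ -z "$canonical" ]; then
    note "lookup of $target failed"
    HOST=$target
    return 9
  fi
  HOST=$canonical
  note "using host $canonical in stead of $target"
  return 0
}

# True when the encrypted volume is opened. "cryptsetup status" reports
# "<dev> is active." or "<dev> is inactive."; a bare grep for "active" would
# match both, hence the leading "is ".
cryptActive () {
  sudo cryptsetup status "$CRYPT_MAPPER_PATH" 2>/dev/null | grep -q ' is active'
}

# Make sure the encrypted volume is opened and mounted, then look for
# $CRYPT_PATH/<host>$KEY_SUFFIX and store that path in KEY.
# $1: host name. Returns 0 when the key file exists, 9 otherwise.
getKey () {
  if ! cryptActive; then
    # Debian's cryptdisks init script; adapt for your system
    note "/etc/init.d/cryptdisks not started: trying to start it now"
    sudo /etc/init.d/cryptdisks start 2>/dev/null
    if ! cryptActive; then
      note "could not open $CRYPT_MAPPER_PATH"
      return 9
    fi
  fi
  # " on /media/crypt " rather than a bare path match, so /media/crypt2 does not count
  if ! mount | grep -qF -- " on $CRYPT_PATH "; then
    note "encrypted disk not mounted, mount now"
    if ! mount "$CRYPT_PATH"; then
      note "mount of $CRYPT_PATH failed"
      return 9
    fi
  fi
  KEY="$CRYPT_PATH/$1$KEY_SUFFIX"
  if [ -f "$KEY" ]; then
    note "using key $KEY"
    return 0
  fi
  note "key [$KEY] not found"
  return 9
}

# Exit with the wrapped program's usage when too few arguments were given.
# $1: minimum number of arguments, $2: number given, $3...: the real program.
paramcheck () {
  local minimum=$1 given=$2
  shift 2
  if [ "$given" -lt "$minimum" ]; then
    "$@"          # the real program without operands prints its usage
    exit $?
  fi
}

case "${0##*/}" in
  "$SCP_WRAPPER")
    # shellcheck disable=SC2206 -- SCP is deliberately word-split (it carries options)
    EXECUTABLE=($SCP)
    paramcheck 2 "$#" "${EXECUTABLE[@]}"
    hostArgument=$(scpHostFromArgs "$@")
    ;;
  *)
    # shellcheck disable=SC2206 -- SSH is deliberately word-split
    EXECUTABLE=($SSH)
    paramcheck 1 "$#" "${EXECUTABLE[@]}"
    hostArgument=$(sshHostFromArgs "$@")
    ;;
esac

KEYARGUMENT=()
shortHost=$(stripUser "$hostArgument")
# shortcut: a key named after the literal host argument wins over any lookup
if [ -n "$shortHost" ] && [ -f "$CRYPT_PATH/$shortHost$KEY_SUFFIX" ]; then
  KEY="$CRYPT_PATH/$shortHost$KEY_SUFFIX"
  KEYARGUMENT=(-i "$KEY")
  note "found key $KEY, skipping everything else"
elif [ -z "$hostArgument" ]; then
  note "no host found on the command line, fallback to normal operation of ${EXECUTABLE[0]##*/}"
elif getServerByHost "$hostArgument"; then
  if getKey "$HOST"; then
    KEYARGUMENT=(-i "$KEY")
  fi
else
  note "fallback to normal operation of ${EXECUTABLE[0]##*/}"
fi

# exec keeps the exit status of ssh/scp as the wrapper's own status;
# without a key file ssh/scp simply fall back to their normal authentication
exec "${EXECUTABLE[@]}" "${KEYARGUMENT[@]}" "$@"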