Nat*_*igh 8 ssh key-authentication parallel-ssh
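When performing tasks with parallel-ssh (and related tools), I would like to use a password-protected SSH key. However, I can't get this to work.
All the documentation on parallel-ssh indicates that I should be able to use --askpass or -A to do this: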
-A
--askpass
Prompt for a password and pass it to ssh. The password may be
used for either to unlock a key or for password authentication. The
password is transferred in a fairly secure manner (e.g., it will not
show up in argument lists). However, be aware that a root user on
your system could potentially intercept the password.
However, when I enter the password for my key, it doesn't work:
$ parallel-ssh --hosts=machines --user=my_user --askpass \
--timeout=0 --inline -v 'sudo apt-get update'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 09:59:36 [FAILURE] amritiii Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[2] 09:59:37 [FAILURE] gbdev Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[3] 09:59:37 [FAILURE] code Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[4] 09:59:37 [FAILURE] apollo Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[5] 09:59:37 [FAILURE] odin Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[6] 09:59:37 [FAILURE] hathor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[7] 09:59:37 [FAILURE] ldap Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[8] 09:59:37 [FAILURE] thor Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
[9] 09:59:37 [FAILURE] bioserver Exited with error code 255
Stderr: Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':
Permission denied (publickey,password).
I have confirmed that my SSH key and password work on each of the machines, so I don't know how to get this to work.
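Assuming parallel-ssh and pssh are equivalent, then yes, what you're trying to do should work fine, with the password being piped through when you use the -A switch.
Here is an example where I connect to 2 different systems, host1 and host2. I use the -l switch to pssh to supply root as the user. For host2, however, I set the user in the -H switch by specifying the hostname as user1@host2.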
$ pssh -A -i -H "host1 user1@host2" -l root 'echo "hi"'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 21:38:00 [SUCCESS] user1@host2
hi
Stderr:
This is a private site. Unauthorized connections are prohibited.
All activity may be logged. Disconnect immediately if you object to
this policy or are not an authorized user.
X11 forwarding request failed on channel 1
Killed by signal 1.
[2] 21:38:00 [SUCCESS] host1
hi
Stderr:
This is a private site. Unauthorized connections are prohibited.
All activity may be logged. Disconnect immediately if you object to
this policy or are not an authorized user.
ControlSocket /home/user1/.ssh/master-user1@ssh-tunnel.mydomain.com:22 already exists, disabling multiplexing
X11 forwarding request failed on channel 0
Killed by signal 1.
When the above works, you'll notice the output of the command I'm running, echo "hi".
The problem you're having with the passphrase on your SSH key pair is caused by a bug. It is the one titled: Issue 80: Not passing passphrase?. The 4th comment on that issue shows a patch:
Excerpt
#4 robin...@gmail.com
I changed the line
if not ( prompt.strip().lower().endswith('password:') or 'enter passphrase for key' in prompt.strip().lower()):
and it seems to work
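An added example, not part of the original answers and not pssh's own code: it models an askpass helper that releases the secret only for prompts it recognises, and compares the condition from comment #4 with an assumed pre-patch condition that accepts only prompts ending in password:. The function names and sample prompts are constructed for illustration.

```python
# Added illustration: models the askpass prompt check discussed above.
# The function names and the unpatched condition are assumptions; only the
# patched condition appears on this page (comment #4).

def original_check(prompt: str) -> bool:
    """Assumed pre-patch rule: answer only prompts ending in 'password:'."""
    return prompt.strip().lower().endswith('password:')


def patched_check(prompt: str) -> bool:
    """Condition from comment #4: also accept key passphrase prompts."""
    p = prompt.strip().lower()
    return p.endswith('password:') or 'enter passphrase for key' in p


def answer_prompt(prompt: str, secret: str, check) -> tuple[int, str]:
    """Return (exit_code, stdout) the way an SSH_ASKPASS helper would.

    ssh runs the helper with the prompt as its argument and reads the
    secret from the helper's stdout; a non-zero exit means "no answer".
    """
    if not check(prompt):
        return 1, ''          # refuse: never hand the secret to an unknown prompt
    return 0, secret + '\n'


# Constructed sample prompts; the second is the one in the failing output above.
PROMPTS = [
    "my_user@host1's password:",
    "Enter passphrase for key '/home/nhaigh/.ssh/id_rsa':",
    "Are you sure you want to continue connecting (yes/no)?",
]


def compare(secret: str = 'constructed-secret'):
    """Map each prompt to (exit code before patch, exit code after patch)."""
    return {
        p: (answer_prompt(p, secret, original_check)[0],
            answer_prompt(p, secret, patched_check)[0])
        for p in PROMPTS
    }


if __name__ == '__main__':
    for prompt, (before, after) in compare().items():
        print(f'{before} -> {after}  {prompt}')
```

The host-key confirmation prompt is refused by both checks, which is the reason the guard exists: the secret should never be sent as the answer to a yes/no question.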
I managed to get this working by installing keychain rather than manually patching the bug that was causing my problem.
# install keychain package
$ sudo apt-get install keychain
# add my key to the keychain, entering passphrase when asked
$ keychain ~/.ssh/id_rsa
# source the file generated by the above command
$ . ~/.keychain/$(uname -n)-sh
Now, this time I don't need my password when invoking parallel-ssh, because keychain takes care of the authentication:
$ parallel-ssh --hosts=machines --user=my_user --timeout=0 'sudo apt-get update'
[1] 14:52:15 [SUCCESS] amritiii
[2] 14:52:17 [SUCCESS] odin
[3] 14:52:25 [SUCCESS] gmod
[4] 14:53:11 [SUCCESS] bioserver
[5] 14:53:14 [SUCCESS] thor
[6] 14:53:14 [SUCCESS] apollo
[7] 14:53:16 [SUCCESS] gbdev
[8] 14:53:17 [SUCCESS] code
[9] 14:53:18 [SUCCESS] hathor
[10] 14:53:34 [SUCCESS] ldap
Rather than running keychain and adding your key to it manually, just add the following to the end of your ~/.bash_profile:
$ keychain --clear $HOME/.ssh/id_rsa
$ . $HOME/.keychain/$(uname -n)-sh
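This ensures that the first time you log in after a reboot, you will be prompted for your key's password. Your key will remain in the keychain until the next reboot or until you manually clear the keychain.
Once the above is in your ~/.bash_profile file, you can take advantage of the fact that your key is now stored in the keychain by sourcing the same file before running a cronjob. For example, I have a backup script that runs at 21:00 every night and copies things to a remote computer over SSH. Here is the entry in my crontab (crontab -e):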
0 21 * * * . $HOME/.keychain/$(uname -n)-sh; $HOME/backup_script.sh