10-19-2015, 10:14 AM (This post was last modified: 03-06-2018 11:02 AM by xwcwt.)
Post: #1
SSH authorization tool -OUD
overview:
When you need to run a program as some user on a remote host through SSH, you may want to add a certain ssh pub_key to that user's authorized_keys on the remote host. cod://bin/sshauth.sh helps add the public key to a number of hosts. Usually the program is installed in /thinker/bin

bin:rc//sshauth adds the public key to a single user's authorized_keys file on a single host. ./sshauth prints the usage info.

Usage:
Code:
./auth.sh pcf_file

The pcf_file format is as below:
Code:
user:the username on the remote host that should be able to log in via ssh without a password
keypub:the public ssh key file name, assumed to be under the .ssh/ dir
ipcount:the number of hosts/ips
ipX:the hostname/ip of the X-th one
portX:the port of the X-th one, optional, default is 22

An example:
Code:
user: testuser
keypub: id_rsa.pub
ipcount: 2
ip1: 10.16.99.90
port1: 22
ip2: 10.16.99.91

Design:
Code:
# read $user, $keypub, $ipcount, $ipX/$portX (X is 1,2..) from shell arguments;
# $keypub is resolved under the .ssh/ dir

for i in $(seq 1 "$ipcount"); do
    ip="ip$i"; port="port$i"    # indirect expansion picks $ip1/$port1, $ip2/$port2, ...
    ssh -p "${!port:-22}" "$user@${!ip}" "[[ ! -d ~/.ssh ]] && mkdir -p ~/.ssh && chmod 700 ~/.ssh; echo $(cat "$keypub") >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"
done
----
20151019/gl: Slightly improve wording.
20160227/cwt: add concurrent version info.
20180305/cwt: add design info.
20180306/cwt: update design/usage info to latest one.
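The PCF layout and the per-host loop above, worked through as an added example (not the project's sshauth/auth.sh script, and the helper names pcf_value, pcf_targets, remote_cmd and sample_pcf are assumptions): it parses a constructed PCF file that matches the example, defaults a missing portX to 22, fails on a missing ipX, and builds a remote command that appends the key only once and applies the chmod 600 noted later in the thread. The ssh invocation is only printed (dry run) so it can be checked offline.

```bash
#!/bin/bash
# Added example, not the project's own code. Parses the head post's PCF layout
# and prints one "user keypub host port" line per target (hypothetical helpers).

# pcf_value FILE KEY -> value of the first "KEY: value" line (split on first ':')
pcf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# pcf_targets FILE -> "user keypub host port" for i in 1..ipcount; port defaults to 22
pcf_targets() {
    local file=$1 user keypub ipcount i ip port
    user=$(pcf_value "$file" user)
    keypub=$(pcf_value "$file" keypub)
    ipcount=$(pcf_value "$file" ipcount)
    case $ipcount in ''|*[!0-9]*) echo "bad or missing ipcount" >&2; return 1;; esac
    for i in $(seq 1 "$ipcount"); do
        ip=$(pcf_value "$file" "ip$i")
        [ -n "$ip" ] || { echo "ip$i missing" >&2; return 1; }   # failure mode: gap in the list
        port=$(pcf_value "$file" "port$i")
        printf '%s %s %s %s\n' "$user" "$keypub" "$ip" "${port:-22}"
    done
}

# remote_cmd KEYLINE -> command run on each host: create ~/.ssh with mode 700,
# append the key only if it is not already present, then enforce mode 600.
remote_cmd() {
    printf '%s' "mkdir -p ~/.ssh && chmod 700 ~/.ssh; grep -qxF '$1' ~/.ssh/authorized_keys 2>/dev/null || echo '$1' >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"
}

# Constructed sample PCF (same values as the head post's example); returns its path.
sample_pcf() {
    local f; f=$(mktemp)
    printf 'user: testuser\nkeypub: id_rsa.pub\nipcount: 2\nip1: 10.16.99.90\nport1: 22\nip2: 10.16.99.91\n' > "$f"
    echo "$f"
}

# Dry run: show the ssh command per target; a real run would substitute
# "$(cat ~/.ssh/$keypub)" for the placeholder key line.
main() {
    local pcf; pcf=$(sample_pcf)
    pcf_targets "$pcf" | while read -r user keypub ip port; do
        echo "ssh -p $port $user@$ip \"$(remote_cmd "<contents of ~/.ssh/$keypub>")\""
    done
    rm -f "$pcf"
}
main
```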
10-19-2015, 06:12 PM
Post: #2
RE: SSH authorization tool
We'd better move this to be with other SSH related stuff.
02-27-2016, 11:13 AM
Post: #3
RE: SSH authorization tool
A concurrent version to add ssh keys is located in the bin:rc//authorize dir. There's a README file that indicates how to use it.
03-28-2016, 12:07 PM
Post: #4
RE: SSH authorization tool
auth.sh should also 'chmod 600 .ssh/authorized_keys'.
03-05-2018, 03:32 PM
Post: #5
RE: SSH authorization tool
The pseudo code of the design is as follows:

Code:
read $user, $keypub, $ips from shell arguments

while one $host read from $ips {
  if not meet EOF {
    concurrent to ssh $user@$host "[[ ! -d ~/.ssh ]] && mkdir -p ~/.ssh && chmod 700 ~/.ssh; echo `cat $keypub` >> ~/.ssh/authorized_keys"
  }
}
03-05-2018, 03:36 PM (This post was last modified: 03-05-2018 03:41 PM by xwcwt.)
Post: #6
RE: SSH authorization tool
(03-05-2018 03:32 PM)xwcwt Wrote:  The pseudo code of the design is as follows:

Code:
read $user, $keypub, $ips from shell arguments

while one $host read from $ips {
  if not meet EOF {
     ssh $user@$host "[[ ! -d ~/.ssh ]] && mkdir -p ~/.ssh && chmod 700 ~/.ssh; echo `cat $keypub` >> ~/.ssh/authorized_keys"
  }
}

Driving example: http://tab.d-thinker.org/showthread.php?tid=3701&pid=6634 , the tool needs to support a non-22 ssh port.

I suggest we use a PCF format file to control such vars, the PCF content can be:

Quote:user:the username
keypub:the public key location
ips:the ips file location
port:the sshd port in remote host defined in ips


Quote:read $user, $keypub, $ips from shell arguments

Change to
Code:
PCF_file=$1
read $user, $keypub, $ips from $PCF_file by LearnPCF.

RR zma.
03-05-2018, 05:27 PM
Post: #7
RE: SSH authorization tool
(03-05-2018 03:36 PM)xwcwt Wrote:  
Quote:ips:the ips file location
port:the sshd port in remote host defined in ips

Using PCF sounds good to me.

ips may be in the PCF too in a string separated by ','.

There may be multiple IPs. But there is one port.

I suggest using the resource locator format for ips and ports like:

ip1:port1,ip2:port2,ip3,ip4

Default port can be '22'.
03-05-2018, 05:51 PM
Post: #8
RE: SSH authorization tool
(03-05-2018 05:27 PM)zma Wrote:  
(03-05-2018 03:36 PM)xwcwt Wrote:  
Quote:ips:the ips file location
port:the sshd port in remote host defined in ips

Using PCF sounds good to me.

ips may be in the PCF too in a string separated by ','.

There may be multiple IPs. But there is one port.

I suggest using the resource locator format for ips and ports like:

ip1:port1,ip2:port2,ip3,ip4

Default port can be '22'.

My miss, yes, there should be a port definition for each ip.

I guess LearnPCF does not support parsing ip1:port1,ip2:port2,ip3,ip4; in my test $ip1 will just be 'port1,ip2:port2,ip3,ip4'. What I thought is that we need to separate by ',' first and then parse the key:value. @zma, do you have another suggestion to do this easily?

Or the PCF file format for ips could be:

ipcount:5
ip1:xxx
port1:xxx
ip2:yyy
port2:yyyy
...
03-05-2018, 06:20 PM
Post: #9
RE: SSH authorization tool
(03-05-2018 05:51 PM)xwcwt Wrote:  I guess LearnPCF does not support parsing ip1:port1,ip2:port2,ip3,ip4; in my test $ip1 will just be 'port1,ip2:port2,ip3,ip4'. What I thought is that we need to separate by ',' first and then parse the key:value. @zma, do you have another suggestion to do this easily?

Or the PCF file format for ips could be:

ipcount:5
ip1:xxx
port1:xxx
ip2:yyy
port2:yyyy
...

What I thought was like this

hostports: ip1:port1,ip2:port2,ip3,ip4

Your suggested way looks good to me too. You can choose whichever one looks good to you.
03-06-2018, 10:56 AM
Post: #10
RE: SSH authorization tool
(03-05-2018 06:20 PM)zma Wrote:  
(03-05-2018 05:51 PM)xwcwt Wrote:  I guess LearnPCF does not support parsing ip1:port1,ip2:port2,ip3,ip4; in my test $ip1 will just be 'port1,ip2:port2,ip3,ip4'. What I thought is that we need to separate by ',' first and then parse the key:value. @zma, do you have another suggestion to do this easily?

Or the PCF file format for ips could be:

ipcount:5
ip1:xxx
port1:xxx
ip2:yyy
port2:yyyy
...

What I thought was like this

hostports: ip1:port1,ip2:port2,ip3,ip4

Your suggested way looks good to me too. You can choose whichever one looks good to you.

I used the way I commented on above. Committed in 3a19ba682311571a0b485fa7e2ae745e6884775a . Updating the head post.