
SSH / SCP Wrapper

2 februari 2006

My company has a lot of servers that I have to log in to with ssh, and copy files to with scp, several times a day. I didn't want to type in my password every time, so I decided to use ssh's built-in authorized_keys feature. It is not very secure to use one key for all servers, so I wrote a small shell script that looks for the right key every time I use ssh or scp. To be more secure, I put the keys on an encrypted filesystem on a USB stick.

#!/bin/bash

# shell script around scp/ssh that looks for keys according to the hostname argument of scp/ssh
# your keys should be named <HOSTNAME>_id_dsa (or modify this script)
# in the howto below you should replace <$VARNAMES> with the value you assign to it
# to create ssh keys type:
#   ssh-keygen -t dsa -f $CRYPT_PATH/<HOSTNAME>_id_dsa
# add the contents of $CRYPT_PATH/<HOSTNAME>_id_dsa.pub to ~/.ssh/authorized_keys on that server
# if this file does not exist, simply copy $CRYPT_PATH/<HOSTNAME>_id_dsa.pub to ~/.ssh/authorized_keys

# save this file as $SCP_WRAPPER anywhere in your $PATH
# and add a symbolic link to the same file:
# ln -s $SCP_WRAPPER $SSH_WRAPPER
# finally add these lines to your ~/.bashrc file:
#  alias scp="/PATH/TO/$SCP_WRAPPER"
#  alias ssh="/PATH/TO/$SSH_WRAPPER"

################ CONFIGURATION ################
# Mount point of the encrypted volume holding the per-host keys, and the
# device-mapper node that cryptsetup is asked about before mounting it.
CRYPT_PATH="/media/crypt"
CRYPT_MAPPER_PATH="/dev/mapper/crypt"

# Names this script is invoked as.  The basename of $0 is compared with
# SCP_WRAPPER to pick scp mode; anything else means ssh mode.
SCP_WRAPPER="scp_wrapper.sh"
SSH_WRAPPER="ssh_wrapper.sh"

# The real programs.  SCP carries the -C (compression) flag and is
# therefore expanded unquoted where it is run.
SSH="/usr/bin/ssh"
SCP="/usr/bin/scp -C"

# "1": resolve the typed name with nslookup first, so that several DNS
# names of one server share a single key file.  "0": use the name as typed.
USE_NS_LOOKUP="0"
################             END            ################

# Set later by getServerByHost (HOST) and getKey (KEY).
HOST=""
KEY=""

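# The LSB helpers provide log_begin_msg / log_end_msg, which the functions
# below use for progress output.  Without the guard the script aborts with
# a "No such file" error on systems that do not ship the LSB file, so fall
# back to plain equivalents that keep the same calling convention.
if [ -r /lib/lsb/init-functions ]; then
  . /lib/lsb/init-functions
else
  # Print the message without a newline; log_end_msg completes the line.
  log_begin_msg () { printf '%s' "$*"; }
  # Finish the pending line with a verdict and hand the status back, so
  # callers can use the function the way they use the LSB one.
  log_end_msg ()
  {
    local rc="${1:-0}"
    if [ "$rc" -eq 0 ]; then
      printf ' ...done.\n'
    else
      printf ' ...failed.\n'
    fi
    return "$rc"
  }
fi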

# function to get realhost from ssh/scp argument
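#######################################
# Work out the name the key file is stored under for the host the user typed.
# Globals:   USE_NS_LOOKUP (read), HOST (written)
# Arguments: $1 - host as given on the ssh/scp command line
# Outputs:   progress messages on stdout
# Returns:   0 when HOST was set; 9 when the lookup returned nothing
#            (HOST then falls back to $1)
#######################################
getServerByHost ()
{
  local name="$1"
  local resolved

  if [ "$USE_NS_LOOKUP" = "0" ]; then
    echo "skipping hostname lookup"
    # Assign, do not expand: "$HOST=$1" would try to run a command named "=...".
    HOST="$name"
    return 0
  fi

  log_begin_msg "trying to get servername from $name"
  # First "Name:" line of the nslookup answer, with surrounding whitespace
  # trimmed (the original pattern had lost its backslash and stripped
  # leading "s" characters instead of spaces).
  resolved=$(nslookup "$name" 2>/dev/null | grep Name | cut -d: -f2 | head -n1 \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
  if [ -z "$resolved" ]; then
    log_end_msg 9
    HOST="$name"
    return 9
  fi

  HOST="$resolved"
  log_end_msg 0
  echo "using host $resolved in stead of $name"
  return 0
}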

# function that checks if the kyfile exists
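#######################################
# True when cryptsetup reports the mapper device as active.  Whole-word
# match so that an "inactive" report does not count as active.
# Globals:   CRYPT_MAPPER_PATH (read)
#######################################
cryptIsActive ()
{
  sudo cryptsetup status "$CRYPT_MAPPER_PATH" 2>/dev/null | grep -qw active
}

#######################################
# Make sure the encrypted volume is open and mounted, then look for the
# key file belonging to a host.
# Globals:   CRYPT_PATH, CRYPT_MAPPER_PATH (read), KEY (written)
# Arguments: $1 - host name the key file is named after (<host>_id_dsa)
# Outputs:   progress messages on stdout
# Returns:   0 when KEY points at an existing file, 9 otherwise
#######################################
getKey ()
{
  local rc

  if [ -z "$1" ]; then
    echo "key lookup needs a hostname"
    return 9
  fi

  if ! cryptIsActive; then
    log_begin_msg "/etc/init.d/cryptdisks not started: trying to start it now"
    sudo /etc/init.d/cryptdisks start 2>/dev/null
    # Re-check the configured device (not a hard-coded path) after starting.
    if ! cryptIsActive; then
      log_end_msg 9
      return 9
    fi
    log_end_msg 0
  fi

  # Match the exact mount point in the mount table, not any path that
  # merely contains it (e.g. /media/crypt2); -F keeps the path literal.
  if ! mount | grep -qF -- " on $CRYPT_PATH "; then
    log_begin_msg "encrypted disk not mounted, mount now"
    mount "$CRYPT_PATH"
    rc=$?
    log_end_msg "$rc"
    # Without the mount there is no key to find; do not fall through to a
    # lookup on the bare mount point directory.
    [ "$rc" -eq 0 ] || return 9
  fi

  KEY="$CRYPT_PATH/${1}_id_dsa"
  if [ -f "$KEY" ]; then
    echo "using key $KEY"
    return 0
  fi
  echo "key [$KEY] not found"
  return 9
}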

# function that checks for correct argument count
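#######################################
# Stop the wrapper, showing the wrapped program's own usage text, when too
# few arguments were given.
# Arguments: $1 - program to run without arguments (it prints its usage)
#            $2 - minimum number of arguments required
#            $3 - number of arguments actually given
# Returns:   0 when enough arguments were given; otherwise the script
#            exits with the status of $1
#######################################
paramcheck ()
{
  local min="$2" given="$3"
  # Compare the given count with the required minimum (comparing $3 with
  # itself, as before, could never fire).
  if [ "$given" -lt "$min" ]; then
    "$1"
    exit $?
  fi
}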

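#######################################
# Print the host part of the first "[user@]host:path" operand of an scp
# command line (everything before the first colon); print nothing and
# return 1 when there is no such operand.  Options such as "-P 2222" are
# skipped.
# Arguments: the scp command line
#######################################
scpHostArgument ()
{
  local arg
  for arg in "$@"; do
    case "$arg" in
      -*) ;;
      *:*) printf '%s\n' "${arg%%:*}"; return 0 ;;
    esac
  done
  return 1
}

# Mode is chosen by the name the script was invoked as (see the
# SCP_WRAPPER / SSH_WRAPPER settings above).  SCP/SSH may hold a program
# plus flags, so split them into an array instead of expanding a string.
if [ "$(basename -- "$0")" = "$SCP_WRAPPER" ]; then
  paramcheck scp 2 $#
  hostArgument=$(scpHostArgument "$@")
  read -r -a EXECUTABLE <<<"$SCP"
else
  paramcheck ssh 1 $#
  hostArgument=$1
  read -r -a EXECUTABLE <<<"$SSH"
fi

# Key options for the real program, kept as an array so a key path with
# spaces survives; empty means "no key found".
KEYARGS=()
retval=0

# Shortcut: a key named after the host argument exactly as typed (for scp
# this is the extracted host, not the first operand).
if [ -n "$hostArgument" ] && [ -f "$CRYPT_PATH/${hostArgument}_id_dsa" ]; then
  KEY="$CRYPT_PATH/${hostArgument}_id_dsa"
  KEYARGS=(-i "$KEY")
  echo "found key $KEY, skipping everything else"
else
  getServerByHost "$hostArgument"
  retval=$?
fi

if [ "${#KEYARGS[@]}" -eq 0 ]; then
  if [ "$retval" -eq 0 ]; then
    if getKey "$HOST"; then
      KEYARGS=(-i "$KEY")
    fi
  else
    echo "fallback to normal operation of $(basename -- "${EXECUTABLE[0]}")"
    # "$@" keeps every argument intact (unlike $*, which re-splits on
    # whitespace); the wrapper's own status 9 is kept for the no-key case.
    "${EXECUTABLE[@]}" "$@"
    exit 9
  fi
fi

exec "${EXECUTABLE[@]}" "${KEYARGS[@]}" "$@"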