You have noticed when you connect to a new server, if its key is not in ~/.ssh/known_hosts ssh will ask you to verify the key:
raub@desktop:~$ ssh -i $SSHKEY_FILE cc@"$server_ip" The authenticity of host 'headless.example.com (10.0.1.160)' can't be established. ECDSA key fingerprint is SHA256:AgwYevnTsG2m9hQLu/ROp+Rjj5At2HU0HVoGZ+5Ug58. Are you sure you want to continue connecting (yes/no)?
That is a bit of a drag if you want to run a script to connect to said server. Fortunately ssh has an option just for that, StrictHostKeyChecking, as mentioned in the man page:
ssh automatically maintains and checks a database containing identification for all hosts it has ever been used with. Host keys are stored in ~/.ssh/known_hosts in the user's home directory. Additionally, the file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, ssh warns about this and disables password authentication to prevent server spoofing or man-in-the-middle attacks, which could otherwise be used to circumvent the encryption. The StrictHostKeyChecking option can be used to control logins to machines whose host key is not known or has changed.
Now we can rewrite the ssh command as
ssh -o "StrictHostKeyChecking no" -i $SSHKEY_FILE cc@"$server_ip"
and it will login without waiting for us to verify the key. Of course this should only be done when the balance between security and automation meets your comfort level. However, if we run the above from a script, it will connect and just stay there with the session open, not accept any commands. i.e. if we try to send a command, pwd in this case,
ssh -o "StrictHostKeyChecking no" -i $SSHKEY_FILE cc@"$server_ip" pwd
it will never see the pwd. Only way to get to the pwd is to kill the ssh session, when it will then go to the next command but running it in the local host, not the remote one. If we want to run pwd in the host we ssh into, we need to pass it as an argument, i.e.
raub@desktop:/tmp$ pwd /tmpraub@desktop:/tmp$ ssh -o "StrictHostKeyChecking no" -i $SSHKEY_FILE cc@"$server_ip" pwd /home/raub raub@desktop:/tmp$
which means it will connect, run said command, and then exit. But, how to do that from a script? The answer is to use eval or bash -c (or other available shell):
raub@desktop:/tmp$ moo="ssh -o \"StrictHostKeyChecking no\" -i $SSHKEY_FILE cc@$server_ip" raub@desktop:/tmp$ dirlist=$(eval "$moo pwd") raub@desktop:/tmp$ echo $dirlist /home/raub raub@desktop:/tmp$ dirlist2=$(sh -c "$moo pwd") raub@desktop:/tmp$ echo $dirlist2 /home/raub raub@desktop:/tmp$
Now, there are subtle differences between eval and bash -c. There is a good thread in stackexchange which explains them better than I can do.
Now why someone would want to do that?
How about doing some poor-man ansible, i.e. when host on the other side does not have python or has some other idiosyncrasy. Like my home switch, but that is another story...
No comments:
Post a Comment