SSH Again

Jan 19, 2016

I’ve written a few articles now regarding my SSH setup and my .bashrc and .bash_profile files. I think I finally arrived at a configuration that’s good, and I’d like to share my findings.

This is the complete content of my ~/.bash_profile:

# if a directory exists, add it to $PATH
__add_path_head() {
    if [ -d "$1" ]; then
        if [ -n "${PATH}" ]; then
            PATH="$1:${PATH}"
        else
            PATH="$1"
        fi
    fi
}

export PATH
__add_path_head "${HOME}/local/bin"
__add_path_head "${HOME}/local/sbin"
__add_path_head "${HOME}/opt/arcanist/bin"

export GOPATH="${HOME}/gocode"
if [ ! -d "${GOPATH}/bin" ]; then
    mkdir -p "${GOPATH}/bin"
fi
__add_path_head "${GOPATH}/bin"

# Try to find an already running ssh-agent process
foundagent=0
for agentsock in $(find /tmp/ssh-* -name 'agent.*' -type s 2>/dev/null); do
    export SSH_AUTH_SOCK="${agentsock}"
    ssh-add -l &>/dev/null
    # 0 means the agent had keys, 1 means the agent is properly configured but
    # has no keys, 2 would mean that the SSH_AUTH_SOCK is invalid
    if [ $? -lt 2 ]; then
        foundagent=1
        break
    fi
done

# If no ssh-agent process was found, create a new one
if [ "${foundagent}" -eq 0 ]; then
    source <(ssh-agent)
fi

# source .bashrc if we're on a tty
test -t 0 && source ~/.bashrc

The relevant points are:

  • I set up PATH for my locally installed programs and for Go binaries
  • I find any existing ssh-agent process that can be connected to
  • I start an ssh-agent process if there is no connectable process running
  • if stdin is a TTY then I source ~/.bashrc
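
As an added example (not code from the original post), here is a version of the agent-discovery logic that handles the three `ssh-add -l` exit statuses explicitly, only considers sockets owned by the current user, and prefers an agent that already holds keys over an empty one left behind by an earlier session. The SSH_ADD_CMD and SSH_AGENT_DIR variables are assumed tunables introduced so the selection logic can be exercised without a live agent; they are not part of the original setup.

```shell
# Added example, not from the original post.  SSH_ADD_CMD and SSH_AGENT_DIR
# are assumed tunables (defaults: the real ssh-add, and /tmp).
: "${SSH_ADD_CMD:=ssh-add}"
: "${SSH_AGENT_DIR:=/tmp}"

# Probe one socket.  Prints keys|empty|dead and returns 0 only if an agent
# answers on it.  ssh-add -l exit statuses:
#   0 -> agent reachable and holds identities
#   1 -> agent reachable but holds no identities
#   2 -> no agent can be reached through this socket
probe_agent_socket() {
    local sock="$1" rc
    if SSH_AUTH_SOCK="$sock" "$SSH_ADD_CMD" -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) echo keys;  return 0 ;;
        1) echo empty; return 0 ;;
        *) echo dead;  return 1 ;;
    esac
}

# Pick the best socket among the arguments: the first one whose agent holds
# keys, otherwise the first reachable-but-empty one.  Prints the chosen path;
# returns 1 when no socket has a live agent behind it.
select_agent_socket() {
    local sock state empty_sock=""
    for sock in "$@"; do
        state=$(probe_agent_socket "$sock") || continue
        case "$state" in
            keys)  printf '%s\n' "$sock"; return 0 ;;
            empty) [ -n "$empty_sock" ] || empty_sock="$sock" ;;
        esac
    done
    [ -n "$empty_sock" ] && printf '%s\n' "$empty_sock"
}

# Enumerate $SSH_AGENT_DIR/ssh-*/agent.* sockets owned by the current user
# (other users' agent directories are mode 0700 anyway, so skip them), export
# the chosen socket, or start a fresh agent when none answers.
find_ssh_agent() {
    local candidates chosen
    candidates=$(find "$SSH_AGENT_DIR" -mindepth 2 -maxdepth 2 -type s \
                      -user "$(id -un)" -path "$SSH_AGENT_DIR/ssh-*/agent.*" \
                      2>/dev/null)
    # Socket paths contain no whitespace, so plain word splitting is safe here.
    if chosen=$(select_agent_socket $candidates); then
        SSH_AUTH_SOCK="$chosen"
        export SSH_AUTH_SOCK
    else
        eval "$(ssh-agent -s)" >/dev/null
    fi
}
```

Calling `find_ssh_agent` from `~/.bash_profile` replaces the for loop above. Preferring an agent that already holds keys matters because /tmp tends to accumulate sockets from earlier logins, and a first-match rule can silently attach to an empty one, after which every new shell prompts for the passphrase again.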

The code that I have for detecting an SSH agent is not comprehensive; it assumes that you’re using the actual ssh-agent program, which puts agent sockets in a predictable place. If you want something that handles more edge cases (e.g. OS X or the GNOME keyring), Wayne Walker has a project on GitHub called ssh-find-agent which can handle those cases (but is a lot more complicated).


If you paid close attention you may have noticed that no SSH keys are automatically loaded. You can sort of do this with pam_ssh or gnome-keyring but AFAIK neither supports the new SSH protocol 2 private keys (i.e. as generated by ssh-keygen -o), and gnome-keyring has other bugs that I’ve blogged about earlier (e.g. you can’t remove keys from it).

I also want my SSH encryption key to be different from my login password, and AFAIK pam_ssh requires that the two be the same.


Instead what I do is have some wrapper functions in my ~/.bashrc that load keys into my ssh-agent the first time a key is needed. The relevant code from my ~/.bashrc file is:

ensure_ssh() {
    /usr/bin/ssh-add -l &>/dev/null || /usr/bin/ssh-add
}

ssh() {
    ensure_ssh
    /usr/bin/ssh "$@"
}

rsync() {
    ensure_ssh
    /usr/bin/rsync "$@"
}

unset SSH_ASKPASS

The first time I run ssh or rsync I’m prompted for a key and then it is loaded into my agent. I also unset SSH_ASKPASS as I dislike the graphical SSH password manager that GNOME sets during login.
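
The following is an added example, not the ~/.bashrc code from the post: the same lazy-loading wrappers, but with `ssh-add -t` so that loaded keys expire from the agent after a fixed lifetime instead of staying resident until logout, and with `command` used to resolve the real binaries rather than hard-coded /usr/bin paths. SSH_ADD_CMD and SSH_KEY_LIFETIME are assumed variable names, and the 4h default is a constructed value.

```shell
# Added example, not the post's own code.  SSH_ADD_CMD and SSH_KEY_LIFETIME are
# assumed tunables; the 4h default is a constructed choice.
: "${SSH_ADD_CMD:=ssh-add}"
: "${SSH_KEY_LIFETIME:=4h}"

# Never let a graphical askpass helper take over passphrase entry in a terminal.
unset SSH_ASKPASS

# True when the agent already holds at least one identity (ssh-add -l exits 0).
agent_has_keys() {
    "$SSH_ADD_CMD" -l >/dev/null 2>&1
}

# Load keys on first use only, with -t so they are removed from the agent
# after SSH_KEY_LIFETIME rather than living for the whole login session.
ensure_ssh() {
    if agent_has_keys; then
        return 0
    fi
    "$SSH_ADD_CMD" -t "$SSH_KEY_LIFETIME"
}

# Wrappers: `command` finds the real binary through PATH instead of a fixed
# /usr/bin path, and the wrapped program's exit status is what the caller sees.
# If loading fails (e.g. the passphrase prompt is cancelled) the command still
# runs and ssh falls back to its own passphrase prompt.
ssh() {
    ensure_ssh || printf 'warning: no key loaded into the agent\n' >&2
    command ssh "$@"
}

scp() {
    ensure_ssh || printf 'warning: no key loaded into the agent\n' >&2
    command scp "$@"
}

rsync() {
    ensure_ssh || printf 'warning: no key loaded into the agent\n' >&2
    command rsync "$@"
}
```

A lifetime bounds how long a key stays usable through a hijacked or forwarded agent connection after you stop working. `ssh-add -c`, which asks for confirmation on every signature, is the stricter alternative, but it needs an askpass program to display the prompt, which this setup deliberately unsets.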

Reposted from blog.csdn.net/ccmedu/article/details/103737835