这是我的配置:
服务器A:通过ssh触发命令.
ssh user@serverB "sudo -E /path/to/script.sh"
服务器B:执行需要密码短语签名的脚本.
系统信息:Ubuntu 12.04
我在服务器B上设置了gpg-agent,我已将此配置添加到/home/user/.bashrc:
Invoke GnuPG-Agent the first time we login.
# Does `~/.gpg-agent-info' exist and points to gpg-agent process accepting signals?
if test -f $HOME/.gpg-agent-info && \
kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info | cut -c 16-`
else
# No,gpg-agent not available; start gpg-agent
eval `gpg-agent --daemon --write-env-file $HOME/.gpg-agent-info`
fi
export GPG_TTY=`tty`
export GPG_AGENT_INFO
以下是/home/user/.gnupg/gpg-agent.conf中代理的配置:
enable-ssh-support #1 year cache support default-cache-ttl 31536000 default-cache-ttl-ssh 31536000 max-cache-ttl 31536000 max-cache-ttl-ssh 31536000 #debug-all
所以为了使这个工作,我通过ssh连接到serverB:
ssh user@serverB
gpg-agent启动,我手动触发脚本:
sudo -E /path/to/script.sh
然后,gpg-agent提示我要求密码,一旦我设置了密码,我就可以再次运行脚本,并且它正在执行其任务而不需要传递密码.
我的问题是,当我试图远程触发时,例如,途经:
ssh user@serverB "sudo -E /path/to/script.sh"
似乎gpg-agent无法正常工作,因为脚本一直在问我一个密码短语.
编辑:
我已将以下内容添加到/etc/sudoers.d/user,以便在没有sudo密码的情况下远程触发脚本并保留环境变量:
user ALL=(ALL)NOPASSWD:SETENV:/path/to/script.sh
有任何想法吗?
但是当你运行ssh user @ serverB“sudo -E /path/to/script.sh时,你每次都在进行新的登录,我不认为ssh-agent会支持在单独的SSH登录中保存密码.
钥匙串似乎可以满足您的需求:http://www.funtoo.org/Keychain
With keychain,you only need to enter a passphrase once every time your local machine is rebooted. Keychain also makes it easy for remote cron jobs to securely “hook in” to a long running ssh-agent process,allowing your scripts to take advantage of key-based logins.
The current version of keychain supports gpg-agent as well as ssh-agent.
