Cannot get bash script to respond to pending prompt

My access to ssh is limited by the Google Authenticator verification code prompt. I would like to have a script that programmatically responds to this prompt.

Context

  • The variable ($1) is correctly passed to the script - this is the confirmation code.
  • The sshfs command works in the terminal.
  • A "Verification code:" prompt followed by a space appears on the command line, with a key symbol at the end.

[EDIT] To make sure we don't get into the security discussion here, please note that, of course, I also use SSH keys, as well as this Google Authenticator. Since the authentication code expires every x seconds, it does not matter that others can intercept it.

Result

The drive is mounted (I see it with df -h), but it's empty ... Is this the same behavior as with a wrong verification code, or maybe it does not have time to execute?

Shell script:

    #!/bin/bash

    expect_sh=$(expect -c "
        spawn /usr/local/bin/sshfs username@123.123.1.123:/path/to/folder/RAID1 /Users/username/Desktop/RAID1 -o defer_permissions -o volname=RAID1
        expect \"Verification code:\"
        send \"$1\r\";
    ")

    echo "$expect_sh"

Thanks

+4
3 answers

I'm afraid I have to answer no.

There are some problems:

  • Having a password as an argument can show your password to other users with a simple

    ps axw

  • Having a password stored in a variable can expose your password to other users with a simple

    ps axeww

  • A password passed through STDIN can be easily tracked.

For this and many other reasons ssh (and sftp) refuse to pass secrets through arguments, variables or STDIO.

, ( TTY X DISPLAY).

, expect ssh.

.

ssh, :

    ssh-keygen -b 4096
    Enter file in which to save the key (/home/user/.ssh/id_rsa): 
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /home/user/.ssh/id_rsa.
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:q/2fX/Hello/World/Lorem/Ipsum/Dolor/Sit/Amet user@localhst
    The key randomart image is:
    +---[RSA 4096]----+
    |          .=o=E.o|
    |      .. o= o    |
    |     o+ +=...    |
    |     .o+ o+o.    |
    |   . +.oS.oo     |
    |  . *.= .  ...   |
    |   o =.     oo.  |
    |  ...        +o. |
    | .ooo       oooo.|
    +----[SHA256]-----+

/home/user/.ssh/id_rsa.pub authorized_keys , ( $HOME/.ssh/ /etc), , sshd.conf ).

+3
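The first answer's `ps axw` point, as an added example that is not part of the original posts: a stand-in for the wrapper script receives a constructed code once as an argument (as `$1` does in the question's script) and once on stdin, and the script checks whether the code appears in the child's command line. The `wrapper` name and the `123456` value are assumptions made for the illustration; the environment and STDIN points of that answer are not covered here.

```bash
#!/bin/bash
# Added example (not from the original posts).
CODE='123456'   # constructed sample value, not a real verification code

# Print the command line of PID $1 the way ps shows it to local users.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -ww -o args= -p "$1"
    fi
}

# Inspect a still-running child, then stop it. Returns 0 if CODE is visible.
# The match uses a shell builtin so CODE is not put into another argv.
visible_in_ps() {
    sleep 1                                  # give the child time to exec
    case "$(cmdline_of "$1")" in
        *"$CODE"*) rc=0 ;;
        *)         rc=1 ;;
    esac
    kill "$1" 2>/dev/null
    wait "$1" 2>/dev/null
    return "$rc"
}

# Stand-in wrapper (hypothetical): the code arrives as an argument.
code_as_argument_leaks() {
    sh -c 'sleep 3; :' wrapper "$CODE" &
    visible_in_ps "$!"
}

# Same stand-in, but the code arrives on stdin and is read into a variable.
code_on_stdin_leaks() {
    printf '%s\n' "$CODE" | sh -c 'read -r code; sleep 3; :' wrapper &
    visible_in_ps "$!"
}

code_as_argument_leaks && echo "argument: code visible in the process list"
code_on_stdin_leaks    || echo "stdin:    code not visible in the process list"
```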

, , , expect .

echo, , , .

expect script. , , , , -

    #!/bin/bash

    t=$(mktemp -t gauthssh.XXXXXXXXXX) || exit
    trap 'rm -f "$t"' EXIT ERR INT HUP TERM  # clean up temp file when done
    # Show expect's output live and keep a copy of it in the temp file
    expect -c "
        spawn /usr/local/bin/sshfs username@123.123.1.123:/path/to/folder/RAID1 /Users/username/Desktop/RAID1 -o defer_permissions -o volname=RAID1
        expect \"Verification code:\"
        send \"$1\r\";
    " | tee "$t"
    expect_sh=$(<"$t")

+2

(1)

script . , .

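    #!/bin/sh

    # Run the command in a detached screen session; its output goes to ./output
    screen -d -m -S sshtest sh -c "ssh -l postgres localhost id > output"

    pass="77c94046"
    ret="$(printf '\r')"   # carriage return that "presses Enter"
    passenter="$pass$ret"

    # Poll a hardcopy of the screen until the password prompt shows up
    while true; do
            screen -S sshtest -X hardcopy
            grep -q 'password:' hardcopy.0 && break
            sleep 1
    done

    grep -v '^$' hardcopy.0
    printf '%s' "$passenter" | xxd   # debug: dump the bytes about to be typed
    screen -S sshtest -X stuff "$pass"
    screen -S sshtest -X stuff "$ret"
    sleep 1
    cat output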

The idea is to set up a screen with your command, which redirects its output to a local file. Then you take a hardcopy of the screen in a loop and look for the expected prompt with grep. Once you find it, use the "stuff" command of screen to type your password into the terminal input (i.e. the screen's pty). Then you will wait a bit and if necessary. This is just proof-of-concept code; a reliable solution would do more error handling and cleanup, and wait for the screen to actually exit.

0

Source: https://habr.com/ru/post/1693579/

