Automatic connection to a remote machine using SSH

Introduction

To log in to a remote server automatically with an SSH key pair whose private key is protected by a non-empty passphrase, first generate the pair on your local machine (RSA here; -t ed25519 is the better choice on a current OpenSSH):

ssh-keygen -t rsa

This produces the private key ~/.ssh/id_rsa, which never leaves your machine, and the public key ~/.ssh/id_rsa.pub. Append the content of the public key (cat it, man cat, or use ssh-copy-id) to the ~/.ssh/authorized_keys file of the account you want to use on the remote machine (/root/.ssh/authorized_keys if that account is root, which the Notes below advise against). You then get access to that machine by invoking:

ssh user@remoteMachine

and when SSH asks:

Enter passphrase for key '~/.ssh/id_rsa':

type the passphrase chosen when the key pair was generated.
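The installation step above is usually done by hand with cat. The script below is an added example, not part of the original page, that does it the way a careful administrator would: it refuses anything that is not a public-key line, creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes expects (700 and 600), never adds the same key twice even if run repeatedly, and can prefix the entry with authorized_keys options such as restrict,from="..." to limit what the key may do. Paths are taken as arguments so it works for a test directory as well as a real account; the key lines shown in the comments are constructed placeholders, not real keys.

```bash
#!/usr/bin/env bash
# Added example: install a public key into an authorized_keys file the safe way.
set -eu

# install_pubkey PUBKEY_LINE AUTHORIZED_KEYS_PATH [OPTIONS]
#   PUBKEY_LINE  one line of id_rsa.pub / id_ed25519.pub: "<type> <blob> [comment]"
#   OPTIONS      optional authorized_keys options, e.g. 'restrict,from="10.0.0.0/8"'
# Returns 1 if the line does not look like a public key; never writes duplicates.
install_pubkey() {
  local pubkey="$1" authfile="$2" opts="${3:-}" sshdir blob
  sshdir=$(dirname "$authfile")
  blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  case "$blob" in
    AAAA*) ;;   # every OpenSSH key blob is base64 of a length-prefixed type, so it starts with AAAA
    *) echo "install_pubkey: not a public key line: $pubkey" >&2; return 1 ;;
  esac
  # sshd (StrictModes yes, the default) ignores authorized_keys that others can write to
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$authfile"
  chmod 600 "$authfile"
  # match on the key blob, so the same key is found whatever comment or options it carries
  if grep -qF -- "$blob" "$authfile"; then
    return 0
  fi
  printf '%s\n' "${opts:+$opts }$pubkey" >> "$authfile"
}

# count_keys AUTHORIZED_KEYS_PATH: number of key entries (blank and comment lines ignored)
count_keys() {
  grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# file_mode PATH: octal permission bits, on GNU (stat -c) as well as BSD/macOS (stat -f)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on a real account (constructed key line, not a real key):
#   install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleBlob me@laptop' \
#                  "$HOME/.ssh/authorized_keys" 'restrict,from="10.0.0.0/8"'
```

The options prefix is where the security gain is: restrict turns off port forwarding, agent forwarding, X11 and pty allocation for that key, and from= rejects the key from any other source address, so a stolen key is worth much less.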

To avoid typing the passphrase for every connection, you can use the connect.sh script below, which works together with expect (man expect). Be aware of what this costs: the passphrase is stored in clear text in the expect script, so anyone who can read that file can use the key, and the protection the passphrase gives against a copied id_rsa is gone. Keep the file readable by you only (chmod 700 ~/.add-rsa), and where it is practical prefer loading the key into ssh-agent once per session with ssh-add, typing the passphrase by hand.

To call the script conveniently, add the following alias to your ~/.bashrc or ~/.alias file:

alias remoteMachine="~/connect.sh -t remoteMachine"

so that typing remoteMachine in a terminal logs you into the remote machine.

The .add-rsa expect script

As mentioned above, the main script relies on a companion file that uses expect (Exploring Expect: A Tcl-Based Toolkit for Automating Interactive Programs, Don Libes, 602 pp., ISBN 1-56592-090-2, O'Reilly and Associates, 1995) to type the passphrase. Replace "Here is your passphrase" with your own passphrase; the file must be executable, because connect.sh runs it directly, and readable by nobody else (chmod 700 ~/.add-rsa).

#! /usr/bin/expect
# Add my RSA key to ssh-agent, typing its passphrase for me.
# Replace "Here is your passphrase" with the real passphrase and keep this
# file readable and executable by you only (chmod 700).
 
spawn ssh-add
# ssh-add prompts "Enter passphrase for /home/me/.ssh/id_rsa:"
expect "id_rsa:"
send "Here is your passphrase\n"
expect eof
exit

The connect.sh bash script

Below is the connect.sh file, which makes an automatic connection to a remote server.

#! /bin/bash
#
# To use this script, you need an SSH key pair:
# 1) ssh-keygen -t rsa // this produces ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public)
# 2) cat ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys of your target machine
# 3) use this script as connect.sh -t myTargetMachine [ -u aUserName -r anExpectFile ]
#
# The expect file contains the passphrase you entered in step 1) above, in
# clear text: keep it readable and executable by you only (chmod 700 ~/.add-rsa).
 
 
target=""
# $USERNAME is not set by every shell or system; fall back to $USER, then to id(1)
username=${USERNAME:-${USER:-$(id -un)}}
expectBin="/usr/bin/expect"
# default expect file; -r may name another one, absolute or relative to the current directory
expectFile="$HOME/.add-rsa"
 
function usage(){
	echo "Usage:"
	echo "$0 -t targetHostname [-u username -r expectFile]"
	exit 1
}
 
 
while getopts ":r:t:u:" optname
do
	case "$optname" in
		"t")
			target=$OPTARG
			;;
		"u")
			username=$OPTARG
			;;
		"r")
			expectFile=$OPTARG
			;;
		"?")
			echo "Unknown option $OPTARG"
			usage
			;;
		":")
			echo "No argument value for option $OPTARG"
			usage
			;;
		*)
		# Should not occur
			echo "Unknown error while processing options"
			;;
	esac
done
 
 
if [[ -z $target ]]; then
	usage
fi
 
echo "Connecting to $target as $username..."
 
# Check the prerequisites before starting an agent, so a failure leaves no orphan ssh-agent behind
if [[ ! -x $expectBin ]]; then
	echo "$expectBin either does not exist or is not executable!"
	exit 1
fi
 
if [[ ! -x $expectFile ]]; then
	echo "$expectFile either does not exist or is not executable!"
	exit 1
fi
 
# The expect file holds the passphrase in clear text: refuse to use it if the
# group or others can read it (columns 5-10 of ls -l are the group/other bits)
if [[ $(ls -ld "$expectFile" | cut -c5-10) == *r* ]]; then
	echo "$expectFile is readable by other users; chmod 700 it first!"
	exit 1
fi
 
# Run a private ssh-agent for this connection (-s: Bourne-shell style output for eval)
eval "$(ssh-agent -s)" > /dev/null
#echo "$SSH_AGENT_PID"
 
# Use Expect to feed the passphrase to ssh-add
"$expectFile" > /dev/null
# connect to $target
ssh "$username@$target"
 
# Stop the ssh-agent started above; ssh-agent -k sends it SIGTERM (using $SSH_AGENT_PID)
# so it can remove its socket, which a kill -9 would leave behind in /tmp
ssh-agent -k > /dev/null
 
# Remaining ssh-agent processes of this user, if any (PIDs)
echo "List of the remaining ssh-agent:"
pgrep -u "$username" -x ssh-agent
 
#To kill all your ssh-agent processes use this:
#pkill -u "$username" -x ssh-agent
 
echo "End of $target connection... good bye!"
exit 0

You can invoke this script by doing:

./connect.sh -t targetMachine
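The expect approach works, but it writes the passphrase to disk and starts and kills a fresh ssh-agent for every connection. The script below is an added example and not the page's connect.sh: it keeps one agent per login session, cached in an environment file readable only by you, asks for the passphrase once with ssh-add -t so the agent forgets the key after a lifetime, and then lets ssh authenticate through the agent with no passphrase stored anywhere. The environment file path ~/.ssh/agent.env, the key file ~/.ssh/id_rsa (with its .pub beside it), and the 8h lifetime are assumptions you can change.

```bash
#!/usr/bin/env bash
# Added example, not the page's connect.sh: one ssh-agent per login session,
# passphrase typed once with a lifetime, nothing on disk but the agent's
# socket path. Assumptions: key ~/.ssh/id_rsa with ~/.ssh/id_rsa.pub beside it,
# agent environment cached in ~/.ssh/agent.env, 8h key lifetime.
set -eu

AGENT_ENV="${AGENT_ENV:-${HOME:-/tmp}/.ssh/agent.env}"

# agent_alive: true if SSH_AGENT_PID is a live process and SSH_AUTH_SOCK a socket
agent_alive() {
  [ -n "${SSH_AGENT_PID:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ] \
    && kill -0 "$SSH_AGENT_PID" 2>/dev/null && [ -S "$SSH_AUTH_SOCK" ]
}

# load_agent_env FILE: import a cached "ssh-agent -s" environment
# (its SSH_AUTH_SOCK / SSH_AGENT_PID exports; the "echo Agent pid" line is silenced)
load_agent_env() {
  [ -r "$1" ] || return 1
  # shellcheck disable=SC1090
  . "$1" > /dev/null
}

# ensure_agent FILE: reuse the cached agent if it is still alive, otherwise
# start one and cache its environment with owner-only permissions (umask 077)
ensure_agent() {
  if load_agent_env "$1" && agent_alive; then
    return 0
  fi
  (umask 077; ssh-agent -s > "$1")
  load_agent_env "$1"
  agent_alive
}

# add_key_once KEYFILE LIFETIME: prompt for the passphrase only if the key's
# fingerprint is not already listed by ssh-add -l; -t makes the agent drop the
# key after LIFETIME, so a forgotten terminal does not hold it forever
add_key_once() {
  local fp
  fp=$(ssh-keygen -lf "$1.pub" | awk '{print $2}')
  if ssh-add -l 2>/dev/null | grep -qF -- "$fp"; then
    return 0
  fi
  ssh-add -t "$2" "$1"
}

# connect USER HOST: what connect.sh does, without expect and without kill -9
connect() {
  ensure_agent "$AGENT_ENV"
  add_key_once "$HOME/.ssh/id_rsa" 8h
  ssh "$1@$2"
}
```

Source the file and call connect me remoteMachine from any terminal: the first call in a session prompts for the passphrase, later calls in the same session do not until the lifetime expires. To stop the agent deliberately, load the same environment file and run ssh-agent -k, which lets the agent clean up its socket.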

Notes

From a security point of view, it is better to connect to the remote server as a regular user rather than as root (and to set PermitRootLogin to no, or at least to prohibit-password, in the server's sshd_config). If you need root access, configure /etc/sudoers with visudo (man visudo) so that you can grant privileges selectively to users.

Gateway/Proxy

SQL Server (localhost:3306) --FW-- GATEWAY (localhost:1212) --FW-- SQL Client (localhost:2424)

Neither the SQL Client nor the SQL Server can reach the other through the firewalls, but the GATEWAY can open SSH connections to both. The GATEWAY therefore chains a local forward (-L) to the server's MySQL port with a remote forward (-R) to the client: a connection to localhost:2424 on the client travels over SSH to localhost:1212 on the gateway, and from there over the second SSH connection to localhost:3306 on the server. The -nNf options mean: no stdin (-n), no remote command (-N), and go to the background once the connection is up (-f).

On the GATEWAY machine:

ssh -nNf -L 1212:localhost:3306 SQL_Server
ssh -nNf -R 2424:localhost:1212 SQL_Client

Check that port 2424 is listening on the SQL Client machine. sshd binds a remote forward to the loopback interface only unless GatewayPorts is enabled in its sshd_config, which is what you want here: the tunnel is reachable from the client itself, not from its network.

# lsof -i :2424
COMMAND  PID   USER   FD   TYPE DEVICE     SIZE/OFF NODE NAME
sshd    5161   me     8u   IPv6 27808583   0t0      TCP localhost:2424 (LISTEN)
sshd    5161   me     9u   IPv4 27808584   0t0      TCP localhost:2424 (LISTEN)

Then, on the SQL Client, you can reach the database through the tunnel. The listening port there is 2424 (port 1212 exists only on the GATEWAY). --host=127.0.0.1 together with --protocol=TCP forces the client onto the forwarded TCP port instead of the local Unix socket, and -p without a value makes mysql prompt for the password rather than exposing it on the command line and in the shell history (mysql -p pw, with a space, would take pw as the database name, not the password):

mysql -u username -p --host=127.0.0.1 --protocol=TCP --port=2424

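As an added example that is not part of the original page, here are the same two hops brought up from the GATEWAY in a way that fails loudly instead of silently: ExitOnForwardFailure makes ssh exit with an error if 1212 or 2424 is already bound rather than staying up without the forward, ServerAliveInterval makes a dead tunnel die instead of lingering, and the script waits for the first hop to listen before building the second one on top of it. The hostnames SQL_Server and SQL_Client and the ports are the page's (assumed to be ssh_config aliases the GATEWAY can log in to); the port probe uses bash's /dev/tcp so it needs neither lsof nor ss on the gateway.

```bash
#!/usr/bin/env bash
# Added example, not from the page: the two hops of the diagram above, run on
# the GATEWAY, with forwards that fail loudly and a check of each listener.
set -eu

# Options shared by both hops:
#   -n/-N/-f              no stdin, no remote command, background once connected
#   ExitOnForwardFailure  ssh exits non-zero if the listening port is already taken,
#                         instead of staying up without the forward
#   ServerAliveInterval   notice a dead peer so a stale tunnel does not linger
FORWARD_OPTS="-nNf -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"

# port_open HOST PORT: true if a TCP connection to HOST:PORT is accepted.
# Uses bash's /dev/tcp, so it works without lsof, ss or nc on the machine.
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# wait_for_port HOST PORT SECONDS: poll once a second until the port answers;
# returns 1 when SECONDS have passed without an answer
wait_for_port() {
  local i=0
  while [ "$i" -lt "$3" ]; do
    if port_open "$1" "$2"; then return 0; fi
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# bring_up_tunnel: run on the GATEWAY.
#   hop 1: localhost:1212 here  -> localhost:3306 on SQL_Server
#   hop 2: localhost:2424 on SQL_Client -> localhost:1212 here
bring_up_tunnel() {
  # shellcheck disable=SC2086  # FORWARD_OPTS is meant to be word-split
  ssh $FORWARD_OPTS -L 1212:localhost:3306 SQL_Server
  wait_for_port 127.0.0.1 1212 5 || { echo "hop 1 is not listening on 1212" >&2; return 1; }
  ssh $FORWARD_OPTS -R 2424:localhost:1212 SQL_Client
  # hop 2's listener lives on SQL_Client, so check it there, as the page does
  ssh SQL_Client "lsof -i :2424" > /dev/null || { echo "hop 2 is not listening on 2424" >&2; return 1; }
}
```

Because ssh -f forks after authentication but before the forward is exercised, the only reliable signal that a hop is usable is a successful connection to its listening port, which is what the two checks provide; the mysql command above is then run on the SQL Client as before.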
programming/bash/ssh_connection.txt · Last modified: 2015/09/21 12:42 by sbolay