I'm trying to get an ansible script to prompt the user. I have the following script:
- name: Generate a new SSH Key
shell: ssh-keygen -t rsa -b 4096 -C {{email_address}}
When I run from command line, it ask for a passphrase and file location. When I run from the ansible, it uses the default values. How do I get it to pause, so that it asks the user.
You have a few options:
Write an Expect script, copy it to the destination machine and execute it
or
Use Ansible's Expect module
- expect:
command: ssh-keygen -t rsa -b 4096 -C {{email_address}}
responses:
'Enter file in which .*': '/home/gibson/.ssh/id_rsa'
or
Specify non-interactive ssl-keygen
- shell: ssh-keygen -f myfile.rsa -t rsa -b 4096 -C {{email_address}} -N ''
or
Use Ansible's vars_prompt to prompt for the value and pass it to the command
vars_prompt:
- name: "key_file_name"
prompt: "Enter file in which to save the key: "
...
...
tasks:
- shell: ssh-keygen -f {{key_file_name}} -t rsa -b 4096 -C {{email_address}} -N ''
Related
I'm trying to run a script on a remote server with either password credentials or .pem key access and I'm getting errors no matter which solution I've found etc.
bash script content:
#!/bin/bash
sudo fdisk -l
ssh -T -i "~/.ssh/keys/key.pem" ubuntu#host "sudo bash <(wget -qO- http://host.com/do.sh)"
Error: bash: /dev/fd/63: No such file or director
ssh user#host.com 'echo "password" | sudo bash <(wget -qO- http://www.host.io/do.sh)'
Error: sudo: a password is required
ssh -t user#host.com "echo password | sudo fdisk -l"
Works but still gives me the password propmt
echo -t pass | ssh user#host "sudo bash <(wget -qO- http://host.com/do.sh)"
echo -tt pass | ssh user#host "sudo bash <(wget -qO- http://host.com/do.sh)"
Error: bash: /dev/fd/63: No such file or directory
// And I also get the password prompt
echo -tT pass | ssh user#host "sudo bash <(wget -qO- http://host.com/do.sh)"
Error: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
// And I also get the password prompt
// This works but I still get the password propmt
ssh user#host 'echo "password" | sudo -S sudo fdisk -l'
These are different variations of the supposed solutions from other places.
What I'm trying to do:
Is to run a script from a URL on the remote server while echoing the password to the cmd so I don't get propmt to input the password manually.
To be able to do the same thing above with using the .pem key variant also
For an explanation for commands except the first one, You can't do stdin-redirect a password to ssh if ssh requires interactively. ssh only allows manual typing if you use a password.
Your first error said that bash can't read a file descriptor. So ssh via ~/.ssh/keys/key.pem works. To run the shell command on the fly,
ssh -T -i "~/.ssh/keys/key.pem" ubuntu#host "curl -fsSL http://host.com/do.sh | sudo bash"
Does your script really need to run with sudo??
If not, then try this:
ssh user#host "curl -s -o do.sh 'http://host.com/do.sh'; source do.sh"
Hi i created following script to initialize my storage box to use rsync without password later. Last year it works if i remember correct...
cat .ssh/id_rsa.pub >> .ssh/storagebox_authorized_keys
echo -e "mkdir .ssh \n chmod 700 .ssh \n put $.ssh/storagebox_authorized_keys" \
".ssh/authorized_keys \n chmod 600 .ssh/authorized_keys" | sshpass -p ${storage_password} \
sftp -P ${storage_port} -i .ssh/id_rsa ${storage_user}#${storage_address}
today I get following error:
sshpass: invalid option -- 'i'
but the parameter -i belongs to sftp and not sshpass - is there an possibility to parse the parameters in the correct way?
edit: i switched the position of
-i .ssh/id_rsa ${storage_user}#${storage_address}
and get this error
sshpass: Failed to run command: No such file or directory
edit: it seems like an sftp problem...
after discussion, updating answer to properly support automation
step 1:
create an sftp "batch file" e.g: ~/.ssh/storage-box_setup.sftp
mkdir .ssh
chmod 700 .ssh
put /path/to/authorized_keys_file ".ssh/authorized_keys
chmod 600 .ssh/authorized_keys
/path/to/authorized_keys_file is a file containing public keys of ONLY the keys that should have access to your storage box (.ssh/storagebox_authorized_keys)
step 2:
update automation script command to
sshpass -p <password> -- sftp -P <port> -b ~/.ssh/storage-box_setup.sftp user#host
the -b flag was the answer you needed.
refer: man sftp
-b batchfile
Batch mode reads a series of commands from an input batchfile instead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication.
--
sshpass -p ${storage_password} -- \
sftp -P ${storage_port} -i .ssh/id_rsa \
${storage_user}#${storage_address}
the -- before sftp is a way to tell sshpass (and most other programs) to stop parsing arguments.
everything after -- is assumed as the last argument, which in the case of sshpass is the command to be executed ssh -i ~/.id_rsa ...
in case you're wondering switching the position of -i tells sshpass to execute -i as a program and hence fails with command not found
I use this command to generate a key:
ssh-keygen -t rsa -b 4096 -C "your_email#example.com"`
However I do not want to save it as a file, instead I would like to copy it to my clipboard so it is ready to be pasted.
How can I do that? How to combine this with some sort of copy to clipboard command?
I tried the following command but it didn't work:
pbcopy ssh-keygen -t rsa -b 4096 -C "your_email#example.com"ssh-keygen -t rsa -b 4096 -C "your_email#example.com"
You should create a script (or a function) to achieve this. Example with a script:
genkey.sh
#!/bin/bash
ssh-keygen -t rsa -b 4096 -C "your_email#example.com" -f $1 && pbcopy < $1.pub
The first command generates a key at the location given in the first argument of the script. The second one, pbcopy, copies the content of the newly-generated public key in your clipboard.
When running the script, feed it the path to the private key you want to generate:
sh genkey.sh ~/.ssh/id_rsa
I need connect to server via ssh and change users' passwords without typing ssh or sudo password.
I found some example but I cannot complete one command.
I found this command for ssh connection without typing password and running sudo command for delete user:
sshpass -p $admin_password ssh -t $admin#$server "echo $admin_password | sudo -S /usr/sbin/userdel -r $usr"
then I found command for change users password:
echo "$usr:$password" | sudo -S /usr/sbin/chpasswd;
Finaly, I want something like this:
sshpass -p $admin_password ssh -t $admin#$server "echo $admin_password | sudo -S echo "$usr:$password" | sudo -S /usr/sbin/chpasswd;"
Do you have any ideas?
Your question is actually going to require 2 things. The command to change a password remotely for a user:
ssh remoteserver 'echo -e "passwdofuser\npasswdofuser" | passwd username'
In order to do that you probably need to be root, or in the sudo config, have "passwd" NOT require a password for your user to run.
visudo
Edit the file:
Cmnd_Alias MYPASSWD = /usr/bin/passwd
yourusername ALL = NOPASSWD: MYPASSWD
That should allow you to ssh in and not have to use a password to run the passwd command.
I would like to create script, which simply runs ssh-keygen -t rsa. But how to pass to it 3 times enter?
Try:
ssh-keygen -t rsa -N "" -f my.key
-N "" tells it to use an empty passphrase (the same as two of the enters in an interactive script)
-f my.key tells it to store the key into my.key (change as you see fit).
The whole thing runs without you needing to supply any enter keys :)
To send enters to an interactive script:
echo -e "\n\n\n" | ssh-keygen -t rsa
a version with passphrase is:
$ ssh-keygen -t rsa -b 4096 -C "comment" -P "examplePassphrase" -f "desired pathAndName" -q
the -q is for silent
Source is http://linux.die.net/man/1/ssh-keygen
Agree with Michel Marro except that it needs some more:
If the file already exists, it will still be interactive asking if it has to overwrite it.
Use the answer of this question.
yes y | ssh-keygen -q -t rsa -N '' >/dev/null
The redirection to null is necessary to silence the overwrite message.
It is recommended to use ed25519 for security and performance.
yes "y" | ssh-keygen -o -a 100 -t ed25519 -C "Bla Bla" -f /mypath/bla -N ""
here
-o OpenSSH key format instead of older PEM (needs OpenSSH 6.5+)
-a Number of primality test while screening DH-GEX candidates
-t Type of key (ed25519, RSA, DSA etc.)
-f /mypath/bla The output file path and name
-N "" Use empty passphase
and yes "y" for no interaction.
It will generate two files
/mypath/bla
/mypath/bla.pub
where the bla file is private and bla.pub is public.
echo -e "\n"|ssh-keygen -t rsa -N ""