Monday, January 22, 2007

BASH Hacks: Scripting With SSH

Backup scripts are key to any setup, and the bulk of the scripting that most systems administrators end up writing is backup scripts. It's nice to do a tar or rsync type backup locally, but it is much nicer to do a tar or rsync backup to a remote machine. To do this securely you would want to use ssh in the script, but for automated scripts this becomes problematic, as ssh challenges you for a password. This post will walk you through setting up a pair of dsa keys so that you can automate your remote backups. Having said that, it will have very little to do with actual scripting and everything to do with configuring SSH properly for id_dsa keys. As with most things on this blog, this has been tested on Debian and Ubuntu Linux and Mac OS X; I doubt very much that it will work on Windows, and if it does it would be some other way.

To start, you'll need to generate a master key. To do this you'll need to use the ssh-keygen utility:


matt@$ ssh-keygen -t dsa -b 2048 -f ~/.ssh/id_dsa


This will generate a 2048-bit dsa key pair and put it into two files: id_dsa, which is your private key, and id_dsa.pub, which is your public key. You'll need to take the public key and put it into a file called authorized_keys:


matt@$ touch ~/.ssh/authorized_keys
matt@$ chmod 600 ~/.ssh/authorized_keys
matt@$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys


You'll then need to edit the /etc/ssh/ssh_config file and uncomment the following line:


# IdentityFile ~/.ssh/id_dsa


If you don't feel like opening the file, you can let sed edit it in place instead (GNU sed shown; the BSD sed on Mac OS X wants -i '' rather than -i):


matt@$ sudo sed -i 's|^# *IdentityFile ~/\.ssh/id_dsa$|IdentityFile ~/.ssh/id_dsa|' /etc/ssh/ssh_config


We now need to upload the authorized_keys file to the server that you will be connecting to. Every server you connect to will need this authorized_keys file, and each client you connect from will need the id_dsa and id_dsa.pub keys:


sftp > mkdir .ssh/
sftp > put ~/.ssh/authorized_keys .ssh/authorized_keys


Once you've done this, you will be able to connect via SSH or SFTP without having to authenticate via a password challenge. You can test this by trying to ssh or sftp to your server:


matt@$ ssh <Server FQDN or IP>
matt@$ sftp <Server FQDN or IP>


If you are logged directly into the server without a password prompt, then you have succeeded. If not, your SSH server may not be accepting dsa key pair authentication, even though this is turned on by default. In that case, check the /etc/ssh/sshd_config file on your SSH server to see whether dsa key pair verification is enabled.

To use SSH in a script now, you just need to know how to execute commands remotely with SSH from a BASH script. To do this you merely need to use your standard ssh command followed by the command(s) you wish to execute in quotes:


ssh <Server FQDN or IP> "command1; command2; command3;"


For SFTP it gets a little more complicated, as SFTP requires the use of a batch file to execute commands. Create a batch file with the list of commands you want to execute, one command per line:


put /path/to/file
get /path/to/file
lcd /local/path/change/
cd /remote/path/change/
put file
get file
bye


The line bye at the end will terminate the SFTP session. Batch mode only works with non-interactive authentication, which is exactly why the key setup above is needed. To execute a batch file with SFTP, use the -b option like so:


sftp -b /path/to/batchfile.bat <Server FQDN or IP>


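As an added example (not code from the original post), here is a POSIX sh backup helper that ties the pieces above together: it checks the key permissions ssh relies on, builds the sftp batch file, and uploads an archive with BatchMode so a broken key setup fails loudly instead of hanging on a password prompt. It assumes the key and ssh_config setup from the post and a tar binary; the host name and paths in the usage line are placeholders.

```shell
# Added example, not code from the original post: a backup helper built on the
# key-based ssh/sftp setup above. Assumes the keys and ssh_config are set up
# as in the post and that tar is available.
set -eu

# Write an sftp batch file. "-mkdir" is prefixed with "-" so sftp -b does not
# abort if the directory already exists (batch mode otherwise stops at the
# first failing command); "bye" ends the session.
make_sftp_batch() {
    # $1 = batch file path, $2 = remote directory, $3.. = local files to upload
    batch=$1; remote_dir=$2; shift 2
    {
        printf -- '-mkdir %s\n' "$remote_dir"
        printf 'cd %s\n' "$remote_dir"
        for f in "$@"; do printf 'put %s\n' "$f"; done
        printf 'bye\n'
    } > "$batch"
}

# Check the permissions ssh insists on before running unattended: the client
# refuses a private key others can read, and sshd's StrictModes rejects a
# ~/.ssh directory that others can write.
check_key_perms() {
    # $1 = directory holding id_dsa; returns non-zero if anything is too open
    dir=$1
    [ -d "$dir" ] || return 1
    # chars 6 and 9 of "ls -ld" are the group and other write bits
    [ "$(ls -ld "$dir" | cut -c6,9)" = "--" ] || return 1
    [ -f "$dir/id_dsa" ] || return 1
    # chars 5-10 are the group and other permission bits; all must be off
    [ "$(ls -l "$dir/id_dsa" | cut -c5-10)" = "------" ] || return 1
}

# Archive the given directories, upload the archive and confirm it arrived.
# BatchMode=yes makes ssh/sftp fail instead of hanging on a password prompt
# when the key setup is broken, which is what a cron job needs.
remote_backup() {
    # $1 = server, $2 = remote directory, $3.. = local directories to back up
    host=$1; remote_dir=$2; shift 2
    check_key_perms "$HOME/.ssh"
    work=$(mktemp -d)
    archive=$work/backup-$(date +%Y%m%d).tar.gz
    tar czf "$archive" "$@"
    make_sftp_batch "$work/batch" "$remote_dir" "$archive"
    sftp -o BatchMode=yes -b "$work/batch" "$host"
    ssh -o BatchMode=yes "$host" "ls -l '$remote_dir/$(basename "$archive")'"
    rm -rf "$work"
}
# Usage (hypothetical host and paths): remote_backup backup.example.com /backups /etc /home
```
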
Enjoy!
