How can I automate the entering of password in Perl?
code:
my $makecmd .= system "ssh remotehost;";
system( "$makecmd" );
output:
Enter passphrase for key '~/.ssh/id_rsa':
How can I automate the entering of password in Perl?
code:
my $makecmd .= system "ssh remotehost;";
system( "$makecmd" );
output:
Enter passphrase for key '~/.ssh/id_rsa':
You can use an SSH agent to store the passphrase in memory. Although this approach is more cumbersome than using an unencrypted key, it is slightly more secure. There is an excellent comparison of the two methods in the O'Reilly book SSH, The Secure Shell: The Definitive Guide under chapter 11.1, Unattended SSH: Batch or cron Jobs.
The big advantage of using an unencrypted (passphrase-less) key is ease of configuration. To generate a key with an empty passphrase or to set the passphrase to nothing on an existing key, run
ssh-keygen -f ~/.ssh/id_rsa -p
And that's it, no more configuration required. The big drawback to this is that your private key is now sitting on your filesystem in plain text.
The configuration process for an SSH agent is more involved and depends on which agent you use. Chapter 6.3 of the O'Reilly book, SSH Agents, and the IBM developerWorks article Getting started with SSH security and configuration describe how to configure ssh-agent
, the default agent included with OpenSSH. The archlinux wiki page on SSH Keys also describes other agents like GNOME Keyring and pam_ssh.
Let's look at the set-up process for ssh-agent
. When you run the command
ssh-agent
it not only starts the agent, but also spits out shell commands for setting some environment variables. In a Bourne-style shell, the output looks like this:
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-barrett/ssh-3654-agent; export SSH_AUTH_SOCK;
SSH_AGENT_PID=3655; export SSH_AGENT_PID;
echo Agent pid 3655;
These environment variables tell your shell how to access the agent. Any scripts that use the agent will need these environment variables to be set. You can save the shell commands to a file for later use when you first invoke the agent:
$ ssh-agent | head -2 > ~/agent-info
Next you need to add your private key to the agent:
$ source ~/agent-info
$ ssh-add ~/.ssh/id_rsa
Need passphrase for ~/.ssh/id_rsa
Enter passphrase: **************
Finally, you need to make sure that the appropriate environment variables are set when your Perl script is invoked. One way to do this would be to write a wrapper script:
#!/bin/sh
source ~/agent-info
/path/to/perl/script "$@"
As long as the agent is running, your script can use the private key without having to enter the passphrase. Note that if only one uid will be using the agent, it would be easiest to start the agent under that uid:
$ su <script_user> ssh-agent ...
One drawback to using an agent is that you will have to manually restart the agent and re-enter your passphrase on server reboot. This is the price you pay for the (arguably marginal) additional security you get from using an encrypted key.
Net::OpenSSH supports keys with pass-phrases:
use Net::OpenSSH;
my $ssh = Net::OpenSSH->new($host, passphrase => $passphrase);
$ssh->system($makecmd);
In any case, including the pass-phrase in the scripts defeats its purpose, mostly.
You could use Expect to do this. From this page: http://metacpan.org/pod/Net::SSH::Expect
Using passpharse:
# Starting ssh without password
# 1) run the constructor
my $ssh = Net::SSH::Expect->new (
host => "myserver.com",
user => 'bnegrao',
raw_pty => 1
);
# 2) now start the ssh process
$ssh->run_ssh() or die "SSH process couldn't start: $!";
Using password:
use Net::SSH::Expect;
# Making an ssh connection with user-password authentication
# 1) construct the object
my $ssh = Net::SSH::Expect->new (
host => "myserver.com",
password=> 'pass87word',
user => 'bnegrao',
raw_pty => 1
);
# 2) logon to the SSH server using those credentials.
# test the login output to make sure we had success
my $login_output = $ssh->login();
if ($login_output !~ /Welcome/) {
die "Login has failed. Login output was $login_output";
}