我正在使用Fabric 2.4.0进行入门,但我无法找到一种优雅且安全的方法来解密我的SSH密钥并将其传递给Fabric。我的代码如下:
#!/usr/bin/env python3
"""fabfile"""
from fabric import Connection
c = Connection('user@ip.address')
result = c.run('uname -s')
在这个简单的例子中,运行
python fabfile.py
时,我遇到了错误:File "/Users/user.name/GitHub/app_name/fabfile.py", line 6, in <module>
result = c.run('uname -s')
File "<decorator-gen-3>", line 2, in run
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/fabric/connection.py", line 29, in opens
self.open()
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/fabric/connection.py", line 615, in open
self.client.connect(**kwargs)
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/client.py", line 437, in connect
passphrase,
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/client.py", line 749, in _auth
raise saved_exception
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/client.py", line 720, in _auth
filename, pkey_class, passphrase
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/client.py", line 571, in _key_from_filepath
key = klass.from_private_key_file(key_path, password)
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/pkey.py", line 206, in from_private_key_file
key = cls(filename=filename, password=password)
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/rsakey.py", line 55, in __init__
self._from_private_key_file(filename, password)
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/rsakey.py", line 175, in _from_private_key_file
data = self._read_private_key_file("RSA", filename, password)
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/pkey.py", line 279, in _read_private_key_file
data = self._read_private_key(tag, f, password)
File "/Users/user.name/anaconda/envs/virtual_env/lib/python3.6/site-packages/paramiko/pkey.py", line 329, in _read_private_key
raise PasswordRequiredException("Private key file is encrypted")
paramiko.ssh_exception.PasswordRequiredException: Private key file is encrypted
- 如何让Fabric和paramiko在运行上述fabfile时要求我输入加密密码?
- 使用
python fabfile.py
语法来运行上述命令是可接受的吗? - 2018年自动将SSH密钥从用户计算机传递到脚本的最佳安全实践是什么?使用
os.environ()
可接受吗?
我在身份验证文档中看到,Fabric指出:connect_kwargs.passphrase
配置选项是提供自动使用的密码短语的最直接方法。
但紧接着它说:
对于这种类型的材料,使用实际的磁盘配置文件并不总是明智的,但请记住,配置系统能够从其他来源加载数据,例如您的shell环境或任意远程数据库。
从安全角度考虑,我担心设置错误。使用环境变量传递ssh密码短语是否足够安全?如果可以,请问一个工作代码片段是什么样的,以便与加密的SSH密钥一起使用此命令?
#!/usr/bin/env python3
"""fabfile"""
from fabric import Connection
c = Connection('user@ip.address')
result = c.run('uname -s')
fabric 2.7.1
版本中,这个答案会导致一个SSHException: Invalid key
错误。可以通过将'passphrase': ...
更改为'password': ...
来避免此错误 :) - Cole Robertson