Securely scripting a remote machine (was Re: VB or c++ call in script)
- Subject: Securely scripting a remote machine (was Re: VB or c++ call in script)
- From: Sander Tekelenburg <email@hidden>
- Date: Mon, 20 Sep 2004 11:27:24 +0200
At 18:38 -0600 UTC, on 2004/09/19, Johnny AppleScript wrote:
[...]
[ssh-ing into a remote machine through AppleScript]
> For the fun of it though, how about just a simple login and do one thing
> script, just to be sure it can be done purely in AS.
>
> sudo ssh email@hidden <-- login line in terminal
> --> returns call for local admin password; this is where AS breaks down
> unless you pass calls to an actual window in Terminal.app
> [email@hidden's password] <-- now you need to give the password
> for the ssh user login
Make use of ssh's public key cryptography. See man ssh[1]
In practice the user experience is just like that of Keychain. You log in to
places without needing to type a passphrase.
If you want a nice GUI to generate the keypair and act as the authentication
agent, use SSH-Agent, available at <http://www.phil.uu.nl/~xges/ssh/>. It has
served me well since Mac OS X 10.1.
You don't need to understand all the tech details[2]. Just generate a keypair
and copy the public key to the remote machine and have SSH-Agent (or your
preferred alternative) running on the client machine.
This set-up is useful already simply for not having to remember each and
every passphrase of each and every account on each and every remote machine.
But it's also ideal for situations where you want a script to do something on
a remote machine:
do shell script "ssh [username]@[IP] '[commands]'"
Example:
set remote_address to text returned of (display dialog ¬
	"Enter the IP address or domain name of the remote machine" default answer "")
set user_name to text returned of (display dialog ¬
	"Enter the username of " & remote_address default answer "")
try
	-- the login target, quoted so unusual characters are not parsed as shell syntax
	set log_in to "ssh " & quoted form of (user_name & "@" & remote_address)
	-- the remote commands travel as one quoted argument so they run on the remote
	-- machine; "ssh user@host; whoami; pwd" would run whoami and pwd locally
	set remote_command to quoted form of "whoami; pwd"
	do shell script log_in & " " & remote_command
on error m number n
	log {n, m}
end try
That's all. No interactive log-in. No need to store a passphrase inside the
script.
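The same set-up from the shell, as an added example that is not part of the original post: generating the keypair, installing the public key into authorized_keys with the permissions sshd insists on, checking that the private key is not readable by others, and building the non-interactive ssh command a script should run. The user name, host name and paths are placeholders supplied by the caller, and the public key line in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not the post's own code): ssh public-key set-up with the
# OpenSSH command-line tools. Names and paths are placeholders.

# Generate an RSA keypair; $3 is the passphrase that protects the private key
# (the post's advice: set one and let an agent remember it). Only runs where
# ssh-keygen is installed.
generate_keypair() {
    key_file=$1; comment=$2; passphrase=${3:-}
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found"; return 1; }
    ssh-keygen -q -t rsa -b 3072 -C "$comment" -N "$passphrase" -f "$key_file"
}

# Start an agent and load the key so later ssh calls need no passphrase.
load_into_agent() {
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not found"; return 1; }
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$1"
}

# Report whether a private key is readable by its owner only; ssh refuses a
# key whose group/other permission bits are set. Prints "ok" or "too open".
check_key_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] && echo ok || echo "too open"
}

# Append one public key line to authorized_keys exactly once, with the
# permissions sshd requires (directory 700, file 600). Prints "added" or
# "present".
install_pubkey() {
    pubkey_line=$1; auth_file=$2
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    if grep -qxF -- "$pubkey_line" "$auth_file"; then
        echo present
    else
        printf '%s\n' "$pubkey_line" >>"$auth_file"
        echo added
    fi
}

# Wrap a string in single quotes for the remote shell, escaping any single
# quotes it contains ("it's" becomes 'it'\''s').
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the ssh command a script should run. BatchMode makes ssh fail instead
# of prompting when no key is accepted (a script has no terminal to answer a
# prompt), and the remote command is one argument so it executes remotely.
remote_cmd() {
    printf 'ssh -o BatchMode=yes %s@%s %s\n' "$1" "$2" "$(shquote "$3")"
}

# Offline demo on a constructed public key line in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    fake_pub="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB constructed@example"  # constructed, not a real key
    install_pubkey "$fake_pub" "$tmp/.ssh/authorized_keys"   # added
    install_pubkey "$fake_pub" "$tmp/.ssh/authorized_keys"   # present
    remote_cmd alice host.example "whoami; pwd"
    rm -rf "$tmp"
}
```

Run `demo` to see the two install results and the command line that would be handed to `do shell script`; for a real machine, copy the generated `.pub` file's single line to the remote account's `~/.ssh/authorized_keys` with `install_pubkey` and run the output of `remote_cmd`.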
> killall Dock <-- if you can get in, you can kill any app by its exact
> name
I'd start with less aggressive testing methods ;) (Besides, I assume that
process would only be running if there is a graphical session running on the
remote machine.)
> logout <-- always good to logout
In my experience there is no need to explicitly exit. I think do shell script
takes care of that. Maybe Chris Nebel can confirm (or deny :)).
> If the above were somehow able to work via AS without going into a visual
> session in Terminal or writing additional shell scripts, which also require
> compiling, that would be awesome.
Voila ;)
[1] Specifically: "[...] As a third authentication method, ssh supports RSA
based authentication [...]
ssh implements the RSA authentication protocol automatically. The user
creates his/her RSA key pair by running ssh-keygen(1). This stores the
private key in $HOME/.ssh/identity and the public key in
$HOME/.ssh/identity.pub in the user's home directory. The user should then
copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home directory
on the remote machine [...] " and last but not least: "[...] The most
convenient way to use RSA authentication may be with an authentication agent.
See ssh-agent(1) for more information. [...]"
[Note: On my system the files ~/.ssh/identity and ~/.ssh/identity.pub are
called ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. Seems like this is yet another
outdated man page.]
[2] The only essential bit to understand is that public key crypto means you
work with a "keypair", consisting of a secret (aka "private") and a public key.
Those names "secret/private" and "public" are no joke. The public key is for
everybody's eyes. The other is for *nobody's eyes but yours*. (Although
granted, even if it is stolen the thief will still have to figure out your
passphrase for it.)
--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>
Applescript-users mailing list (email@hidden)