
I am working on recon for a set of systems my company is taking over, and they use a different authentication method than we do. Specifically, we use AD auth and a jump server to access systems, where they use a mix of keys, passphrases and others for various systems.

For systems that use an SSH key I am trying to write a script that allows me to automate a login and run a command to retrieve data. My key has a password on it and thus I am trying to leverage ssh-agent to allow my script the ability to authenticate to the systems with little to no input.

So far it seems the issue is when I run something like the following, ssh-agent either A.) Dies and ends before my for loop, or B.) prints the commands for environment variables and doesn't pull them into the scope.

eval ssh-agent
ssh-add ~/.ssh/${USER}_mvc

for i in `cat ${HOSTLIST}`
do
    ssh -l ${USER} ${i} -t 'uname -r' &>${OUTDIR}/${i}.keyauthcollector
done

I know I'm missing something to pull in the variables ssh-agent generates, but I can't seem to find it, and of course all the scripts I find when searching Google for ssh-agent scripting help are looking to make ssh-agent run for your current session, not a script.

Ryan Smith

3 Answers

Starting an ssh-agent from outside the script is what I would also recommend, that way your script runs without needing a passphrase.

But if you want to start an agent for your script, the way to do it is

eval $(ssh-agent)

After that, you can add keys to the agent and use the agent for login.

RalfFriedl

The man page for ssh-agent explains what was missing:

There are two main ways to get an agent set up:

The first is that the agent starts a new subcommand into which some environment variables are exported, eg ssh-agent xterm &.

The second is that the agent prints the needed shell commands (either sh(1) or csh(1) syntax can be generated) which can be evaluated in the calling shell, eg eval `ssh-agent -s` for Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-agent -c` for csh(1) and derivatives.

The first option would be to remove the eval ssh-agent and call ssh-agent your-script instead. The second option is to add the missing $( ... ) to capture ssh-agent's output as input for eval, as explained in RalfFriedl's answer.

Henk Langeveld
  • fantastic, I have no clue how I misinterpreted that when I was reading through. Would it be wrong to assume it may be better, if I was trying to write a script including the ssh-agent, that it may be best to define a function earlier in the script then do `ssh-agent `? – Ryan Smith Sep 16 '18 at 14:44
    I like your thinking, but alas, ssh-agent is a separate program and would have no visibility of that function. – Henk Langeveld Sep 16 '18 at 15:12
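The second method from the man page, carried through to a complete collector script, as an added example that is not code from the question or from either answer. It assumes the host list file is passed as the first argument and that OUTDIR and KEY may be set in the environment (the defaults mirror the question); the agent is started inside the script, used by the loop, and killed on exit.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: the host list file is $1,
# OUTDIR and KEY may be set in the environment (defaults mirror the question).
set -eu

me=${USER:-$(id -un)}
OUTDIR=${OUTDIR:-./out}
KEY=${KEY:-${HOME:-/root}/.ssh/${me}_mvc}

# Extract one variable from the sh-syntax text that `ssh-agent -s` prints,
# e.g. (constructed) "SSH_AUTH_SOCK=/tmp/ssh-x/agent.1; export SSH_AUTH_SOCK;".
agent_var_from_output() {          # $1 = variable name, $2 = agent output
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

start_agent() {
    # Second method from the man page: capture the agent's output and eval it
    # in THIS shell so SSH_AUTH_SOCK/SSH_AGENT_PID are inherited by every ssh
    # the loop forks. `eval ssh-agent` (no $(...)) just runs the agent and
    # lets its output go to stdout, which is exactly the symptom in the question.
    agent_out=$(ssh-agent -s)
    eval "$agent_out"
    # Kill the agent when the script ends, whatever the reason.
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT INT TERM
    sock=$(agent_var_from_output SSH_AUTH_SOCK "$agent_out")
    [ -S "$sock" ] || { echo "agent socket '$sock' missing" >&2; exit 1; }
    ssh-add "$KEY"                  # the one passphrase prompt of the run
}

collect() {
    mkdir -p "$OUTDIR"
    while read -r host; do
        [ -n "$host" ] || continue
        # -n: do not let ssh swallow the rest of the host list from stdin.
        # BatchMode=yes: no interactive fallback, so a host the key does not
        # open fails fast instead of blocking the loop on a password prompt.
        ssh -n -o BatchMode=yes -l "$me" "$host" 'uname -r' \
            >"$OUTDIR/$host.keyauthcollector" 2>&1 ||
            echo "$host: ssh failed (exit $?)" >&2
    done <"$1"
}

# Only act when a host list is given, so sourcing the file for its
# functions is side-effect free.
if [ "$#" -gt 0 ]; then
    start_agent
    collect "$1"
fi
```

Run it as `./collect.sh hosts.txt`; the passphrase is asked once by ssh-add, and every ssh in the loop reuses the agent the script started.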

After some checking and rechecking I seem to have found a solution, but I am still interested in making this work in the script. I was able to get the script to work by deploying ssh-agent and ssh-add before running my script and removing all mentions of ssh-agent related commands (specifically lines 1 & 2 in my example). SSH uses the agent variables set by me outside of the script and successfully authenticates with the key.

Downside: I still don't know how to make it create the ssh-agent session within the shell script and continue to use that agent session with the for loop.

Ryan Smith