  • using expect with ssh


    Hi - I have a large number of machines to manage and historically
    have used an expect script that drives ssh to connect to the boxes
    to do things.
    I am looking either to make it better or scrap it for a better
    replacement that a wider admin community uses.
    If you know of such a script that drives ssh using expect and works
    well, please let me know.
    Thanks,
    Stuart
  • No.1 | | 411 bytes | |

    In comp.os.linux.misc cracraft@cox.net <cracraft@cox.net>:
    >Hi - I have a large number of machines to manage and historically
    >have used an expect script that drives ssh to connect to the boxes
    >to do things.

    Using expect with ssh is a waste of time and insecure, ssh allows
    to use ssh-agent and agent forwarding to manage logins.

    See: http://www.snailbook.com/faq/

    Good luck
  • No.2 | | 606 bytes | |


    cracraft@cox.net wrote:
    >Hi - I have a large number of machines to manage and historically
    >have used an expect script that drives ssh to connect to the boxes
    >to do things.
    >
    >I am looking either to make it better or scrap it for a better
    >replacement that a wider admin community uses.
    >
    >If you know of such a script that drives ssh using expect and works
    >well, please let me know.
    >
    >Thanks,
    >
    >Stuart

    We do remote *n?x support with ssh. CLI only.
    We use kermit scripts for connections and for file transfer over ssh.

    Regards
    Dan.

  • No.3 | | 827 bytes | |

    >Using expect with ssh is a waste of time and insecure, ssh allows
    >to use ssh-agent and agent forwarding to manage logins.


    I tend to disagree on this. To save typing the repetitive hostname/IP
    and usrname, I use ssh-agent to start an expect script, which in turn
    spawns ssh-add (user will be prompted for passphrase) and then spawns
    ssh to connect to the remote host.

    I don't think it'll in any way be less secure than typing all the
    commands in manually.

    Of course, if you want to fully automate the script, you can put your
    passphrase in the expect script - this obviously defeats the purpose of
    ssh and therefore not recommended. But if you know the risk and use it
    appropriately, it can be a time saver.

    /Why Tea

  • No.4 | | 759 bytes | |

    In comp.os.linux.misc Why Tea <ytlim1@gmail.com>:
    >>Using expect with ssh is a waste of time and insecure, ssh allows
    >>to use ssh-agent and agent forwarding to manage logins.


    >I tend to disagree on this. To save typing the repetitive hostname/IP
    >and usrname, I use ssh-agent to start an expect script, which in turn
    >spawns ssh-add (user will be prompted for passphrase) and then spawns
    >ssh to connect to the remote host.

    Well, but then you failed to understand how ssh-agent and agent
    forwarding works, you don't need to enter the passphrase on each
    login, only once and ssh-agent will keep it in memory. That's the
    purpose of it.

    []
  • No.5 | | 1505 bytes | |

    >Well, but then you failed to understand how ssh-agent and agent
    >forwarding works, you don't need to enter the passphrase on each
    >login, only once and ssh-agent will keep it in memory. That's the
    >purpose of it.


    Ah, I see what you meant. ssh-agent was designed for exactly what you
    mentioned. In an Expect script, I do not exactly make use of that
    feature (ssh-agent terminates as Expect exits). As mentioned before:

    ssh-agent -> Expect script -> ssh-add (will prompt for passphrase)
                               -> ssh -l usrname automatically
                               -> set Clearcase view or something automatically
                               -> run applications automatically
                               -> get into interactive mode for user to use shell

    The whole thing can be wrapped in a shell script (e.g. ssh.sh). Now
    when ssh logs off due to inactivity, all you need to do is to run
    ssh.sh and enter the passphrase again; the passphrase can be put into
    the Expect script (unsecure of course!) for 100% automatic operation.

    The normal manual usage is probably something like:

    ssh-agent xterm -> ssh-add (add passphrase)
                    -> ssh -l usrname
                    -> usr is now connected to the remote host
                    -> run apps and do work

    If ssh logs off, run ssh -l again (no passphrase required)

    I think Expect can definitely make life a lot easier WITHOUT
    jeopardizing the security ssh provides. If you compare the two methods
    above, perhaps the Expect way is more secure?

  • No.6 | | 2036 bytes | |

    In comp.os.linux.misc Why Tea <ytlim1@gmail.com>:
    >>Well, but then you failed to understand how ssh-agent and agent
    >>forwarding works, you don't need to enter the passphrase on each
    >>login, only once and ssh-agent will keep it in memory. That's the
    >>purpose of it.


    >Ah, I see what you meant. ssh-agent was designed for exactly what you
    >mentioned. In an Expect script, I do not exactly make use of that
    >feature (ssh-agent terminates as Expect exits). As mentioned before:
    >
    >ssh-agent -> Expect script -> ssh-add (will prompt for passphrase)
    >                           -> ssh -l usrname automatically
    >                           -> set Clearcase view or something automatically
    >                           -> run applications automatically
    >                           -> get into interactive mode for user to use shell
    >
    >The whole thing can be wrapped in a shell script (e.g. ssh.sh). Now
    >when ssh logs off due to inactivity, all you need to do is to run
    >ssh.sh and enter the passphrase again; the passphrase can be put into
    >the Expect script (unsecure of course!) for 100% automatic operation.

    This is the point, if you put the passphrase into the script you
    can use a key without passphrase, since you don't have more
    security.

    >The normal manual usage is probably something like:
    >
    >ssh-agent xterm -> ssh-add (add passphrase)
    >                -> ssh -l usrname
    >                -> usr is now connected to the remote host
    >                -> run apps and do work
    >
    >If ssh logs off, run ssh -l again (no passphrase required)
    >
    >I think Expect can definitely make life a lot easier WITHOUT
    >jeopardizing the security ssh provides. If you compare the two methods
    >above, perhaps the Expect way is more secure?

    If you don't put the passphrase into the script then you should
    be fine, but you are certainly over complicating things and not
    using the advantages of ssh-agent. You can have all security and
    comfort if you search for a package called keychain and use it.

    Good luck
  • No.7 | | 795 bytes | |

    >If you don't put the passphrase into the script then you should
    >be fine, but you are certainly over complicating things and not
    >using the advantages of ssh-agent. You can have all security and


    I realize this. But that's the only way I could make Expect to work
    with ssh. The purpose of the script is NOT in managing keys, but to
    make life a little easier for those of us who need to ssh into a remote
    and do work. The convenience of the script is to automatically start
    any number of apps after logging in.

    >comfort if you search for a package called keychain and use it.


    I haven't heard of keychain, thanks for mentioning it. Will look
    further into it.
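
Added example, not code from any poster in this thread: the agent-based approach argued for in posts No.1, No.4 and No.6, applied to the original question of running commands on many machines without Expect. The cache path `AGENT_ENV`, the `SSH` override and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. AGENT_ENV, SSH and the function names are assumptions.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"  # where the agent's socket/pid are cached
SSH="${SSH:-ssh}"                               # overridable so the loop can be dry-run

# True when an agent is reachable: ssh-add -l exits 0 (keys loaded) or 1 (no keys yet);
# 2 means the socket is dead, e.g. a stale env file left over from an earlier session.
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ "$?" -eq 1 ]
}

# Start one agent per user, not one per script run; the passphrase is typed once
# at ssh-add and the decrypted key then stays in the agent's memory.
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then . "$AGENT_ENV"; fi
    agent_alive && return 0
    ( umask 077; ssh-agent -s | grep -v '^echo' > "$AGENT_ENV" )
    . "$AGENT_ENV"
    ssh-add
}

# run_on_hosts HOSTFILE COMMAND...: run COMMAND on every host listed one per line;
# '#' comments and blank lines are skipped. Failed hosts are named on stderr and
# the return status is the number of failures (capped at 255).
run_on_hosts() {
    hostfile=$1; shift
    failed=0
    while read -r host rest; do
        case $host in ''|'#'*) continue ;; esac
        # BatchMode=yes: never prompt, so a host the agent key cannot open fails
        # fast instead of hanging. </dev/null keeps ssh from eating the host list.
        if ! $SSH -o BatchMode=yes -o ConnectTimeout=5 "$host" "$@" </dev/null; then
            echo "FAILED: $host" >&2
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    [ "$failed" -le 255 ] || failed=255
    return "$failed"
}

# Usage: ensure_agent && run_on_hosts hosts.txt uptime
```

With `BatchMode=yes` there is no prompt left for Expect to answer: a host either accepts the agent-held key or is reported as failed.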
