我可以通过 ssh 转发环境变量吗?
我使用多个不同的服务器,如果能够设置一些环境变量,以便当我通过 SSH 登录时它们在所有服务器上都处于活动状态,这将很有用。问题是,某些变量的内容包含敏感信息(散列密码),所以我不想把它留在 .bashrc 文件中——我只想将它保留在内存中。
我知道您可以使用 SSH 转发 DISPLAY 变量(通过 ForwardX11)或 SSH 代理进程(通过 ForwardAgent),所以我想知道是否有一种方法可以通过 SSH 连接自动转发任意环境变量的内容。理想情况下,我可以在 .ssh/config 文件中设置一些内容,以便它在我需要时自动运行。有什么想法吗?
I work with several different servers, and it would be useful to be able to set some environment variables such that they are active on all of them when I SSH in. The problem is, the contents of some of the variables contain sensitive information (hashed passwords), and so I don't want to leave it lying around in a .bashrc file -- I'd like to keep it only in memory.
I know that you can use SSH to forward the DISPLAY variable (via ForwardX11) or an SSH Agent process (via ForwardAgent), so I'm wondering if there's a way to automatically forward the contents of arbitrary environment variables across SSH connections. Ideally, something I could set in a .ssh/config file so that it would run automatically when I need it to. Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
可以,但是需要更改服务器配置。
阅读 sshd_config(5) 中的
AcceptEnv条目 和 ssh_config(5 中的SendEnv)。更新:
您还可以在命令行上传递它们:
关于安全性,请注意,任何有权访问远程计算机的人都将能够看到传递给任何正在运行的进程的环境变量。
如果您想对该信息保密,最好通过
stdin传递它:You can, but it requires changing the server configuration.
Read the entries for
AcceptEnvin sshd_config(5) andSendEnvin ssh_config(5).update:
You can also pass them on the command line:
Regarding security, note than anybody with access to the remote machine will be able to see the environment variables passed to any running process.
If you want to keep that information secret it is better to pass it through
stdin:您无法自动执行此操作(
$DISPLAY除外,您可以使用-X连同您的 Xauth 信息一起转发,以便远程程序实际上可以连接到您的显示器),但您可以使用带有“此处文档”的脚本:未转义的变量将在本地扩展,并将结果传输到远程端。因此
PATH将使用$HOME的远程值进行设置。这是一个安全风险 不要以这种方式传输密码等敏感信息,因为任何人都可以看到同一台计算机上每个进程的环境变量。
You can't do it automatically (except for
$DISPLAYwhich you can forward with-Xalong with your Xauth info so remote programs can actually connect to your display) but you can use a script with a "here document":The unescaped variables will be expanded locally and the result transmitted to the remote side. So the
PATHwill be set with the remote value of$HOME.THIS IS A SECURITY RISK Don't transmit sensitive information like passwords this way because anyone can see environment variables of every process on the same computer.
像这样的东西:
ssh user@host bash -c "set -a; $(env); source thescript.sh"...可能有效(未经测试)
有点黑客,但如果你不能改变服务器配置由于某种原因可能会起作用。
这样做:...
您可能不需要同时使用“set -a”和“source ..”,除非您正在设置环境变量。
Something like:
ssh user@host bash -c "set -a; $(env); source thescript.sh"...might work (untested)
Bit of a hack but if you cannot change the server config for some reason it might work.
This does:...
You probably don't need both "set -a" and "source .. " unless you are setting up environment variables.