SSH passphrase en Cron mediante Expect

Si tenemos la key Ssh protegida mediante passphrase puede resultar un problema al realizar tareas desde Cron, por ejemplo al ejecutar Rsyncs. Una solución rápida a esta problemática es ejecutar un script en Expect al que se le indica la passphrase y ejecuta el Rsync.


La instalación de Expect variará según el sistema operativo utilizado, en FreeBSD tendremos que instalar el paquete binario y generar un enlace simbólico genérico al binario:

pkg install expect
which tclsh8.6
ln -s /usr/local/bin/tclsh8.6 /usr/local/bin/tclsh   

En Gentoo tendremos que compilar e instalar Expect con la use flag doc y descomprimir el binario a un directorio en el path:

echo "dev-tcltk/expect threads -debug doc" > /etc/portage/package.use/expect
emerge -av dev-tcltk/expect
bzip2 -d /usr/share/doc/expect-5.45.4/examples/autoexpect.bz2
cp /usr/share/doc/expect-5.45.4/examples/autoexpect /usr/local/bin/
chmod 700 /usr/local/bin/autoexpect 

Ahora como usuario regular lanzamos expect_autoexpect/autoexpect con el comando que queramos automatizar:

expect_autoexpect /usr/local/bin/rsync -avz --del --rsh='ssh -p22' /home/kr0m/data/ kr0m@

Podemos ver el contenido del script:

cat script.exp
#!/usr/local/bin/expect -f
# This Expect script was generated by autoexpect on Tue Sep 22 18:03:18 2020
# Expect and autoexpect were both written by Don Libes, NIST.
# Note that autoexpect does not guarantee a working script.  It
# necessarily has to guess about certain things.  Two reasons a script
# might fail are:
# 1) timing - A surprising number of programs (rn, ksh, zsh, telnet,
# etc.) and devices discard or ignore keystrokes that arrive "too
# quickly" after prompts.  If you find your new script hanging up at
# one spot, try adding a short sleep just before the previous send.
# Setting "force_conservative" to 1 (see below) makes Expect do this
# automatically - pausing briefly before sending each character.  This
# pacifies every program I know of.  The -c flag makes the script do
# this in the first place.  The -C flag allows you to define a
# character to toggle this mode off and on.

set force_conservative 0  ;# set to 1 to force conservative mode even if
     ;# script wasn't run conservatively originally
if {$force_conservative} {
 set send_slow {1 .1}
 proc send {ignore arg} {
  sleep .1
  exp_send -s -- $arg

# 2) differing output - Some programs produce different output each time
# they run.  The "date" command is an obvious example.  Another is
# ftp, if it produces throughput statistics at the end of a file
# transfer.  If this causes a problem, delete these patterns or replace
# them with wildcards.  An alternative is to use the -p flag (for
# "prompt") which makes Expect only look for the last line of output
# (i.e., the prompt).  The -P flag allows you to define a character to
# toggle this mode off and on.
# Read the man page for more info.
# -Don

set timeout -1
spawn /usr/local/bin/rsync -avz --del {--rsh=ssh -p22} /home/kr0m/data/ kr0m@
match_max 100000
expect -exact "Enter passphrase for key '/home/kr0m/.ssh/id_rsa': "
send -- "PASSWORD\r"
expect eof

En este caso se trata de un script de backup, este script será muy sencillo, tan solo llamará al script en Expect:

vi /home/kr0m/

Asignamos los permisos necesarios al script:

chmod 700 /home/kr0m/

Este script se podrá crontabear sin que pida ninguna passphrase:

crontab -e
* 10 * * * /home/kr0m/
Si te ha gustado el artículo puedes invitarme a un redbull aquí.
Si tienes cualquier pregunta siempre puedes enviarme un Email o escribir en el grupo de Telegram de AlfaExploit.
Autor: kr0m -- 25/09/2020 01:28:50 -- Categoria: Seguridad Backup