I have a script.sh file which checks for loaded SSH agent and adds a key.
If I run this script directly, it works but if I run it via some worker it doesn't unless I do those changes:
This works:
#!/bin/bash -e
printf "<<<<< Start SSH agent and Github deploy key >>>>>\n"
if ps -p $SSH_AGENT_PID > /dev/null
then
printf "<<<<< ssh-agent is already running >>>>>\n"
else
eval `ssh-agent -s`
fi
ssh-add $deploy_key_path
But his doesn't work:
#!/bin/bash -e
if [ $(ps ax | grep [s]sh-agent | wc -l) -gt 0 ] ; then
printf "<<<<< ssh-agent is already running >>>>>\n"
else
eval `ssh-agent -s`
fi
ssh-add $deploy_key_path
The error says ...failed. Exit Code: 2(Misuse of shell builtins).. which happens at the line ssh-add $deploy_key_path
When checking the reserved Bash error codes I see:
2 Misuse of shell builtins empty_function() {} Missing keyword or command
Here is one reasonable way I'd use ssh-agent and ssh-add, minimizing security risks by not keeping keys unlocked more than it is strictly needed within the script.
#!/usr/bin/env sh
# Do not leave key unlocked after execution of this script
trap 'ssh-add -d "$deploy_key_path"' EXIT INT
# If ssh-agent has an auth socket or has a PID
if [ -S "$SSH_AUTH_SOCK" ] || ps -p "$SSH_AGENT_PID" >/dev/null 2>&1; then
printf '<<<<< ssh-agent is already running >>>>>\n'
else
# Do not use back-ticks as it is legacy obsolete
eval "$(ssh-agent -s)"
fi
# Do not leave key unlocked more than 5 minutes
ssh-add -t 600 "$deploy_key_path"
I want to run a .sh file with a systemd service. Let's explain it a little bit. If I go to cd /home/ubuntu I can run ./vnc_startup.sh. This file creates a VNC connection and starts noVNC. Then I go to the browser open the address and login. I can run every command like as example rosrun rviz rviz because I have installed ROS.
If I use this service, it will not work:
cat /etc/systemd/system/novnc.service
[Unit]
After=NetworkManager.service time-sync.target
[Service]
Type=forking
User=ubuntu
Group=ubuntu
WorkingDirectory=/home/ubuntu
TimeoutStartSec=infinity
TimeoutStopSec=infinity
ExecStartPre=/bin/rm -f /home/ubuntu/no_vnc_startup.log
ExecStartPre=/bin/rm -f /home/ubuntu/vnc_startup.log
ExecStartPre=/bin/rm -f /home/ubuntu/wm.log
ExecStartPre=/bin/rm -f /home/ubuntu/wm_startup.log
ExecStart=/bin/bash -c "source /etc/environment; /home/ubuntu/vnc_startup.sh"
ExecStopPost=/bin/rm -f /home/ubuntu/no_vnc_startup.log
ExecStopPost=/bin/rm -f /home/ubuntu/vnc_startup.log
ExecStopPost=/bin/rm -f /home/ubuntu/wm.log
ExecStopPost=/bin/rm -f /home/ubuntu/wm_startup.log
[Install]
WantedBy=multi-user.target
I also tried it with systemctl --user start novnc.service and put the file inside /usr/lib/systemd/user instead of sudo systemctl start novnc.service and /etc/systemd/system/novnc.service.
Following workaround will work in the noVNC environment: I can open a Terminal. I can see ubuntu#hostname:~$. So it seems to be the right user and I am in the right working directory. Before running as example rosrun rviz rviz I have to run sudo su ubuntu. And then it works. If I had run ./vnc_startup.sh instead of running this script with systemd it works directly without the workaround with sudo su ubuntu.
Hard to explain. I hope you can understand me.
systemctl --user show-environment
HOME=/home/ubuntu
LANG=de_DE
LOGNAME=ubuntu
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
SHELL=/bin/bash
USER=ubuntu
XDG_RUNTIME_DIR=/run/user/1001
The command printenv makes clear that maybe the DISPLAY=:0 is missing, so I tried it with adding
export DISPLAY=:0
xset q
And I also added Environment=XAUTHORITY=/home/ubuntu/.Xauthority:
[Unit]
After=NetworkManager.service time-sync.target
[Service]
Type=forking
User=ubuntu
Group=ubuntu
WorkingDirectory=/home/ubuntu
Environment=XAUTHORITY=/home/ubuntu/.Xauthority
TimeoutStartSec=infinity
TimeoutStopSec=infinity
ExecStartPre=/bin/rm -f /home/ubuntu/no_vnc_startup.log
ExecStartPre=/bin/rm -f /home/ubuntu/vnc_startup.log
ExecStartPre=/bin/rm -f /home/ubuntu/wm.log
ExecStartPre=/bin/rm -f /home/ubuntu/wm_startup.log
ExecStart=/bin/bash -c "source /etc/environment; export DISPLAY=:0; xset q; /home/ubuntu/vnc_startup.sh"
ExecStopPost=/bin/rm -f /home/ubuntu/no_vnc_startup.log
ExecStopPost=/bin/rm -f /home/ubuntu/vnc_startup.log
ExecStopPost=/bin/rm -f /home/ubuntu/wm.log
ExecStopPost=/bin/rm -f /home/ubuntu/wm_startup.log
[Install]
WantedBy=multi-user.target
Here my log files:
cat no_vnc_startup.log
New 'shlServer01:1 (ubuntu)' desktop is shlServer01:1
Starting applications specified in /home/ubuntu/.vnc/xstartup
Log file is /home/ubuntu/.vnc/shlServer01:1.log
r settings:
- Listen on :6901
- Flash security policy server
- Web server. Web root: /home/ubuntu/noVNC
- No SSL/TLS support (no cert file)
- proxying from :6901 to localhost:5901
Navigate to this URL:
http://shlServer01:6901/vnc.html?host=shlServer01&port=6901
Press Ctrl-C to exit
192.168.0.6 - - [15/Dec/2021 15:16:56] 192.168.0.6: Plain non-SSL (ws://) WebSocket connection
192.168.0.6 - - [15/Dec/2021 15:16:56] 192.168.0.6: Version hybi-13, base64: 'False'
192.168.0.6 - - [15/Dec/2021 15:16:56] 192.168.0.6: Path: '/websockify'
192.168.0.6 - - [15/Dec/2021 15:16:56] connecting to: localhost:5901
cat vnc_startup.log
Killing Xvnc process ID 63164
Xvnc process ID 63164 already killed
cat wm.log
/usr/bin/startxfce4: X server already running on display :0
xfce4-session: Cannot open display: .
▒xfce4-session --help▒ eingeben, um mehr ▒ber die Verwendung zu erfahren.
cat wm_startup.log
------------------ startup of Xfce4 window manager ------------------
No protocol specified
xset: unable to open display ":0"
No protocol specified
xset: unable to open display ":0"
No protocol specified
xset: unable to open display ":0"
No protocol specified
xrdb: Resource temporarily unavailable
xrdb: Can't open display ':0'
No protocol specified
No protocol specified
/usr/bin/startxfce4: X server already running on display :0
xfce4-session: Cannot open display: .
▒xfce4-session --help▒ eingeben, um mehr ▒ber die Verwendung zu erfahren.
What surprises me is that this is not the error. The error messages also come when I start the script from the terminal and then it works.
The vnc_startup.sh looks like following:
#!/bin/bash
### every exit != 0 fails the script
set -e
## print out help
help (){
echo "
OPTIONS:
-w, --wait (default) keeps the UI and the vncserver up until SIGINT or SIGTERM will received
-s, --skip skip the vnc startup and just execute the assigned command.
example: docker run consol/centos-xfce-vnc --skip bash
-d, --debug enables more detailed startup output
e.g. 'docker run consol/centos-xfce-vnc --debug bash'
-h, --help print out this help
Fore more information see: https://github.com/ConSol/docker-headless-vnc-container
"
}
if [[ $1 =~ -h|--help ]]; then
help
exit 0
fi
# should also source /home/ubuntu/generate_container_user
source /home/ubuntu/.bashrc
# add `--skip` to startup args, to skip the VNC startup procedure
if [[ $1 =~ -s|--skip ]]; then
echo -e "\n\n------------------ SKIP VNC STARTUP -----------------"
echo -e "\n\n------------------ EXECUTE COMMAND ------------------"
echo "Executing command: '${#:2}'"
exec "${#:2}"
fi
if [[ $1 =~ -d|--debug ]]; then
echo -e "\n\n------------------ DEBUG VNC STARTUP -----------------"
export DEBUG=true
fi
## correct forwarding of shutdown signal
cleanup () {
kill -s SIGTERM $!
exit 0
}
trap cleanup SIGINT SIGTERM
## write correct window size to chrome properties
/home/ubuntu/chrome-init.sh
## resolve_vnc_connection
VNC_IP=$(hostname -i)
## change vnc password
echo -e "\n------------------ change VNC password ------------------"
# first entry is control, second is view (if only one is valid for both)
mkdir -p "/home/ubuntu/.vnc"
PASSWD_PATH="/home/ubuntu/.vnc/passwd"
if [[ -f $PASSWD_PATH ]]; then
echo -e "\n--------- purging existing VNC password settings ---------"
rm -f $PASSWD_PATH
fi
if [[ $VNC_VIEW_ONLY == "true" ]]; then
echo "start VNC server in VIEW ONLY mode!"
#create random pw to prevent access
echo $(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 20) | vncpasswd -f > $PASSWD_PATH
fi
echo "ubuntu" | vncpasswd -f >> $PASSWD_PATH
chmod 600 $PASSWD_PATH
## start vncserver and noVNC webclient
echo -e "\n------------------ start noVNC ----------------------------"
if [[ $DEBUG == true ]]; then echo "/home/ubuntu/noVNC/utils/launch.sh --vnc localhost:5901 --listen 6901"; fi
/home/ubuntu/noVNC/utils/launch.sh --vnc localhost:5901 --listen 6901 &> /home/ubuntu/no_vnc_startup.log &
PID_SUB=$!
echo -e "\n------------------ start VNC server ------------------------"
echo "remove old vnc locks to be a reattachable container"
vncserver -kill :1 &> /home/ubuntu/vnc_startup.log \
|| rm -rfv /tmp/.X*-lock /tmp/.X11-unix &> /home/ubuntu/vnc_startup.log \
|| echo "no locks present"
echo -e "start vncserver with param: VNC_COL_DEPTH=24, VNC_RESOLUTION=1280x1024\n..."
if [[ $DEBUG == true ]]; then echo "vncserver :1 -depth 24 -geometry 1280x1024"; fi
vncserver :1 -depth 24 -geometry 1280x1024 &> /home/ubuntu/no_vnc_startup.log
echo -e "start window manager\n..."
/home/ubuntu/wm_startup.sh &> /home/ubuntu/wm_startup.log
## log connect options
echo -e "\n\n------------------ VNC environment started ------------------"
echo -e "\nVNCSERVER started on DISPLAY= :1 \n\t=> connect via VNC viewer with $VNC_IP:5901"
echo -e "\nnoVNC HTML client started:\n\t=> connect via http://$VNC_IP:6901/?password=...\n"
if [[ $DEBUG == true ]] || [[ $1 =~ -t|--tail-log ]]; then
echo -e "\n------------------ /home/ubuntu/.vnc/*:1.log ------------------"
# if option `-t` or `--tail-log` block the execution and tail the VNC log
tail -f /home/ubuntu/*.log /home/ubuntu/.vnc/*:1.log
fi
if [ -z "$1" ] || [[ $1 =~ -w|--wait ]]; then
wait $PID_SUB
else
# unknown option ==> call command
echo -e "\n\n------------------ EXECUTE COMMAND ------------------"
echo "Executing command: '$#'"
exec "$#"
fi
The wm_startup.sh looks like this:
#!/usr/bin/env bash
### every exit != 0 fails the script
set -e
echo -e "\n------------------ startup of Xfce4 window manager ------------------"
### disable screensaver and power management
xset -dpms &
xset s noblank &
xset s off &
/usr/bin/startxfce4 --replace > /home/ubuntu/wm.log &
sleep 1
cat /home/ubuntu/wm.log
And it should not be important but the launch.sh file fom noVNC looks like this:
#!/usr/bin/env bash
# Copyright 2016 Joel Martin
# Copyright 2016 Solly Ross
# Licensed under MPL 2.0 or any later version (see LICENSE.txt)
usage() {
if [ "$*" ]; then
echo "$*"
echo
fi
echo "Usage: ${NAME} [--listen PORT] [--vnc VNC_HOST:PORT] [--cert CERT] [--ssl-only]"
echo
echo "Starts the WebSockets proxy and a mini-webserver and "
echo "provides a cut-and-paste URL to go to."
echo
echo " --listen PORT Port for proxy/webserver to listen on"
echo " Default: 6080"
echo " --vnc VNC_HOST:PORT VNC server host:port proxy target"
echo " Default: localhost:5900"
echo " --cert CERT Path to combined cert/key file"
echo " Default: self.pem"
echo " --web WEB Path to web files (e.g. vnc.html)"
echo " Default: ./"
echo " --ssl-only Disable non-https connections."
echo " "
exit 2
}
NAME="$(basename $0)"
REAL_NAME="$(readlink -f $0)"
HERE="$(cd "$(dirname "$REAL_NAME")" && pwd)"
PORT="6080"
VNC_DEST="localhost:5900"
CERT=""
WEB=""
proxy_pid=""
SSLONLY=""
die() {
echo "$*"
exit 1
}
cleanup() {
trap - TERM QUIT INT EXIT
trap "true" CHLD # Ignore cleanup messages
echo
if [ -n "${proxy_pid}" ]; then
echo "Terminating WebSockets proxy (${proxy_pid})"
kill ${proxy_pid}
fi
}
# Process Arguments
# Arguments that only apply to chrooter itself
while [ "$*" ]; do
param=$1; shift; OPTARG=$1
case $param in
--listen) PORT="${OPTARG}"; shift ;;
--vnc) VNC_DEST="${OPTARG}"; shift ;;
--cert) CERT="${OPTARG}"; shift ;;
--web) WEB="${OPTARG}"; shift ;;
--ssl-only) SSLONLY="--ssl-only" ;;
-h|--help) usage ;;
-*) usage "Unknown chrooter option: ${param}" ;;
*) break ;;
esac
done
# Sanity checks
which netstat >/dev/null 2>&1 \
|| die "Must have netstat installed"
netstat -ltn | grep -qs ":${PORT} .*LISTEN" \
&& die "Port ${PORT} in use. Try --listen PORT"
trap "cleanup" TERM QUIT INT EXIT
# Find vnc.html
if [ -n "${WEB}" ]; then
if [ ! -e "${WEB}/vnc.html" ]; then
die "Could not find ${WEB}/vnc.html"
fi
elif [ -e "$(pwd)/vnc.html" ]; then
WEB=$(pwd)
elif [ -e "${HERE}/../vnc.html" ]; then
WEB=${HERE}/../
elif [ -e "${HERE}/vnc.html" ]; then
WEB=${HERE}
elif [ -e "${HERE}/../share/novnc/vnc.html" ]; then
WEB=${HERE}/../share/novnc/
else
die "Could not find vnc.html"
fi
# Find self.pem
if [ -n "${CERT}" ]; then
if [ ! -e "${CERT}" ]; then
die "Could not find ${CERT}"
fi
elif [ -e "$(pwd)/self.pem" ]; then
CERT="$(pwd)/self.pem"
elif [ -e "${HERE}/../self.pem" ]; then
CERT="${HERE}/../self.pem"
elif [ -e "${HERE}/self.pem" ]; then
CERT="${HERE}/self.pem"
else
echo "Warning: could not find self.pem"
fi
# try to find websockify (prefer local, try global, then download local)
if [[ -e ${HERE}/websockify ]]; then
WEBSOCKIFY=${HERE}/websockify/run
if [[ ! -x $WEBSOCKIFY ]]; then
echo "The path ${HERE}/websockify exists, but $WEBSOCKIFY either does not exist or is not executable."
echo "If you intended to use an installed websockify package, please remove ${HERE}/websockify."
exit 1
fi
echo "Using local websockify at $WEBSOCKIFY"
else
WEBSOCKIFY=$(which websockify 2>/dev/null)
if [[ $? -ne 0 ]]; then
echo "No installed websockify, attempting to clone websockify..."
WEBSOCKIFY=${HERE}/websockify/run
git clone https://github.com/novnc/websockify ${HERE}/websockify
if [[ ! -e $WEBSOCKIFY ]]; then
echo "Unable to locate ${HERE}/websockify/run after downloading"
exit 1
fi
echo "Using local websockify at $WEBSOCKIFY"
else
echo "Using installed websockify at $WEBSOCKIFY"
fi
fi
echo "Starting webserver and WebSockets proxy on port ${PORT}"
#${HERE}/websockify --web ${WEB} ${CERT:+--cert ${CERT}} ${PORT} ${VNC_DEST} &
${WEBSOCKIFY} ${SSLONLY} --web ${WEB} ${CERT:+--cert ${CERT}} ${PORT} ${VNC_DEST} &
proxy_pid="$!"
sleep 1
if ! ps -p ${proxy_pid} >/dev/null; then
proxy_pid=
echo "Failed to start WebSockets proxy"
exit 1
fi
echo -e "\n\nNavigate to this URL:\n"
if [ "x$SSLONLY" == "x" ]; then
echo -e " http://$(hostname):${PORT}/vnc.html?host=$(hostname)&port=${PORT}\n"
else
echo -e " https://$(hostname):${PORT}/vnc.html?host=$(hostname)&port=${PORT}\n"
fi
echo -e "Press Ctrl-C to exit\n\n"
wait ${proxy_pid}
Suggesting to simply your /etc/systemd/system/novnc.service service unit with a single script for ExecStart command and a single script for ExecStop
/etc/systemd/system/novnc.service
[Unit]
After=NetworkManager.service time-sync.target
[Service]
Type=forking
User=ubuntu
Group=ubuntu
WorkingDirectory=/home/ubuntu
Environment=XAUTHORITY=/home/ubuntu/.Xauthority
TimeoutStartSec=infinity
TimeoutStopSec=infinity
ExecStart=/bin/bash -c "/home/ubuntu/servic_vnc_startup.sh"
ExecStop=/bin/bash -c "/home/ubuntu/servic_vnc_shutdown.sh"
[Install]
WantedBy=multi-user.target
/home/ubuntu/servic_vnc_startup.sh
#!\bin\bash
source /home/ubuntu/.bash_profile
source /etc/environment
export DISPLAY=:0
xset q;
rm -f /home/ubuntu/{no_vnc_startup.log,vnc_startup.log,wm.log,wm_startup.log}
/home/ubuntu/vnc_startup.sh
/home/ubuntu/servic_vnc_shutdown.sh
#!\bin\bash
source /home/ubuntu/.bash_profile
source /etc/environment
export DISPLAY=:0
xset q;
pkill -9 -f "/home/ubuntu/vnc_startup.sh"
rm -f /home/ubuntu/{no_vnc_startup.log,vnc_startup.log,wm.log,wm_startup.log}
Debugging
Login as user ubuntu.
Run /home/ubuntu/servic_vnc_startup.sh from command line.
If fails, fix it till it is successful.
Then try running /home/ubuntu/servic_vnc_startup.sh as user noboby:
sudo -u nobody "/home/ubuntu/servic_vnc_startup.sh"
User nobody has no shell and no environment context, as is the systemd service /etc/systemd/system/novnc.service.
If user nobody can run /home/ubuntu/servic_vnc_startup.sh then the /etc/systemd/system/novnc.service service unit can do as well.
Do same testing pattern with /home/ubuntu/servic_vnc_shutdown.sh
Lessons to learn:
Simplify service unit as much as possible.
Pull all scripting to a single shell script. Debug single shell script.
Avoid debugging handling service unit once deployed. Instead debug and modify called script.
Use user nobody user, to debug script to run without environment context and without shell.
I have a sample sh script on my Linux environment, which basically run's the ssh-agent for the current shell, adds a key to it and runs two git commands:
#!/bin/bash
eval "$(ssh-agent -s)"
ssh-add /home/duvdevan/.ssh/id_rsa
git -C /var/www/duvdevan/ reset --hard origin/master
git -C /var/www/duvdevan/ pull origin master
Script actually works fine, but every time I run it I get a new process so I think it might become a performance issue and I might end up having useless processes out there.
An example of the output:
Agent pid 12109
Identity added: /home/duvdevan/.ssh/custom_rsa (rsa w/o comment)
Also, along with all this, is it possible to find an existing ssh-agent process and add my keys into it?
No, really, how to check if ssh-agent is already running in bash?
Answers so far don't appear to answer the original question...
Here's what works for me:
if ps -p $SSH_AGENT_PID > /dev/null
then
echo "ssh-agent is already running"
# Do something knowing the pid exists, i.e. the process with $PID is running
else
eval `ssh-agent -s`
fi
This was taken from here
Also, along with all this, is it possible to find an existing ssh-agent process and add my keys into it?
Yes. We can store the connection info in a file:
# Ensure agent is running
ssh-add -l &>/dev/null
if [ "$?" == 2 ]; then
# Could not open a connection to your authentication agent.
# Load stored agent connection info.
test -r ~/.ssh-agent && \
eval "$(<~/.ssh-agent)" >/dev/null
ssh-add -l &>/dev/null
if [ "$?" == 2 ]; then
# Start agent and store agent connection info.
(umask 066; ssh-agent > ~/.ssh-agent)
eval "$(<~/.ssh-agent)" >/dev/null
fi
fi
# Load identities
ssh-add -l &>/dev/null
if [ "$?" == 1 ]; then
# The agent has no identities.
# Time to add one.
ssh-add -t 4h
fi
This code is from pitfalls of ssh agents which describes both the pitfalls of what you're currently doing, of this approach, and how you should use ssh-ident to do this for you.
If you only want to run ssh-agent if it's not running and do nothing otherwise:
if [ $(ps ax | grep [s]sh-agent | wc -l) -gt 0 ] ; then
echo "ssh-agent is already running"
else
eval $(ssh-agent -s)
if [ "$(ssh-add -l)" == "The agent has no identities." ] ; then
ssh-add ~/.ssh/id_rsa
fi
# Don't leave extra agents around: kill it on exit. You may not want this part.
trap "ssh-agent -k" exit
fi
However, this doesn't ensure ssh-agent will be accessible (just because it's running doesn't mean we have $SSH_AGENT_PID for ssh-add to connect to).
If you want it to be killed right after the script exits, you can just add this after the eval line:
trap "kill $SSH_AGENT_PID" exit
Or:
trap "ssh-agent -k" exit
$SSH_AGENT_PID gets set in the eval of ssh-agent -s.
You should be able to find running ssh-agents by scanning through /tmp/ssh-* and reconstruct the SSH_AGENT variables from it (SSH_AUTH_SOCK and SSH_AGENT_PID).
ps -p $SSH_AGENT_PID > /dev/null || eval "$(ssh-agent -s)"
Single line command. Run for the first time will start ssh-agent. Run for the second time will not start the ssh-agent. Simple and Elegant Mate !!!
Using $SSH_AGENT_PID can only test the ssh-agent but miss identities when it is not yet added
$ eval `ssh-agent`
Agent pid 9906
$ echo $SSH_AGENT_PID
9906
$ ssh-add -l
The agent has no identities.
So it would be save to check it with ssh-add -l with an expect script like example below:
$ eval `ssh-agent -k`
Agent pid 9906 killed
$ ssh-add -l
Could not open a connection to your authentication agent.
$ ssh-add -l &>/dev/null
$ [[ "$?" == 2 ]] && eval `ssh-agent`
Agent pid 9547
$ ssh-add -l &>/dev/null
$ [[ "$?" == 1 ]] && expect $HOME/.ssh/agent
spawn ssh-add /home/user/.ssh/id_rsa
Enter passphrase for /home/user/.ssh/id_rsa:
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
$ ssh-add -l
4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX /home/user/.ssh/id_rsa (RSA)
So when both ssh-agent and ssh-add -l are put to run on a bash script:
#!/bin/bash
ssh-add -l &>/dev/null
[[ "$?" == 2 ]] && eval `ssh-agent`
ssh-add -l &>/dev/null
[[ "$?" == 1 ]] && expect $HOME/.ssh/agent
then it would always check and assuring that the connection is running:
$ ssh-add -l
4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX /home/user/.ssh/id_rsa (RSA)
You can also emulate the repeating of commands on above script with do while
The accepted answer did not work for me under Ubuntu 14.04.
The test to check if the ssh-agent is running I have to use is:
[[ ! -z ${SSH_AGENT_PID+x} ]]
And I am starting the ssh-agent with:
exec ssh-agent bash
Otherwise the SSH_AGENT_PID is not set.
The following seems to work under both Ubuntu 14.04 and 18.04.
#!/bin/bash
sshkey=id_rsa
# Check ssh-agent
if [[ ! -z ${SSH_AGENT_PID+x} ]]
then
echo "[OK] ssh-agent is already running with pid: "${SSH_AGENT_PID}
else
echo "Starting new ssh-agent..."
`exec ssh-agent bash`
echo "Started agent with pid: "${SSH_AGENT_PID}
fi
# Check ssh-key
if [[ $(ssh-add -L | grep ${sshkey} | wc -l) -gt 0 ]]
then
echo "[OK] SSH key already added to ssh-agent"
else
echo "Need to add SSH key to ssh-agent..."
# This should prompt for your passphrase
ssh-add ~/.ssh/${sshkey}
fi
Thanks to all the answers here. I've used this thread a few times over the years to tweak my approach. Wanted to share my current ssh-agent.sh checker/launcher script that works for me on Linux and OSX.
The following block is my $HOME/.bash.d/ssh-agent.sh
function check_ssh_agent() {
if [ -f $HOME/.ssh-agent ]; then
source $HOME/.ssh-agent > /dev/null
else
# no agent file
return 1
fi
if [[ ${OSTYPE//[0-9.]/} == 'darwin' ]]; then
ps -p $SSH_AGENT_PID > /dev/null
# gotcha: does not verify the PID is actually an ssh-agent
# just that the PID is running
return $?
fi
if [ -d /proc/$SSH_AGENT_PID/ ]; then
# verify PID dir is actually an agent
grep ssh-agent /proc/$SSH_AGENT_PID/cmdline > /dev/null 2> /dev/null;
if [ $? -eq 0 ]; then
# yep - that is an agent
return 0
else
# nope - that is something else reusing the PID
return 1
fi
else
# agent PID dir does not exist - dead agent
return 1
fi
}
function launch_ssh_agent() {
ssh-agent > $HOME/.ssh-agent
source $HOME/.ssh-agent
# load up all the pub keys
for I in $HOME/.ssh/*.pub ; do
echo adding ${I/.pub/}
ssh-add ${I/.pub/}
done
}
check_ssh_agent
if [ $? -eq 1 ];then
launch_ssh_agent
fi
I launch the above from my .bashrc using:
if [ -d $HOME/.bash.d ]; then
for I in $HOME/.bash.d/*.sh; do
source $I
done
fi
Hope this helps others get up and going quickly.
Created a public gist if you want to hack/improve this with me: https://gist.github.com/dayne/a97a258b487ed4d5e9777b61917f0a72
cat /usr/local/bin/ssh-agent-pro << 'EOF'
#!/usr/bin/env bash
SSH_AUTH_CONST_SOCK="/var/run/ssh-agent.sock"
if [[ x$(wc -w <<< $(pidof ssh-agent)) != x1 ]] || [[ ! -e ${SSH_AUTH_CONST_SOCK} ]]; then
kill -9 $(pidof ssh-agent) 2>/dev/null
rm -rf ${SSH_AUTH_CONST_SOCK}
ssh-agent -s -a ${SSH_AUTH_CONST_SOCK} 1>/dev/null
fi
echo "export SSH_AUTH_SOCK=${SSH_AUTH_CONST_SOCK}"
echo "export SSH_AGENT_PID=$(pidof ssh-agent)"
EOF
echo "eval \$(/usr/local/bin/ssh-agent-pro)" >> /etc/profile
. /etc/profile
then you can ssh-add xxxx once, you can use ssh-agent everytime when you login.
I've noticed that having a running agent is not enough because sometimes, the SSH_AUTH_SOCK variable is set or pointing to a socket file that does not exist anymore.
Therefore, to connect to an already running ssh-agent on your machine, you can do this :
$ pgrep -u $USER -n ssh-agent -a
1906647 ssh-agent -s
$ ssh-add -l
Could not open a connection to your authentication agent.
$ test -z "$SSH_AGENT_PID" && export SSH_AGENT_PID=$(pgrep -u $USER -n ssh-agent)
$ test -z "$SSH_AUTH_SOCK" && export SSH_AUTH_SOCK=$(ls /tmp/ssh-*/agent.$(($SSH_AGENT_PID-1)))
$ ssh-add -l
The agent has no identities.
Regarding finding running ssh-agents, previous answers either don't work or rely on a magic file like $HOME/.ssh_agent. These approaches require us to believe that user never run agents without saving their output to this file.
My approach instead relies on a rarely changed default UNIX domain socket template to find an accessible ssh-agent among available possibilities.
# (Paste the below code to your ~/.bash_profile and ~/.bashrc files)
C=$SSH_AUTH_SOCK
R=n/a
unset SSH_AUTH_SOCK
for s in $(ls $C /tmp/ssh-*/agent.* 2>/dev/null | sort -u) ; do
if SSH_AUTH_SOCK=$s ssh-add -l >/dev/null ; then R=$? ; else R=$? ; fi
case "$R" in
0|1) export SSH_AUTH_SOCK=$s ; break ;;
esac
done
if ! test -S "$SSH_AUTH_SOCK" ; then
eval $(ssh-agent -s)
unset SSH_AGENT_PID
R=1
fi
echo "Using $SSH_AUTH_SOCK"
if test "$R" = "1" ; then
ssh-add
fi
In this approach, SSH_AGENT_PID remains unknown, since it is hard to deduce it for non-roots. I assume it is actually not required for users since they don't normally want to stop agents. On my system, setting SSH_AUTH_SOCK is enough to communicate with agent for e.g. passwordless authentication.
The code should work with any shell-compatible shell.
You can modify line #1 to:
PID_SSH_AGENT=`eval ssh-agent -s | grep -Po "(?<=pid\ ).*(?=\;)"`
And then at the end of the script you can do:
kill -9 $PID_SSH_AGENT
I made this bash function to count and return the number of running ssh-agent processes... it searches ssh-agent process using procfs instead of using $ ps -p $SSH_AGENT_PID:cmd or $SSH_AUTH_SOCK:var ... (these ENV-var. can still be set with old values while ssh-agent's process is already killed: if $ ssh-agent -k or $ $(ssh-agent -k) instead of $ eval $(ssh-agent -k))
function count_agent_procfs(){
declare -a agent_list=( )
for folders in $(ls -d /proc/*[[:digit:]] | grep -v /proc/1$);do
fichier="${folders}/stat"
pid=${folders/\/proc\//}
[[ -f ${fichier} ]] && [[ $(cat ${fichier} | cut -d " " -f2) == "(ssh-agent)" ]] && agent_list+=(${pid})
done
return ${#agent_list[#]}
}
..and then if there is a lot of ssh-agent process running you get their PID with this list..."${agent_list[#]}"
Very simple command to check how many processes are running for ssh-agent (or any other program): pidof ssh-agent
or:
pgrep ssh-agent
And very simple command to kill all processes of ssh-agent (or any program):
kill $(pidof ssh-agent)
This script required an ip and the script or file that we have to run on the remote server i gave a file in which i have wrote commands like
touch /root/test
ls /root/test
this make the file but do not show and it is displaying an error
tcgetattr: Inappropriate ioctl for device
connection closed
How can I resolve this is there any suggestion ??
#!/bin/bash
# The private key used to identify this machine
IDENTITY_KEY=/home/admnew.pem
syntax()
{
echo "Syntax: Ec2.sh server_ip scriptFile]"
echo "For example: ./Ec2.sh server_ip scriptFile"
exit 1
}
if [ $# -ne 2 ]
then
echo not enough arguments
syntax
fi
echo "Running script $2 on $1"
ssh -t -t -i $IDENTITY_KEY ec2-user#$1 sudo -i 'bash -s' < $2
exit
exit
echo "Done"
Try:
ssh -t -t -i $IDENTITY_KEY ec2-user#$1 sudo -i 'bash -s' <<EOF
(
$(cat "$2")
)
EOF
e.g. wrap the script into (), e.g the:
touch /root/test
ls /root/test
should be
(
touch /root/test
ls /root/test
)
I have a small list of servers, and I am trying to add a user on each of these servers. I can ssh individually to each server and run the command.
sudo /usr/sbin/useradd -c "Arun" -d /home/amurug -e 2014-12-12 -g users -u 1470 amurug
I wrote a script to loop through the list and run this command but I get some errors.
#!/bin/bash
read -p "Enter server list: " file
if [[ $file == *linux* ]]; then
for i in `cat $file`
do
echo "creating amurug on" $i
ssh $i sudo /usr/sbin/useradd -c "Arun" -d /home/amurug -e 2014-12-12 -g users -u 1470 amurug
echo "==============================================="
sleep 5
done
fi
When I run the script it does not execute the command.
creating amurug on svr102
Usage: useradd [options] LOGIN
Options:
What is wrong with my ssh crommand in my script?
Try this script:
#!/bin/bash
read -p "Enter server list: " file
if [[ "$file" == *linux* ]]; then
while read -r server
do
echo "creating amurug on" "$server"
ssh -t -t "$server" "sudo /usr/sbin/useradd -c Arun -d /home/amurug \
-e 2014-12-12 -g users -u 1470 amurug"
echo "==============================================="
sleep 5
done < "$file"
fi
As per man bash:
-t
Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.