There is a self-written script:

    declare NAMECRT="dev"
    declare TYPECRT="client"
    declare -r SERVER="root@12.34.56.78"
    declare -r LOCALUSER="lu"
    declare -r REMOTEUSER="ru"
    #declare -r NAMESERVER="server_name"   # Used only when TYPECRT="server"

    su "${LOCALUSER}" -c "
        cd /home/"${LOCALUSER}"/easy-rsa-master/easyrsa3
        [ ! -d /home/"${LOCALUSER}"/easy-rsa-master/easyrsa3/pki ] && ./easyrsa init-pki
        ./easyrsa gen-req "${NAMECRT}"
    "

    scp /home/"${LOCALUSER}"/easy-rsa-master/easyrsa3/pki/reqs/"${NAMECRT}.req" "${SERVER}":/home/"${REMOTEUSER}"/easy-rsa-master/easyrsa3/pki/reqs

    ssh "${SERVER}" "
        cd /home/"${REMOTEUSER}"/easy-rsa-master/easyrsa3/pki/reqs
        [ -f ./"${NAMECRT}.req" ] && chown -c "${REMOTEUSER}":"${REMOTEUSER}" ./"${NAMECRT}.req"
        su -l ca -c '
            cd /home/"${REMOTEUSER}"/easy-rsa-master/easyrsa3
            if [[ "${TYPECRT}" = "client" ]]; then
                ./easyrsa sign-req "${TYPECRT}" "${NAMECRT}"
            elif [[ "${TYPECRT}" = "server" ]]; then
                ./easyrsa sign-req "${TYPECRT}" "${NAMESERVER}"
            else
                echo "ERROR TYPECRT: ${TYPECRT}"
                exit 1
            fi
        '
    "

    if [[ "${TYPECRT}" = "client" ]]; then
        mkdir -p /etc/openvpn/"${TYPECRT}"/"${NAMECRT}"
        # develop.crt, ca.crt
        scp "${SERVER}":"/home/"${REMOTEUSER}"/easy-rsa-master/easyrsa3/pki/issued/"${NAMECRT}.crt" \
            /home/${REMOTEUSER}/easy-rsa-master/easyrsa3/pki/ca.crt" /etc/openvpn/"${TYPECRT}"/"${NAMECRT}"
        # develop.key
        cp /home/${LOCALUSER}/easy-rsa-master/easyrsa3/pki/private/"${NAMECRT}.key" /etc/openvpn/"${TYPECRT}"/"${NAMECRT}"
        # ta.key
        if [ ! -f /etc/openvpn/server/ta.key ]; then
            cd /etc/openvpn/server/
            openvpn --genkey --secret ta.key
        fi
        cp /etc/openvpn/server/ta.key /etc/openvpn/"${TYPECRT}"/"${NAMECRT}"
    elif [[ "${TYPECRT}" = "server" ]]; then
        # vpn_server.crt, crl.pem, ca.crt
        scp "${SERVER}":"\
            /home/"${REMOTEUSER}"/easy-rsa-master/easyrsa3/pki/issued/"${NAMESERVER}".crt \
            /home/"${REMOTEUSER}"/easy-rsa-master/easyrsa3/pki/crl.pem \
            /home/"${REMOTEUSER}"/easy-rsa-master/easyrsa3/pki/ca.crt" /etc/openvpn/"${TYPECRT}"
        # server.key
        cp /home/"${LOCALUSER}"/easy-rsa-master/easyrsa3/pki/private/"${NAMECRT}".key /etc/openvpn/"${TYPECRT}"
        # dh.pem
        su "${LOCALUSER}" -c "
            cd /home/${LOCALUSER}/easy-rsa-master/easyrsa3
            ./easyrsa gen-dh
        "
        cp /home/"${LOCALUSER}"/easy-rsa-master/easyrsa3/pki/dh.pem /etc/openvpn/"${TYPECRT}"
    else
        echo "ERROR"
        exit 1
    fi

    if [ -d /etc/openvpn/"${TYPECRT}"/"${NAMECRT}" ]; then
        cd /etc/openvpn/client
        cp -r ./"${NAMECRT}" /home/${LOCALUSER}/down
    fi

There is server A with VPN, there is server B with CA. The script is located on server A and is executed on it. The essence of the script is certificate generation. On server A, a request is generated, sent to server B, signed and returned. Everything works, everything is fine.

But there is an inconvenience: the password has to be entered many times. Putting an ssh key on it is a bad option, because if you protect it with a passphrase you still have to enter the password every time anyway, and without a passphrase I would not want to set up access from one server to the other, otherwise the separation of CA and VPN is lost.

The question is whether it is possible to arrange things so that the session is not dropped after the first connection, and afterwards it is possible to switch from the remote to the local server, execute commands, and end the session once the whole operation is finished?

  • Doesn't an encrypted key + ssh-agent satisfy you? - Fat-Zer
  • @Fat-Zer correct me if I'm wrong. When accessing by key with a passphrase, it has to be entered on every connection; without a passphrase, anyone can generate a certificate for themselves or get onto this remote server. - imsysmem
  • In general, yes, only Vasya will first have to get hold of the key itself... but ssh-agent is a utility that lets you enter the key's password once and then store it in memory in decrypted form, safely (as far as possible), and use it when connecting. - Fat-Zer
  • Everything is roughly as you described: a private/public key pair is generated on the local machine, after which the public one is sent to the remote server and added to the key list; after that the remote machine can be accessed by key without specifying a password... But usually the private part of the key is additionally encrypted, so that if an attacker takes possession of the key he cannot use it; this encryption is provided by the password specified in ssh-keygen... - Fat-Zer
  • @imsysmem, I don't really understand how ssh-agent works - for example - aleksandr barakin

1 answer

If you reduce the task to "configure key access to the ssh server, keep the key encrypted, but do not enter the password every time", then the typical solution would be to use ssh-agent.

A typical usage pattern:

 eval $(ssh-agent); ssh-add   # enter the key's password
 # all the work with ssh/scp/sftp etc.; the password does not need to be entered again
 ssh-agent -k                 # don't forget to stop the agent when it is no longer needed

In addition, if the agent is started from a script and then stopped, it may be useful to set a trap:

 trap "ssh-agent -k" 0 

upd: note that when ssh-add is started without arguments, it loads the key files from this user's $HOME directory:

~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity

man ssh-add
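The ssh-agent pattern from the answer applied to the asker's request-sign-fetch flow, as an added example that is not code from the question or the answer. The key path, the easy-rsa directory layout and the RUN_FLOW switch are assumptions; the host and user names are the ones from the question's script.

```shell
#!/bin/bash
# Added example, not code from the question or the answer: the same
# "request -> sign on server B -> fetch" steps, run inside one ssh-agent
# session so the key passphrase is typed once and the agent dies with the script.
# Assumed: the key file is a passphrase-protected key authorised for root@SERVER.
set -eu

# Stop our agent if one is running; safe to call twice (also used by the trap).
stop_agent() {
    if [ -n "${SSH_AGENT_PID:-}" ]; then
        ssh-agent -k >/dev/null 2>&1 || true
        unset SSH_AGENT_PID SSH_AUTH_SOCK
    fi
}

# Start a private agent for this script, register the trap from the answer
# (signal 0 = EXIT), and load the key: the passphrase prompt happens here, once.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    trap stop_agent 0
    ssh-add "$1"
}

# Exit status of `ssh-add -l`: 0 = keys loaded, 1 = agent empty, 2 = no agent.
agent_state() {
    local rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in 0) echo loaded ;; 1) echo empty ;; *) echo none ;; esac
}

# The question's client flow over the agent session. BatchMode=yes makes ssh/scp
# fail instead of falling back to a password prompt if the agent key is refused,
# so a broken key setup is noticed rather than silently worked around by hand.
issue_client_cert() {
    local name="$1" server="$2" ruser="$3" luser="$4"
    local er="easy-rsa-master/easyrsa3" o="-o BatchMode=yes"
    scp $o "/home/$luser/$er/pki/reqs/$name.req" "$server:/home/$ruser/$er/pki/reqs/"
    ssh $o "$server" "su -l ca -c 'cd /home/$ruser/$er && ./easyrsa sign-req client $name'"
    mkdir -p "/etc/openvpn/client/$name"
    scp $o "$server:/home/$ruser/$er/pki/issued/$name.crt" \
           "$server:/home/$ruser/$er/pki/ca.crt" "/etc/openvpn/client/$name/"
    cp "/home/$luser/$er/pki/private/$name.key" "/etc/openvpn/client/$name/"
}

main() {
    start_agent /root/.ssh/id_ed25519_ca           # assumed key path
    issue_client_cert dev root@12.34.56.78 ru lu   # values from the question's script
}
if [ "${RUN_FLOW:-0}" = 1 ]; then main; fi       # RUN_FLOW=1 ./script.sh
```

Only the ssh/scp prompts disappear: easyrsa's own interactive questions on server B still come through the forwarded stdin, exactly as in the original script.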