
Encrypted TMUX scripts for easy SSH keysends

Daniel Mayovsky
A dude. Preaching Mithril.js to be the best MVC framework.

Context

My friend has been working on an experiment of clustering four Raspberry Pis into a home file server. To connect to all of them at the same time in one tmux session window, he wrote a script that splits the window into four panes and then uses send-keys to type the ssh command for each machine, with the external IP address and port number (since there are four of them, four ports are needed) and the corresponding password.

Problem

Because a tmux script is just an .sh file, it has the passwords, IPs and ports stored in it in plain text. I decided to come up with a little hack to make the tmux script unreadable: only after a password is typed to "unlock" it can you run it, and even then you still can't read it. So I came to a solution.

Solution

gpg encryption, with the decrypted output piped straight to sh:

tmux_script(){
    # decrypt to stdout (no plaintext file is written) and feed the script to sh
    gpg -d --quiet "./scripts/encryptedscript.sh.gpg" | sh
}

Explanation

gpg is an encryption and signing tool. You can encrypt your files with a passphrase, sign files, check signatures, etc.
To encrypt a file with gpg you just run

gpg -c encryptedscript.sh

It will create a file called encryptedscript.sh.gpg, which is the encrypted version of encryptedscript.sh. At this point, you can delete encryptedscript.sh.

Decrypting a file back to a file usually looks like this (the output file is given with -o; gpg does not take it as a second positional argument):

gpg -o decryptedscript.sh -d encryptedscript.sh.gpg

It will create a decryptedscript.sh file that is the decryption of our protected file. But you don't have to create a file. If you just run gpg -d filename.gpg without an output filename, it writes the decrypted content to standard output, as if it had been echoed into the terminal. And that is what we need: just pipe that output into a shell and it will run the script.
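The whole round trip from the Solution and Explanation sections (encrypt the script, delete the plaintext, run it later by piping gpg's output into sh) as one runnable POSIX sh example. This is an added example, not code from the post; it assumes GnuPG 2.x (for --pinentry-mode loopback) so the passphrase can be supplied non-interactively, and the file names, passphrase and stand-in script body are constructed for the demo. When you use this interactively, drop the --batch/--passphrase-fd flags and let gpg prompt, exactly as the post's tmux_script() does. Note that gpg only protects the script at rest: once the decrypted script runs, whatever it does with the passwords (typing them into a pane with send-keys) is outside gpg's protection.

```shell
#!/bin/sh
# Added example, not from the original post: the "encrypt, delete, gpg -d | sh"
# workflow as helper functions. Assumes GnuPG 2.x and a POSIX sh.
set -eu

# Nothing to demonstrate without gpg installed.
command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; exit 0; }

# Keep gpg's state in a throwaway directory so the demo never touches the
# user's real keyring or cached passphrases.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME

# Constructed stand-in for a cluster password that must not be readable on disk.
DEMO_SECRET="hunter2-demo-secret"

write_demo_script() {
    # $1 = path of the plaintext script to create.
    # Constructed stand-in for the tmux script: it echoes instead of ssh-ing.
    cat > "$1" <<EOF
#!/bin/sh
# This line stands in for the send-keys lines that carried the passwords.
echo "cluster script ran; secret was $DEMO_SECRET"
EOF
}

encrypt_script() {
    # $1 = plaintext script, $2 = output .gpg file, $3 = passphrase.
    # --passphrase-fd 0 reads the passphrase from stdin, so it never appears
    # in the process list the way --passphrase "..." would.
    printf '%s\n' "$3" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --output "$2" "$1"
}

run_encrypted() {
    # $1 = .gpg file, $2 = passphrase.
    # Mirrors the post's tmux_script(): the plaintext exists only in the pipe
    # to sh, never as a file on disk.
    printf '%s\n' "$2" | gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$1" | sh
}

ciphertext_hides() {
    # $1 = .gpg file, $2 = string that must not appear in it.
    # Returns 0 when the plaintext string cannot be found in the encrypted file.
    ! grep -q -F -- "$2" "$1"
}

demo_cleanup() {
    # Stop the agent gpg started for this throwaway home and remove the directory.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

demo() {
    work=$(mktemp -d)
    plain="$work/encryptedscript.sh"
    enc="$work/encryptedscript.sh.gpg"
    pass="correct horse battery staple"   # constructed demo passphrase
    write_demo_script "$plain"
    encrypt_script "$plain" "$enc" "$pass"
    rm "$plain"                           # the post's "you can delete" step
    if ciphertext_hides "$enc" "$DEMO_SECRET"; then
        echo "ciphertext does not contain the secret"
    fi
    run_encrypted "$enc" "$pass"          # prints the stand-in script's output
    rm -rf "$work"
    demo_cleanup
}

# Run the round trip only when asked: sh thisfile.sh demo
case "${1:-}" in
    demo) demo ;;
esac
```

Running `sh thisfile.sh demo` encrypts the constructed script, deletes the plaintext, checks that the secret string is not visible in the .gpg file, and then executes the script from the pipe. The passphrase handling via stdin is only there so the steps can be scripted; for the post's interactive use the plain `gpg -d --quiet file.gpg | sh` is all you need.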

Downside

Editing your script like this is a pain.

Hope this thing helps someone :)

Discussion (4)

Rob Hoelz

Neat hack! Out of curiosity, what made you decide to do this rather than use SSH keys and ssh-agent, and what inspired your friend to send the output via tmux send-keys rather than providing the command(s) to run on the ssh command line itself?

Daniel Mayovsky (Author)

Honestly, most of the setup is heavily under-thought from his side. He first SSHs into his own local machine and from there into his Raspberry Pis, so the whole external IPs and ports thing is nonsense, since they are supposed to run on a cluster for the external world.

Second, I myself am unaware of the ssh-agent. Will be from now :). In the long run it doesn't matter if he sends keys or provides an ssh command; he still has to type out a password in the script to avoid typing four different passwords for his cluster internally. This hack still makes sense since you are still running a tmux script for ease of workflow, but have to avoid any display of information about the RPs inside of the script, hence this whole encryption hack.

Thanks for the info though :)

Rob Hoelz

I'm happy to have helped you learn about ssh-agent - it's such a useful tool!

pklapperich

I use cluster-ssh for stuff like this.
