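Authentication
Even in the ‘vanilla’ OpenSSH client, authenticating to remote servers involves multiple potential sources of secrets and configuration; Fabric supports most of those and adds more of its own. This document outlines the available methods for setting authentication secrets.
Note
Since Fabric itself tries not to reinvent too much Paramiko functionality, most of the time configuring authentication values boils down to “how do I set keyword argument values for SSHClient.connect”, which in turn means setting values inside either the connect_kwargs config subtree or the connect_kwargs keyword argument.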
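Private key files
Private keys stored on disk are probably the most common authentication mechanism for SSH. Fabric offers multiple methods of configuring which paths to use, most of which end up merged into one list of paths that is handed to SSHClient.connect(key_filename=[...]) in the following order:
- If a key_filename key exists in the connect_kwargs argument to Connection, those values come first in the list. (This is basically the runtime option for non-CLI users.)
- The config setting connect_kwargs.key_filename can be set in a number of ways (as per the config docs), including via the --identity CLI flag (which sets the overrides level of the config; so when this flag is used, key filename values from other config sources are overridden). This value comes second in the overall list.
- Using an ssh_config file with IdentityFile directives lets you share configuration with other SSH clients; such values come last.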
Encryption passphrases
If your private key file is protected by a passphrase, it can be supplied in a handful of ways:
- The connect_kwargs.passphrase config option is the most direct way to supply a passphrase to be used automatically.
  Note
  Using actual on-disk config files for this type of material isn’t always wise, but recall that the configuration system is capable of loading data from other sources, such as your shell environment or even arbitrary remote databases.
- If you prefer to enter the passphrase manually at runtime, you may use the command-line option --prompt-for-passphrase, which will cause Fabric to interactively prompt the user at the start of the process and store the entered value in connect_kwargs.passphrase (at the ‘overrides’ level).
Private key objects
Instantiate your own PKey object (see its subclasses’ API docs for details) and place it into connect_kwargs.pkey. That’s it!
You’ll be responsible for any handling of passphrases, if the key material you’re loading (these classes can load from file paths or strings) is encrypted.
SSH agents
By default (similar to how OpenSSH behaves) Paramiko will attempt to connect to a running SSH agent (Unix style, e.g. a live SSH_AUTH_SOCK, or Pageant if one is on Windows). This can be disabled by setting connect_kwargs.allow_agent to False.
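Added example (not from the Fabric documentation): a sketch that builds connect_kwargs for one passphrase-protected key file, takes the passphrase from the environment instead of an on-disk config file, and turns off the SSH agent. The helper names, the DEPLOY_KEY_PASSPHRASE variable and the file-permission check are assumptions of this example; look_for_keys is a Paramiko SSHClient.connect option that this page does not otherwise cover.

```python
import os
import stat


def build_connect_kwargs(key_path, env=os.environ,
                         passphrase_var="DEPLOY_KEY_PASSPHRASE"):
    """Return a connect_kwargs dict that names one key file explicitly.

    passphrase_var is a hypothetical variable name chosen for this example.
    """
    mode = os.stat(key_path).st_mode
    if not stat.S_ISREG(mode):
        raise ValueError(f"{key_path} is not a regular file")
    # Assumption of this example: refuse keys that group/other can access
    # (POSIX mode bits), the same hygiene OpenSSH's client enforces.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{key_path} is accessible to group/other")

    kwargs = {
        # Values from connect_kwargs.key_filename config and ssh_config
        # IdentityFile are still merged in by Fabric, as listed above.
        "key_filename": [key_path],
        # Do not consult a running agent (SSH_AUTH_SOCK / Pageant).
        "allow_agent": False,
        # Paramiko option: skip automatic discovery of keys in ~/.ssh.
        "look_for_keys": False,
    }
    # Only set a passphrase when one was actually provided.
    passphrase = env.get(passphrase_var)
    if passphrase:
        kwargs["passphrase"] = passphrase
    return kwargs


def open_connection(host, user, key_path):
    """Create (but do not yet open) a Fabric Connection with those kwargs."""
    from fabric import Connection  # imported lazily; requires Fabric
    return Connection(host, user=user,
                      connect_kwargs=build_connect_kwargs(key_path))
```
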
Passwords
Password authentication is relatively straightforward:
- You can configure it via connect_kwargs.password directly.
- If you want to be prompted for it at the start of a session, specify --prompt-for-login-password.
GSSAPI
Fabric doesn’t provide any extra GSSAPI support on top of Paramiko’s existing connect-time parameters (see e.g. gss_kex/gss_auth/gss_host/etc in SSHClient.connect) and the modules implementing the functionality itself (such as paramiko.ssh_gss). Thus, as usual, you should be looking to modify the connect_kwargs configuration tree.