身份验证

即使在 ‘普通的’ OpenSSH 客户端中,对远程服务器的身份验证也涉及到多个潜在的机密和配置来源;Fabric 不仅支持其中的大部分功能,还拥有更多自己的功能。本文档概述了设置身份验证密钥的可用方法。

备注

由于 Fabric 本身并没有尝试重新创造太多 Paramiko 功能,所以大部分配置身份验证值的时间都归结为“如何为 SSHClient.connect 设置关键字参数值”,这反过来意味着在 connect_kwargs config 子树,或 connect_kwargs 关键字参数中设置值。

私钥文件

存储在磁盘上的私钥可能是 SSH 最常见的身份验证机制。Fabric 提供了多种方法来配置要使用的路径,其中大多数最终会合并成一个路径列表,然后按以下顺序交给 SSHClient.connect(key_filename=[...])

  • 如果在 Connectionconnect_kwargs 参数中存在 key_filename 键,则它们在列表中首先出现。(这基本上是非 CLI 用户的运行时选项。)

  • 配置设置 connect_kwargs.key_filename 可以通过多种方式设置(根据 config docs),包括通过 --identity CLI 标志(它设置配置的 overrides 级别;因此,当使用此标志时,来自其他配置源的键文件名值将被覆盖。)这个值在整个列表中排名第二。

  • 使用 ssh_config 文件与 IdentityFile 指令让你与其他 SSH 客户端共享配置;这些值排在最后。

加密密码

如果你的私钥文件是通过密码保护的,它可以通过几种方式提供:

  • connect_kwargs.passphrase 配置选项是提供 passphrase 自动使用的最直接的方式。

    备注

    Using actual on-disk config files for this type of material isn’t always wise, but recall that the configuration system is capable of loading data from other sources, such as your shell environment or even arbitrary remote databases.

  • If you prefer to enter the passphrase manually at runtime, you may use the command-line option --prompt-for-passphrase, which will cause Fabric to interactively prompt the user at the start of the process, and store the entered value in connect_kwargs.passphrase (at the ‘overrides’ level.)

Private key objects

Instantiate your own PKey object (see its subclasses’ API docs for details) and place it into connect_kwargs.pkey. That’s it! You’ll be responsible for any handling of passphrases, if the key material you’re loading (these classes can load from file paths or strings) is encrypted.

SSH agents

By default (similar to how OpenSSH behaves) Paramiko will attempt to connect to a running SSH agent (Unix style, e.g. a live SSH_AUTH_SOCK, or Pageant if one is on Windows). This can be disabled by setting connect_kwargs.allow_agent to False.

Passwords

Password authentication is relatively straightforward:

  • You can configure it via connect_kwargs.password directly.

  • If you want to be prompted for it at the start of a session, specify --prompt-for-login-password.

GSSAPI

Fabric doesn’t provide any extra GSSAPI support on top of Paramiko’s existing connect-time parameters (see e.g. gss_kex/gss_auth/gss_host/etc in SSHClient.connect) and the modules implementing the functionality itself (such as paramiko.ssh_gss.) Thus, as usual, you should be looking to modify the connect_kwargs configuration tree.