Welcome to schneider’s documentation¶
schneider is a small package for using multiple SSH keys and SSH agents with frameworks like fabric.
Note
schneider is in active development. There will be bugs and breaking changes.
Why schneider?¶
Services like GitHub and GitLab require a public SSH key if you want to pull or push code (usually the command line via SSH). Server administrators often use one key for one server, resulting in a whole bunch of keys cramped into an SSH agent. Tools like keychain provide a convenient way to load and hold your keys in an SSH agent so that a simple ssh myserver authenticates without password interaction.
But what happens if you want to use SSH from Python, e.g. via paramiko? If there are only a few keys (three to maybe five) managed by your SSH agent, then there should be no problem; authentication should work flawlessly. If you have many keys loaded into the SSH agent, the authentication will probably fail. A quick look into the SSH server’s log file gives a hint: too many authentication failures. The default SSH server configuration allows three authentication failures and then the server closes the connection. What happened? paramiko uses your SSH agent, so far so good. But the agent will present all keys it holds, one after another, for authentication! So it may happen that the key we needed for this particular server will never be reached.
One solution is to raise the number of allowed authentications on the server side, but this will increase the risk of brute force attacks. Another possibility is to restrict the number of keys a single agent manages. This idea was first developed (to my knowledge) by ssh-ident, a tool that tries to minimize the time keys were stored in memory and isolate keys for different use cases (work, home etc.). ssh-ident wraps the normal ssh command and can create different agents and different sets of keys. The command then runs in a prepared environment that provides the specific SSH_AUTH_SOCK and SSH_AGENT_PID variables according to the use case. schneider provides a similar solution for Python programs.
Solution¶
schneider takes this idea of isolating keys and agents and provides two small
classes, schneider.agent.SSHAgent
and schneider.manager.Manager
.
The first one handles the creation of an ssh-agent process and adding keys to
it, the later can “activate” an instance of SSHAgent to provide the required
environment variables for paramiko (or fabric) to connect to a specific server.
What’s that odd name?¶
schneider is the german word for tailor or dressmaker. schneider was developed because I wanted to use the fabric framework to ease my daily work as a sysadmin. And fabric is used by tailors to make nice clothes, so…
Table of Contents¶
Indices and Tables¶
Icon made from Icon Fonts is licensed by CC BY 3.0.