bash 如何在脚本中使用 Google 应用程序专用密码?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10258509/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use Google application-specific password in script?
提问by l0b0
Since enabling 2-factor authentication (aka. 2-step verification) on Google, my Google export scriptsno longer work. The computer is verified and trusted, but somehow the scripts are not. In effect, every time the cron job is run I receive a new "Google verification code" and the script fails. I assume it should be a simple matter to authenticate such scripts once and for all with wgetor curl, but I couldn't find any documentation for how to do it.
由于在 Google 上启用了两步验证(又名两步验证),我的Google 导出脚本不再有效。计算机经过验证和信任,但不知何故脚本没有。实际上,每次运行 cron 作业时,我都会收到一个新的“Google 验证码”并且脚本失败。我认为使用wgetor一劳永逸地验证此类脚本应该是一件简单的事情curl,但我找不到任何有关如何执行此操作的文档。
Google authentication schemes have gone through many iterations, and I can no longer seem to log in using curlor mechanicalsoup. I've tried using URLs like https://accounts.google.com/ServiceLogin?continue=https://calendar.google.com/calendar/exporticalzip&[email protected]&Passwd=application-specific-password, and I always get redirected to a login page, usually with the message "Please use your account password instead of an application-specific password."
Google 身份验证方案经过多次迭代,我似乎无法再使用curl或登录mechanicalsoup。我尝试过使用类似 的 URL https://accounts.google.com/ServiceLogin?continue=https://calendar.google.com/calendar/exporticalzip&[email protected]&Passwd=application-specific-password,但我总是被重定向到登录页面,通常带有“请使用您的帐户密码而不是应用程序特定密码”的消息。
采纳答案by Mikko Rantalainen
Are you absolutely sure that you want to use 2-factor auth with the shell scripts? If so, you don't need to try to get your computer or script as "trusted". You just do the full 2-factor auth every time you run the script.
您确定要对 shell 脚本使用 2-factor auth 吗?如果是这样,您无需尝试将您的计算机或脚本设为“受信任”。每次运行脚本时,您只需执行完整的 2 因素身份验证。
If the target is to skip the manual second factor auth, I'd suggest using application-specific password instead (as already suggested by other answers). Just pretend that you're not using 2-factor auth at alland use your real login name but set password to one generated at https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en(subpage of https://www.google.com/settings/security).
如果目标是跳过手动第二因素身份验证,我建议改用特定于应用程序的密码(正如其他答案所建议的那样)。只是假装你不使用双因素身份验证,在所有和使用真实的登录名,但设定密码,以一个在产生https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en(子页面的HTTPS ://www.google.com/settings/security)。
The intent is to set Application-specific password "Name" to a value that is meaningful to you. For example, I have passwords labeled "Pidgin at work", "My Android Phone", "Thunderbird Google Address Book Extension at Work" etc. You could have one for "Calendar and Reader Export Script". If you ever believe that this Application-specific password is compromised ("leaked"), just hit the "Revoke" link on the same page and then generate a new password for your script.
目的是将特定于应用程序的密码“名称”设置为对您有意义的值。例如,我的密码标记为“工作中的 Pidgin”、“我的 Android 手机”、“工作中的 Thunderbird Google 地址簿扩展”等。您可以为“日历和阅读器导出脚本”设置一个。如果您认为此特定于应用程序的密码已泄露(“泄露”),只需点击同一页面上的“撤销”链接,然后为您的脚本生成一个新密码。
For the code, just use the last version that worked with Google single factor auth. Update:because the original question used URL https://accounts.google.com/ServiceLoginfor initiating the session login it's practically faking browser login. However, Google does not officially support this and as I'm writing this, it seems that using application specific password for normal login will end up with error message "Please use your account password instead of an application-specific password".
对于代码,只需使用与 Google 单因素身份验证配合使用的最新版本。更新:因为原始问题使用 URLhttps://accounts.google.com/ServiceLogin来启动会话登录,所以它实际上是伪造浏览器登录。但是,Google 并未正式支持这一点,在我撰写本文时,似乎使用特定于应用程序的密码进行正常登录最终会出现错误消息“请使用您的帐户密码而不是特定于应用程序的密码”。
One thing to understand about the Google 2-factor auth and "trusted computer" is that the actual implementation just adds a permanent cookie with 30 days expiry time to your browser. Trusted computer does not mean your IP address were trusted or some other magical connection were created. Unless your scripts capture the "trusted computer" cookie from your browser of choice, it does not matter at all if you've ever marked your computer as trusted. (The Google form should not say "Remember this computer for 30 days" but "Trust this browser and user account combination for 30 days (save permanent cookie)". However, I guess that was considered too technical...)
关于 Google 2-factor auth 和“受信任的计算机”需要了解的一件事是,实际实现只是向您的浏览器添加了一个具有 30 天到期时间的永久 cookie。受信任的计算机并不意味着您的 IP 地址受信任或创建了其他一些神奇的连接。除非您的脚本从您选择的浏览器中捕获了“受信任的计算机”cookie,否则您是否曾将计算机标记为受信任都无关紧要。(Google 表单不应该说“记住这台计算机 30 天”而是“信任此浏览器和用户帐户组合 30 天(保存永久 cookie)”。但是,我想这被认为太技术性了......)
Update:(copied from my comment below) The only officially supported method (Server to Server applications) is documented at https://developers.google.com/accounts/docs/OAuth2ServiceAccount. It requires OAuth/JWT encoding the request and using Service Account private key created at https://code.google.com/apis/console. As an alternative you could use ClientLogin authentication (already deprecated, best effort service until 2015).
更新:(从我下面的评论中复制)唯一官方支持的方法(服务器到服务器应用程序)记录在https://developers.google.com/accounts/docs/OAuth2ServiceAccount。它需要对请求进行 OAuth/JWT 编码并使用在https://code.google.com/apis/console 上创建的服务帐户私钥。作为替代方案,您可以使用 ClientLogin 身份验证(在 2015 年之前已弃用,尽力而为的服务)。
If you decide to go with OAuth, you might want to look at http://blog.yjl.im/2010/05/bash-oauth.htmland https://github.com/oxys-net/curl-oauth
如果您决定使用 OAuth,您可能需要查看http://blog.yjl.im/2010/05/bash-oauth.html和https://github.com/oxys-net/curl-oauth
回答by Bruce
My python scripts stopped sending e-mails, so I generated the application specific password, changed my script utility gmail account (e.g., [email protected]) to that password and then successfully used that password (e.g. 'applicationpassw') through the following python script fragment (sorry, no complete example).
我的 python 脚本停止发送电子邮件,所以我生成了应用程序特定密码,将我的脚本实用程序 gmail 帐户(例如 [email protected])更改为该密码,然后通过以下方式成功使用该密码(例如“applicationpassw”) python 脚本片段(抱歉,没有完整的示例)。
email = SMTPHandler(mailhost=('smtp.gmail.com',587),
fromaddr='[email protected]',
toaddrs=['[email protected]'],
subject= webSite + ' not working',
credentials=('[email protected]','applicationpassw'),
secure=())
logger.addHandler(email)
So it appears, at least with python 3.6.5 on Windows 10, that all one needs to do is change to using the sixteen char application specific password on the account and in the application.
因此,至少对于 Windows 10 上的 python 3.6.5,所有需要做的就是更改为在帐户和应用程序中使用十六个字符的应用程序特定密码。
回答by Tgr
回答by scrineym
Making application specific passwords works for my scripts, all you do is create the password and then in your script where you have your google accounts password enter in the application specific password instead.
使应用程序特定密码适用于我的脚本,您所做的就是创建密码,然后在您的脚本中输入您的谷歌帐户密码,而不是输入应用程序特定密码。
See here for more on application specific passwords:
有关应用程序特定密码的更多信息,请参见此处:
Application Specific Passwords
Hope this helps !!
希望这可以帮助 !!
