ssh/keychain dilemma



I've been using ssh with a cron job to do backups for quite a while now. But I'm realizing that the way I've been doing it (i.e., having the cron job ssh in using a key without a passphrase) is rather insecure. So I've been looking into ways to make the setup more secure by integrating a passphrase into the mix.

This obviously has led me to the keychain utility, which appears to be the generally recommended way to let cron jobs do unattended ssh. The documentation generally recommends starting keychain when you log in, which then lets all subsequent processes on the box access the ssh keys.

My problem is, though, I'm trying to enable this on a file server, which I very rarely interactively log into. So consequently, starting keychain on login won't solve the problem here.

I imagine that it could be possible to start keychain on system boot, but I'm not thrilled with that idea either, as it would interrupt the boot sequence with a password prompt and thus prevent completely unattended booting of the file server.

Anyone have a good solution to this dilemma?

TIA,

DR
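The two halves of the setup the post is weighing, as an added example that is not part of the original post: a server-side authorized_keys entry that confines a passphrase-less cron key to one forced command from one source address (so a copied key only lets its holder trigger that backup, not open a shell), and a cron-side helper that picks up keychain's environment file and verifies the agent socket it names is actually live, rather than assuming an interactive login has happened. The host 192.0.2.10, the command path /usr/local/bin/backup-receive and the public key are constructed placeholders; the file name ~/.keychain/<hostname>-sh is where keychain writes its environment by default.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Part 1: restricting a passphrase-less backup key in authorized_keys.
# Part 2: letting a cron job reuse an agent started by keychain.
# Hostnames, paths and the key below are constructed placeholders.

# Build a restricted authorized_keys entry for the backup key.
# $1 = public key (type, base64 blob, optional comment)
# $2 = client host or address the key may connect from
# $3 = the only command the key is allowed to run on the server
# The client's own command line is ignored by sshd and exposed to the
# forced command via SSH_ORIGINAL_COMMAND, so the forced command can
# refuse anything other than the expected rsync/tar invocation.
restricted_key_line() {
    pubkey=$1; src=$2; cmd=$3
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$src" "$cmd" "$pubkey"
}

# Audit check: does an authorized_keys line carry both a source
# restriction and a forced command?  Returns 0 if yes, 1 otherwise.
key_line_is_restricted() {
    line=$1
    case $line in
        *'from="'*'command="'*) return 0 ;;
        *'command="'*'from="'*) return 0 ;;
    esac
    return 1
}

# Source keychain's environment file and verify the agent it points at.
# keychain writes $HOME/.keychain/<hostname>-sh when it is started at
# login; a cron job can source that file to inherit SSH_AUTH_SOCK.
# $1 = path of the env file (defaults to keychain's location).
# Returns 1 if the file is missing or the socket is not live, so the
# backup job can fail loudly instead of hanging on a passphrase prompt.
load_keychain_env() {
    envfile=${1:-"$HOME/.keychain/$(hostname)-sh"}
    if [ ! -r "$envfile" ]; then
        echo "no keychain env file at $envfile (keychain not started?)" >&2
        return 1
    fi
    # shellcheck disable=SC1090
    . "$envfile"
    if [ -z "$SSH_AUTH_SOCK" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK (${SSH_AUTH_SOCK:-unset}) is not a live agent socket" >&2
        return 1
    fi
    return 0
}

# Typical cron-side use (constructed): abort unless an agent is available,
# then run the backup with the key already loaded in that agent.
run_backup_via_agent() {
    load_keychain_env "$1" || return 1
    # e.g. rsync -a --delete /srv/data/ backup@192.0.2.10:/backups/fileserver/
    return 0
}
```

The authorized_keys line goes into the backup account's ~/.ssh/authorized_keys on the receiving side; with it in place, even a passphrase-less key limits an attacker to invoking /usr/local/bin/backup-receive from 192.0.2.10. The agent helper does not remove the need for someone to type the passphrase once after a reboot; it only makes the cron job detect that situation and exit non-zero instead of stalling.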


