ssh/keychain dilemma
I've been using ssh with a cron job to do backups for quite a while now. But I'm realizing that the way I've been doing it (i.e., having the cron job ssh in using a key without a passphrase) is rather insecure. So I've been looking into ways to make the setup more secure by integrating a passphrase into the mix.

This obviously has led me to the keychain utility, which appears to be the generally recommended way to let cron jobs do unattended ssh. The documentation generally recommends starting keychain when you log in, which then lets all subsequent processes on the box access the ssh keys.

My problem is, though, I'm trying to enable this on a file server, which I very rarely interactively log into. So consequently, starting keychain on login won't solve the problem here.

I imagine that it could be possible to start keychain on system boot, but I'm not thrilled with that idea either, as it would interrupt the boot sequence with a password prompt and thus prevent completely unattended booting of the file server.

Anyone have a good solution to this dilemma?

TIA,

DR
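Added example, not part of the original post and not code from the keychain project. Whatever is done with keychain, a key that a cron job must use unattended ends up usable without a passphrase on that box (either the key has none, or an agent holds it decrypted), so the usual complement is to limit, on the remote side, what the backup key is allowed to do: an authorized_keys entry with from=, a forced command= and the no-pty/no-forwarding options, plus a forced-command wrapper that only lets the expected rsync server invocation through. The hostname, wrapper path, backup directory and sample key below are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the keychain project).
# Locks a passphrase-less backup key down on the server side so that it
# can run only one command, from one host, with no pty or forwarding.
# Hostnames, paths and the sample key are assumptions for illustration.

# restrict_key PUBKEY_LINE FROM_HOST WRAPPER
# Emit an authorized_keys line for PUBKEY_LINE that forces WRAPPER to run,
# accepts the key only from FROM_HOST, and disables pty and forwarding.
# Only the key type and blob are kept; the key comment is dropped.
restrict_key() {
    key=$1
    from_host=$2
    wrapper=$3
    set -- $key                     # split into type, blob, comment
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s\n' \
        "$from_host" "$wrapper" "$1" "$2"
}

# allow_original_command CMD
# Policy applied by the forced-command wrapper to $SSH_ORIGINAL_COMMAND:
# accept only an rsync server invocation writing under /srv/backup/
# (assumed backup directory), with no shell metacharacters and no "..".
# Returns 0 if CMD is allowed, 1 otherwise.  Rejections are listed first
# because the first matching pattern wins.
allow_original_command() {
    case "$1" in
        *['`;&|$()<>']*) return 1 ;;                 # shell metacharacters
        *..*)            return 1 ;;                 # path traversal
        "rsync --server "*" . /srv/backup/"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# backup_wrapper
# Body of the script installed as the forced command: check the command
# the client asked for, then run it (no splitting hazards remain because
# metacharacters were rejected above).
backup_wrapper() {
    allow_original_command "${SSH_ORIGINAL_COMMAND-}" || {
        echo "backup-wrapper: rejected command: ${SSH_ORIGINAL_COMMAND-}" >&2
        exit 1
    }
    exec $SSH_ORIGINAL_COMMAND
}

# Constructed sample public key (not a real key) used to show the output.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey0000000000000000 backup@fileserver'

restrict_key "$SAMPLE_KEY" "backup-client.example.org" "/usr/local/sbin/backup-wrapper"
```

The emitted line goes into ~/.ssh/authorized_keys of the backup account on the remote host; the wrapper script calls backup_wrapper as its last line. With this in place a stolen backup key yields an rsync into /srv/backup/ from one source address and nothing else, which is the property a passphrase cannot give an unattended job. Newer OpenSSH releases also accept the single option restrict in place of the no-* list.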