Re: Can cron jobs share ssh-agent?

From: Pierre Asselin (pa_at_invalid.invalid)
Date: 05/22/03


Date: Wed, 21 May 2003 22:10:22 -0400

Joe Harrison <joe.harrison@teamware.antisp4m.co.uk> wrote:

>[ . . . ]
> But this is where everything comes unglued - although the cron task runs as
> the same non-root user it appears to be unable to use the key, just gets "Bad
> passphrase. Permission denied." The OpenSSH documentation implies that
> separate tasks for the same user *will* be able to share ssh-agent access.

Your cron job needs an environment variable in order to find the
agent. It'll look like this:

    SSH_AUTH_SOCK=/tmp/ssh-XXBGVg2b/agent.919

What you could do is store it in a file owned by user:user with permission
0600 after you start the agent, and read that file at the beginning of
your cron job to set the environment.

Just leaving the agent behind you isn't too good for your security though.
Even without the file an attacker who cracks the account can find the
socket, get the private key from the agent and break into the backup
server.

> [ ... ] BTW yes I know it
> would work if I used a key with no passphrase, unfortunately my boss might
> find out...

Right. Are you bypassing policy by not entering a passphrase to
authenticate yourself when you do your backup? Just asking, I don't
know what your site's policy is.
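The file-based handoff Pierre describes (write SSH_AUTH_SOCK to a 0600 file after starting the agent, read it back at the top of the cron job), as an added shell example that is not part of the thread. The file location, the function names and the cron-side paths are assumptions; the loader parses the file instead of sourcing it and refuses to continue when the socket no longer exists, since that is the case where ssh would otherwise prompt for a passphrase and fail under cron.

```shell
#!/bin/sh
# Added example: record a running ssh-agent's socket in a 0600 file and pick it
# up from a cron job. Not code from the thread; AGENT_ENV_FILE and the function
# names are assumptions.

# Where the socket path is recorded (assumed location).
AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.ssh/agent-env}"

# Run once in the interactive session, after
#   eval "$(ssh-agent -s)" && ssh-add
# Only SSH_AUTH_SOCK is written; the cron job does not need the agent PID.
save_agent_env() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        echo "save_agent_env: no ssh-agent in this shell (SSH_AUTH_SOCK unset)" >&2
        return 1
    fi
    mkdir -p "$(dirname "$AGENT_ENV_FILE")"
    # umask in a subshell: the file is created 0600 without changing the caller's umask
    ( umask 077; printf 'SSH_AUTH_SOCK=%s\n' "$SSH_AUTH_SOCK" > "$AGENT_ENV_FILE" )
    chmod 0600 "$AGENT_ENV_FILE"   # also tightens a pre-existing file
}

# Run at the top of the cron job. The file is parsed rather than sourced, so a
# stray line in it cannot run commands. If the socket is gone the agent is no
# longer running, and continuing would only produce the "Bad passphrase" error.
load_agent_env() {
    if [ ! -f "$AGENT_ENV_FILE" ]; then
        echo "load_agent_env: $AGENT_ENV_FILE not found; start ssh-agent and run save_agent_env" >&2
        return 1
    fi
    sock=$(sed -n 's/^SSH_AUTH_SOCK=//p' "$AGENT_ENV_FILE" | head -n 1)
    case $sock in
        /*) ;;                                   # must be an absolute path
        *)  echo "load_agent_env: malformed socket path in $AGENT_ENV_FILE" >&2; return 1 ;;
    esac
    case $sock in
        *[!A-Za-z0-9._/-]*)                      # reject anything outside the expected character set
            echo "load_agent_env: unexpected characters in socket path" >&2; return 1 ;;
    esac
    if [ ! -S "$sock" ]; then
        echo "load_agent_env: $sock is not a socket; the agent is probably no longer running" >&2
        return 1
    fi
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# Typical use from the cron job script (assumed paths):
#   . "$HOME/bin/agent-env.sh"
#   load_agent_env || exit 1
#   ssh backup-server /path/to/backup-command
```

Note that this only relocates the information; it does not change the point Pierre makes next. Anyone who obtains the user's account can read the same socket path from the agent's directory in /tmp and use the loaded key for as long as the agent stays alive, so the file is a convenience for cron, not a mitigation.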

