Re: Problems with scp and cron

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 10/22/04

    Date: Thu, 21 Oct 2004 22:03:41 -0400
    
    

    "Darren Dunham" <ddunham@redwood.taos.com> wrote in message
    news:nAQdd.16933$nj.162@newssvr13.news.prodigy.com...
    > Nico Kadel-Garcia <nkadel@comcast.net> wrote:
    > >> yes, I had to do it without a passphrase to get an automated
    > >> every-night backup of recent files.
    >
    > > No, you don't. You can store the ssh-agent settings in a text file that gets
    > > sourced by your program, something like this.
    >
    > > set | grep SSH > ssh-agentfile.txt
    > > source ssh-agentfile.txt
    >
    > Surely that depends on having the settings actually there. I often use
    > passphraseless keys for automated jobs on machines. They must run even
    > if the machine has rebooted and I haven't logged into the box to type a
    > passphrase.

    If that's what you have to do, that's what you have to do. But it's
    recommended against very strongly, because once that unattended box gets
    hacked into, the hacker has access to your passwordless keys.

    > > I urge you to use ssh-agent instead. This approach isn't perfect, but at
    > > least you don't have to leave an unencrypted key lying out there in plain text
    > > where it's even easier to be stolen. It's also a common way to do ssh-agent
    > > key management for servers where lots of people need access to core system
    > > key files: you log in as yourself to the server account, which is tracked in
    > > the logs, and automatically get the SSH keyfiles added at login-time this
    > > way without unencrypted key files being left on the server in
    > > question.
    >
    > Interesting. I've never heard of that technique before. To accomplish
    > this, do you have to make changes to the agent socket so that others can
    > read it?

    No, I'm sorry if I was unclear. Typically all users log into the ssh-agent
    key server machine as the same user on that machine, but with different
    authorized_keys entries. That way, they ssh into the ssh-agent key server
    with one key that gets logged, and get handed a new set of keys by
    "source"ing a file with the ssh-agent environment variables.
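
The agent environment file approach discussed in this thread, as an added example that is not part of the original posts: the two agent variables are written as `export` lines to an owner-only file so that child processes such as scp inherit them, and the cron job checks that the agent is still reachable, which covers the reboot case raised above. The `AGENT_ENV` path and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: share one running ssh-agent with cron jobs via an env file.
# AGENT_ENV is a hypothetical path chosen for this example.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Run once from an interactive login, after `eval "$(ssh-agent -s)"` and
# `ssh-add`. Writes only the two agent variables, as export lines, to a
# freshly created file that only the owner can read.
save_agent_env() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "no agent in this shell" >&2; return 1; }
    # The values are single-quoted in the file, so refuse an embedded quote.
    case "$SSH_AUTH_SOCK${SSH_AGENT_PID:-}" in *\'*) return 1 ;; esac
    ( umask 077
      rm -f "$AGENT_ENV"
      {
        printf "export SSH_AUTH_SOCK='%s'\n" "$SSH_AUTH_SOCK"
        printf "export SSH_AGENT_PID='%s'\n" "${SSH_AGENT_PID:-}"
      } > "$AGENT_ENV" )
}

# Call at the top of the cron job. Return codes:
#   0  agent reachable with at least one key loaded
#   1  env file missing, not ours, or readable by group/others
#   2  agent gone (for example after a reboot) or holding no keys
load_agent_env() {
    [ -f "$AGENT_ENV" ] && [ -O "$AGENT_ENV" ] || return 1
    case "$(ls -ld "$AGENT_ENV")" in
        -rw-------*|-r--------*) ;;
        *) return 1 ;;
    esac
    . "$AGENT_ENV"
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 2
    # ssh-add -l exits non-zero if the agent is unreachable or has no keys.
    ssh-add -l >/dev/null 2>&1 || return 2
}

# In the cron script (host and paths are placeholders):
#   load_agent_env || { echo "ssh-agent unavailable, backup skipped" >&2; exit 1; }
#   scp -o BatchMode=yes /path/to/files backuphost:/path/to/backup/
```

`BatchMode=yes` makes scp fail instead of waiting for a passphrase prompt that nobody is there to answer.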

