[KLUG Members] Passphrase-Less SSH Keys

Dirk H Bartley dbartley at schupan.com
Wed Feb 8 15:13:32 EST 2006


On Wed, 2006-02-08 at 13:40 -0500, bill wrote:
> On Wed, 2006-02-08 at 13:12, Dirk H Bartley wrote:
> > On Wed, 2006-02-08 at 12:47 -0500, bill wrote:
> > > I'm looking to create a cron job using ssh.  Being a scheduled job,
> > > running unattended, the job can't easily put in passwords.
> > 
> > Hey, I do that.
> > > 
> > > I see you can create an SSH key that doesn't have a password.
> > 
> > It would be referred to as having an empty passphrase.
> > > 
> > > The remote box already has a normal account with an SSH key that
> > > requires a password.
> > 
> > Generate the key pair on the box running the cron job.  Place the public
> > key on the (server) host the ssh command (client) will ssh to (the
> > server).
> 
> Already doing that.  Have a key w/passphrase.  Client can log in to
> server using key and get prompted for passphrase.  That's all fine.
> 
> > > Should I create another account and put the passphrase-less key in
> > > there?
> > 
> > It should work as long as the above client server relationship is held.
> > > 
> > > Or can I create another key with the same account, and put it also in
> > > the normal account on the remote box?
> > That would work as well.  Here is my recommendation.
> > 
> > ssh-agent > ~/.ssh/agent-info
> > chmod 600 ~/.ssh/agent-info
> 
> Which account is doing this? 

The account the crontab is for.  So if sally is logged in and creating a
crontab with "crontab -e", it would be sally.
>  
> 
> > source ~/.ssh/agent-info
> > 
> > ssh-add
> > 
> > now there is a persistent agent running.
> 
> Will the agent always be running, if, for example, the box is restarted?

The agent can be started in /etc/rc.d/rc.local on a redhat machine, so
if root is running the cron jobs:
ssh-agent > /root/.ssh/agent-info
chmod 600 /root/.ssh/agent-info
is placed in there.  If sally is running the cron jobs it would be
something like
su -l sally -c "ssh-agent > /home/sally/.ssh/agent-info"
> 
> If not, must it be restarted by hand?

If started in rc.local, no.  The agent must however have the passphrase
added to it by hand.  Sally can log in, source the agent-info file and
ssh-add.  The agent can also be sourced in ~/.bash_profile!!

> 
> If so, what command(s) above must be re-run to get the agent running
> again?
> 
> Is there an automated way to have this agent always restart?  Is that a
> wise thing to attempt?
> 
> > In your script that is run in cron
> > 
> > source ~/.ssh/agent-info
> 
> Where is this line placed in relation to the ssh command?
> 
> > It is probably better to use the full path and not the ~/
> > 
> > This is better than having a passphraseless key.
> 
> You mean this is for keys with a password?
> 
> I guess I'm not clearly understanding keys and accounts.  If I have
> account "Alice" on the client, and account "Bob" on the server, can I
> put Alice's public key in Bob's .ssh directory and have Alice log in as
> Bob?

Yup, concur with Bruce.
> 
> kind regards,
> 
> bill
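The agent-info procedure discussed in the thread (start the agent at boot, write its environment to a mode-600 file, source that file from the cron script) as one complete script. This is an added example and not code from the thread or from anyone on the list; the agent-info path follows the thread, Linux with GNU stat is assumed, and the "start"/"job" subcommands, the permission check and the ssh-add -l probe are additions that the thread does not spell out.

```shell
#!/bin/sh
# Added example, not code from the thread: a persistent ssh-agent for a cron
# user, with the checks a cron job should make before using it.
# Assumes Linux with GNU stat; the agent-info path follows the thread.
AGENT_INFO="${AGENT_INFO:-$HOME/.ssh/agent-info}"

# Start the agent and record its environment. The umask in the subshell
# creates agent-info as mode 600 from the start, so there is no window
# between creation and a later chmod in which others could read it.
# Run this from rc.local (or su -l user -c '... start') at boot; the
# passphrase still has to be loaded by hand afterwards with ssh-add.
start_agent() {
    (umask 077; ssh-agent -s > "$AGENT_INFO")
}

# Sourcing a file executes it, so a cron job must only source agent-info
# if it is a regular file owned by us with mode 600; a symlink or a file
# writable by others would be code execution as the cron user.
agent_info_is_safe() {
    f="$1"
    if [ -L "$f" ] || [ ! -f "$f" ]; then return 1; fi
    perm=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$perm" = "600" ] && [ "$owner" = "$(id -u)" ]
}

# Attach to the agent and verify it is usable. ssh-add -l exits 0 when
# identities are loaded, 1 when the agent is reachable but empty (nobody
# ran ssh-add since the last reboot), 2 when no agent can be contacted.
# A cron job should stop here rather than let ssh hang on a prompt.
attach_agent() {
    agent_info_is_safe "$AGENT_INFO" || {
        echo "refusing to source $AGENT_INFO: not a mode-600 file owned by $(id -un)" >&2
        return 2
    }
    . "$AGENT_INFO" > /dev/null
    rc=0
    ssh-add -l > /dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;
        1) echo "agent has no identities; log in and run: . $AGENT_INFO && ssh-add" >&2; return 1 ;;
        *) echo "no agent reachable; start one with: sh $0 start" >&2; return 2 ;;
    esac
}

# Run the unattended command. BatchMode=yes makes ssh fail instead of
# prompting for a passphrase or password when the agent cannot serve it.
run_job() {
    attach_agent || return $?
    ssh -o BatchMode=yes "$@"
}

# Dispatcher: "start" belongs in rc.local, "job" in the crontab line, e.g.
#   0 2 * * * /home/sally/bin/agent.sh job backup@server /usr/local/bin/nightly
# (host and command are placeholders, not from the thread).
case "${1:-}" in
    start) start_agent ;;
    job)   shift; run_job "$@" ;;
esac
```

The permission check matters because the cron script sources agent-info with full paths, exactly as recommended above, and a sourced file is run as the cron user; checking mode and ownership first turns a tampered or mis-chmodded file into a refused run instead of a silent compromise. The ssh-add -l probe distinguishes the two failure modes the thread asks about: an agent that was never restarted after a reboot (exit 2) and one that was restarted from rc.local but has not had the passphrase added by hand yet (exit 1).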