
Re: [OT] ssh remote command execution without public keys.



On Fri, Sep 05, 2003 at 03:44:23PM +0100, Colin Watson (cjwatson@debian.org) wrote:
> On Fri, Sep 05, 2003 at 03:05:22PM +0200, Alex Polite wrote:
> > I have ssh access to a server (A) where public key authentication is not
> > allowed. I want access information on (A) from a cron script on
> > server (B).
> > 
> > I figure there must be a way to wrap ssh in script that takes the
> > password in clear text as one argument. It's probably heresy to a lot
> > of people but I'm sure it can be done. And if the file permissions are
> > set right I don't see why it should be any less secure than public
> > keys with empty pass phrases.
> > 
> > But how is it done?
> 
> Look at 'expect'. This can fake up a terminal that you could use to feed
> a password to ssh.
> 
> The reason why schemes like this are less secure than public keys with
> empty passphrases is that you can set up .ssh/authorized_keys so that
> public keys are forced to be able to run only a single command. This
> makes single-purpose keys feasible and reasonably secure as long as the
> script at the other end is prepared for hostile input. In your case,
> though, there's no way to restrict the set of commands that an attacker
> who compromises (B) can execute on (A) beyond how you could restrict any
> local user. You might get away with it if you were sshing to a
> special-purpose user with a restricted shell, maybe; but eww.
> 
> If I were you I'd definitely ask the administrator of (A) to enable
> public key authentication.

Seconding all of the above.

I'd also recommend the O'Reilly SSH book, which covers a number of
remote execution scenarios in attended and unattended modes.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   If spam is the question, Spamassassin is the answer.
     http://spamassassin.taint.org/
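A worked version of the forced-command setup Colin describes, added here as an example and not taken from the thread or from any of the posters: a wrapper script on server (A) that a single-purpose key in `.ssh/authorized_keys` is forced to run. sshd discards whatever command the client asked for, runs the wrapper instead, and hands the original request to it in `SSH_ORIGINAL_COMMAND`; the wrapper allows only a fixed set of request names and rejects everything else, which is the "prepared for hostile input" part. The script path `/usr/local/bin/cron-wrapper`, the request names `disk-usage` and `uptime`, and the key comment `cron@B` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for a
# single-purpose key on server (A). The authorized_keys line that invokes it
# (path, key and comment are hypothetical) would look like:
#
#   command="/usr/local/bin/cron-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... cron@B
#
# sshd then runs this script no matter what (B) asked for, and exports the
# client's request string as SSH_ORIGINAL_COMMAND. Because the request is
# only ever compared against fixed strings (never eval'd, never word-split
# into a command line), a compromised (B) can trigger these actions and
# nothing else.

# dispatch REQUEST: print the fixed command for an allowed request name and
# return 0; return 1 (and print nothing) for anything else.
dispatch() {
    case "$1" in
        'disk-usage') echo 'df -h /var'; return 0 ;;
        'uptime')     echo 'uptime';     return 0 ;;
        *)            return 1 ;;
    esac
}

# run_forced: entry point when sshd invokes the wrapper. Rejected requests
# are logged to syslog (auth facility) so a compromised (B) probing for a
# shell shows up in (A)'s logs.
run_forced() {
    req=${SSH_ORIGINAL_COMMAND-}
    if cmd=$(dispatch "$req"); then
        # $cmd is one of our own fixed strings above, so splitting it into
        # words here is intentional and safe.
        exec $cmd
    fi
    printf 'cron-wrapper: request not permitted\n' >&2
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t cron-wrapper \
            "rejected request from ${SSH_CLIENT-unknown}: $req"
    fi
    exit 1
}

# Only act when invoked by sshd (SSH_ORIGINAL_COMMAND set); sourcing the
# file for testing does nothing. A client that connects with no command at
# all leaves the variable unset and is rejected the same way.
if [ -n "${SSH_CONNECTION-}" ]; then
    run_forced
fi
```

On (B), the cron job then runs `ssh -i ~/.ssh/cron_key cron@A disk-usage`; any other string, including `disk-usage; sh` or an empty command, gets "request not permitted" and a syslog line on (A). The `no-pty` and `no-*-forwarding` options close the remaining ways the key could be used to reach (A) beyond the wrapper.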
