Re: Passwordless connection to ssh-nonfree 1.2.27



Noah Meyerhans <noahm@debian.org> writes:

> Creating an SSH key with a blank passphrase is *absolutely* the
> wrong way to go about this. Yes, it will work, but if anybody ever
> manages to get their hands on the private key, they've got access to
> your account on the remote machine.
>
> Passphrase protected keys can still be used for passwordless
> authentication. Please read the docs on ssh-agent and ssh-add.

This works for interactive use. But it doesn't fit the needs of cron
jobs. OK, you *can* use ssh-agent within cron jobs, but you give up
more security than you gain using such a hack.

So if you need an ssh connection within a cron job using a blank
passphrase is absolutely the right way. *But* you should be careful
regarding some points:

1. Whenever possible use a separate sandbox user on the remote site
   for these jobs. If someone steals your key he will get full access
   to this user and nothing else.

2. If you use this connection from one or a few source hosts only, use
   the option "from=" in the authorized_keys file on the remote host.
   This will restrict access to this user to connections originating
   from the sources defined here.

3. If you run one or a few commands only on the remote host, use the
   option "command=" in the authorized_keys file on the remote host.
   If this option is given the value will be the only command executed
   on login, also if you try to give a command on the ssh command
   line. If you need more than one command on the remote host you have
   to use multiple keys, one for each command. Or just write a shell
   script containing all commands and use that as a command.

A combination of all these methods should give you reasonable
security for giving remote access to cron jobs.

[x] ulf

-- 
Rome did not create a great empire by having meetings,
they did it by killing all those who opposed them.
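Added example, not part of the thread: what points 2 and 3 above look like as a line in the sandbox user's `~/.ssh/authorized_keys` on the remote host, plus the pattern the post hints at with "write a shell script containing all commands", carried one step further: a single forced-command wrapper that dispatches on `SSH_ORIGINAL_COMMAND` (the variable sshd sets to whatever the client asked for when `command=` is in force) against a fixed allowlist. The `no-*` options, the host names, the key blob and the script paths are my additions and constructed placeholders, not from the post.

```shell
#!/bin/sh
# Added example (not from the thread): authorized_keys restrictions for a
# cron-only key, and a forced-command wrapper serving a fixed set of jobs.
# Key material, host names and script paths are constructed placeholders.

# Build one authorized_keys line.
#   $1  comma-separated source patterns for from= (host names, IPs, CIDR)
#   $2  absolute path of the forced command (command=)
#   $3  public key as printed by ssh-keygen: "<type> <base64-blob> <comment>"
# The no-* options go beyond the post: a cron job needs no forwarding or PTY,
# so a stolen key gains none of them either.
build_authorized_keys_line() {
  printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$1" "$2" "$3"
}

# With command= set, sshd runs only that command and exposes the client's
# requested command in SSH_ORIGINAL_COMMAND. A fixed case table maps that
# value to a script; the client input itself is never executed or eval'd.
# Prints the script to run and returns 0, or returns 1 for anything unlisted.
dispatch_original_command() {
  case "$1" in
    backup-home)  echo "/usr/local/lib/cron-ssh/backup-home.sh" ;;
    rotate-logs)  echo "/usr/local/lib/cron-ssh/rotate-logs.sh" ;;
    '')           echo "/usr/local/lib/cron-ssh/default.sh" ;;   # bare "ssh host"
    *)            return 1 ;;
  esac
}

# Body of the wrapper installed as the command= target. Dry run here: it
# prints the selected script; the installed version would exec "$target".
forced_command_wrapper() {
  req=${SSH_ORIGINAL_COMMAND:-}
  target=$(dispatch_original_command "$req") || {
    echo "refused: ${req:-<none>}" >&2
    return 1
  }
  echo "would exec: $target"
}

# Demonstration with a constructed placeholder key (not a real key).
PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAA...PLACEHOLDER cron@backup-client'
build_authorized_keys_line "192.0.2.10,backup-client.example.org" \
  "/usr/local/lib/cron-ssh/wrapper.sh" "$PUBKEY"

# A listed job name is dispatched; anything else, even an extra flag on a
# listed name, is refused, so the remote side runs only what the table names.
( SSH_ORIGINAL_COMMAND="backup-home"; forced_command_wrapper )
( SSH_ORIGINAL_COMMAND="backup-home --verbose"; forced_command_wrapper ) || true
```

Each cron job on the client then needs only `ssh -i ~/.ssh/cron_key sandbox@remote backup-home`; the key still has a blank passphrase, but from any other source host, or for any command not in the table, it buys nothing.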