Re: scp and scripts?
On Wed, Jul 06, 2005 at 05:31:37PM -0400, Stephen R Laniel wrote:
> On Wed, Jul 06, 2005 at 03:44:13PM -0400, linux starved wrote:
> > information. The following is basically what I want the script to do,
> > but I heard scp will not work with authentication. I also read about
> > rsync and tried to get the following one liner to work on the source
> > server
>
> To get scp working without prompting you for a password, do
> as follows:
>
> (Supposing that you're scp'ing files from machine A to
> machine B, and that your username is the same on both A and
> B.)
>
> 1) run 'ssh-keygen -t dsa' on machine A. This will generate
> an SSH key of the appropriate type. It will ask you if you
> want a passphrase; press enter to use a blank passphrase.
It's also possible (and more secure) to use a non-blank ssh passphrase in
automated jobs. The ssh-agent program makes this possible by maintaining
the decrypted key in memory, accessed through a named pipe or socket
which is identified in some environment variables. You need to enter
the passphrase (using ssh-add) one time after the machine (B?) boots up,
but thereafter automated connections can work.
The keychain package automates some of this, managing the ssh-agent.
From keychain(1):
When keychain is run, it checks for a running ssh-agent,
otherwise it starts one. It saves the ssh-agent environment
variables to ~/.keychain/${HOSTNAME}-sh, so that subsequent
logins and non-interactive shells such as cron jobs can source
the file and make passwordless ssh connections. In addition,
when keychain runs, it verifies that the key files specified on
the command-line are known to ssh-agent, otherwise it loads them,
prompting you for a password if necessary.
When ssh (used by scp) runs, it looks for these environment variables,
SSH_AUTH_SOCK and SSH_AGENT_PID, and uses them to authorize the connection.
One way to make these variables known to a script is to source them in a
wrapper script, which can then be run in a cron job. The rsnapshot package
uses rsync and ssh, and I use the following wrapper:
ken@sangay:~ $ cat /usr/local/bin/rsnapshot
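#!/bin/sh
# load SSH_AUTH_SOCK and SSH_AGENT_PID as saved by keychain
# ('.' is the POSIX spelling of 'source', so this works under any /bin/sh)
. /home/ken/.keychain/sangay-sh
# for some reason I installed rsnapshot from tarball, not .deb ...
# "$@" passes each argument through unchanged, even if it contains spaces
/usr/local/bin/rsnapshot.original "$@"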
It took me a while to figure this out, and just figured I ought to pass
it along in the context of this thread.
Ken
> Accept any other defaults presented to you.
>
> 2) You will now have a directory ~/.ssh . In there will be
> two files (at least): id_dsa and id_dsa.pub. The latter is a
> public key, the former a private key.
>
> 3) Copy id_dsa.pub to machine B. To do so, type
>
> scp ~/.ssh/id_dsa.pub [machine B's name]:
>
> Note the trailing ':'.
>
> 4) Connect to machine B:
>
> ssh [machine B's name]
>
> 5) Put the contents of the public key (id_dsa.pub) in
> ~/.ssh/authorized_keys on machine B:
>
> cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
>
> Note that ~/.ssh may not exist yet on machine B. If it
> doesn't, you'll get an error from that last command, and
> you'll need to create a new directory --
>
> mkdir ~/.ssh
>
> -- first.
>
> --
> Stephen R. Laniel
> steve@laniels.org
> +(617) 308-5571
> http://laniels.org/
> PGP key: http://laniels.org/slaniel.key
--
Ken Irving, Research Analyst, fnkci@uaf.edu, 907-474-6152
Water and Environmental Research Center
Institute of Northern Engineering
University of Alaska, Fairbanks
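
A more defensive form of the wrapper approach described in this message, as an added example that is not part of the original post: it loads the keychain file, then uses the exit status of ssh-add -l to confirm the agent is reachable and holds a key before running the job. The names SSH_ADD, AGENT_ENV, agent-run.sh and hostB are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. SSH_ADD and AGENT_ENV are names chosen
# here so the checks can be exercised without a real agent.
SSH_ADD=${SSH_ADD:-ssh-add}

# Source the variables keychain saved; fail if the file is unreadable or
# does not define SSH_AUTH_SOCK. Stale values are cleared first.
load_agent_env() {
    [ -r "$1" ] || return 1
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    . "$1"
    [ -n "${SSH_AUTH_SOCK:-}" ]
}

# ssh-add -l exits 0 with keys loaded, 1 when the agent holds none,
# and 2 when the agent cannot be contacted (e.g. after a reboot).
agent_state() {
    rc=0
    "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ready ;;
        1) echo no-keys ;;
        *) echo no-agent ;;
    esac
}

# Run "$@" only when a key is available; otherwise return a distinct code
# so cron mails a clear error instead of ssh stalling on a prompt.
run_with_agent() {
    env_file=${AGENT_ENV:-"$HOME/.keychain/$(uname -n)-sh"}
    load_agent_env "$env_file" || { echo "cannot load $env_file" >&2; return 3; }
    state=$(agent_state)
    [ "$state" = ready ] || { echo "ssh-agent state: $state" >&2; return 4; }
    "$@"
}

# Cron usage (script name, file and hostB are placeholders):
#   agent-run.sh scp -o BatchMode=yes /var/backups/data.tgz hostB:
if [ "$#" -gt 0 ]; then
    run_with_agent "$@"
fi
```

With BatchMode=yes, ssh and scp fail immediately rather than asking for a passphrase or password, which is the behaviour an unattended job needs when the agent has lost its key.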