On Tue, 2005-03-15 at 10:32 -0500, Cory Papenfuss wrote:
> I would like an automated backup to connect to that agent and use the
> key that's passphrase-protected.

There are (arguably) better ways to do this and security issues with what
you propose.

> Hope that makes sense. It's quite possible that what I'm trying to do is
> stupid and I'd realize it if I thought all the way through it. All I know
> is if I type 'backup_script' logged in normally, I've got my
> passphrase-protected key exchange that doesn't require a password.

Right, because all processes that descend from your "ssh-agent <command>"
inherit the environment variable (SSH_AUTH_SOCK) that describes the socket
to access your ssh-agent if they need to. Realize that anything on the
system that is running the agent (or any system you allow agent forwarding
to) can access your keys if they know this socket and have permission to
access it (i.e. root).

Because when you run the backup command in your ssh-agent-parented shell,
it has access to the agent socket, so it works. Run it from somewhere that
is not a descendant of your agent, and it does not have access to the
agent, so it does not work.

> If I put it in a script, not so much.

Right. As per the above.

IMHO, the right way to do this is to use the "forced command" option in
the authorized_keys file. See the manpage for sshd under the
"AUTHORIZED_KEYS FILE FORMAT" section and create a key on the backup
server that is forced to run only one command and then use the private
portion of that key without a passphrase on your client.

b.
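The forced-command setup recommended above, as an added example that is not code from this thread or from OpenSSH: the authorized_keys line for the passphrase-less backup key and the wrapper it points at, which only honours one exact client request. The wrapper path, the rsync invocation, the host address and the key text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: a restricted
# authorized_keys entry for a passphrase-less backup key, plus the forced-
# command wrapper that entry points at (sshd(8), AUTHORIZED_KEYS FILE FORMAT).
# All paths, hostnames and key text below are constructed placeholders.

# Hypothetical wrapper installed on the backup server; sshd runs it instead of
# whatever the client asked for, because of the command= option.
WRAPPER='/usr/local/bin/backup-wrapper'

# The only client request the wrapper will honour (constructed rsync
# server-side invocation for one destination). Anything else is rejected.
ALLOWED_ORIGINAL_COMMAND='rsync --server -logDtpr . /srv/backups/client1/'

# Build the authorized_keys line. command= forces the wrapper, from= limits the
# source host, and the no-* options drop forwarding and pty allocation so a
# stolen passphrase-less key cannot be turned into an interactive login.
make_authorized_keys_line() {
    pubkey="$1"     # e.g. 'ssh-rsa AAAA... backup@client1' (constructed)
    from_host="$2"  # e.g. '192.0.2.10' (documentation address, constructed)
    printf 'command="%s",from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$WRAPPER" "$from_host" "$pubkey"
}

# sshd exports the client's requested command in SSH_ORIGINAL_COMMAND.
# Return 0 only on an exact match with the single allowed invocation; a
# prefix or glob match would let a client append extra options or commands.
check_original_command() {
    [ "$1" = "$ALLOWED_ORIGINAL_COMMAND" ]
}

# Body of the wrapper script: run the allowed command, or log and refuse.
wrapper_main() {
    if check_original_command "${SSH_ORIGINAL_COMMAND-}"; then
        exec $ALLOWED_ORIGINAL_COMMAND
    fi
    logger -p auth.warning "backup-wrapper: rejected: ${SSH_ORIGINAL_COMMAND-<none>}"
    exit 1
}
```

Install the wrapper at the path named in WRAPPER with `wrapper_main` as its last line, and append the generated line to the backup server's authorized_keys.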
_______________________________________________
mythtv-users mailing list
[email protected]
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users
