On Aug 30, 2005, at 8:06 PM, Ben Johnson wrote:

On Tue, Aug 30, 2005 at 05:55:50PM -0700, Brian Chrisman wrote:

Ben Johnson wrote:


Hey.

I had a question during the ssh talk given a while ago. (2-3 months?) Something like... "what's the alternative to a password-less ssh key for automating multi-host maintenance?" It never quite got answered.
The issue is coming up for me again today.  :)  What do I do?




Do you mean 'passphrase-less'?
You can use the ssh agent stuff to hold yer decrypted ssh keys in
memory, and provide them as necessary for authentication... that way you
only have to put in yer pass phrase once per session (which, I think,
can be defined multiple ways).


word...  phrase...  one has spaces in it...  ;)

I'm familiar with ssh-agent. Somewhat, anyway. I typically log in at a
virtual terminal, run 'exec ssh-agent bash' then 'exec startx'. This
little bit of experience leads me to believe I have a couple of problems:

- Using ssh-agent doesn't free me from having to enter a passphrase,
  which is problematic as I can't be sure that I'll be available when the
  system reboots.

- I'm wanting to run these scripts that do the connecting from cron
  jobs. I thought ssh-agent can only be used by children of ssh-agent.
  Isn't that right? Would I have to run crond as a child of ssh-agent?

- Is it possible to start an ssh-agent process on a server, then let it
  run unattended and without leaving it attached to some tty?

Take a look at http://www.gentoo.org/proj/en/keychain/index.xml

I'm using that at work to allow cron jobs to use rsa keys to allow rsync to run for me. The way I have it set up is:

1) Boot the machine, login as root
2) You will be prompted for the RSA Passphrase to your key(s)
3) Keychain will store the decrypted key on your behalf
4) Cron jobs, scripts, and normal ssh sessions no longer need a passphrase until you reboot
5) You can kill the keychain at any time

OSX has a similar product called SshKeyChain http://www.sshkeychain.org/

There are security concerns with using either of these tools, but they far outstrip using a passphrase-less key.

Mark
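The setup Mark describes, as an added example that is not from the thread: a cron job is not a child of the agent, so it cannot inherit SSH_AUTH_SOCK; instead it sources the environment file keychain writes for the running agent (assumed here to be ~/.keychain/HOSTNAME-sh, in the same `VAR=...; export VAR;` form as `ssh-agent -s` output) and refuses to run if the agent is gone or holds no keys, so a reboot nobody was around for fails loudly instead of silently. The rsync target is a placeholder.

```shell
#!/bin/sh
# Added example: reuse a keychain-managed ssh-agent from cron.
# Assumed env file path: ~/.keychain/$(hostname)-sh (keychain's default layout).

# Source the keychain env file; fail if it is missing or sets no socket.
load_agent_env() {
    envfile="$1"
    [ -r "$envfile" ] || return 1
    # shellcheck disable=SC1090
    . "$envfile" >/dev/null
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    return 0
}

# The agent is usable only if its socket exists and it holds at least one key
# (ssh-add -l exits 1 with no identities, 2 when it cannot reach the agent).
agent_ready() {
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
}

# Run the maintenance job only with a reachable, loaded agent; distinct exit
# codes make the reason visible in cron mail or logs.
run_job() {
    envfile="${1:-$HOME/.keychain/$(hostname)-sh}"
    if ! load_agent_env "$envfile"; then
        echo "no keychain environment at $envfile (rebooted without entering the passphrase?)" >&2
        return 2
    fi
    if ! agent_ready; then
        echo "ssh-agent at $SSH_AUTH_SOCK is gone or holds no keys" >&2
        return 3
    fi
    # Placeholder job: mirror a directory to a backup host over ssh.
    rsync -a -e ssh /srv/data/ backup.example.invalid:/srv/data/
}
```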


_______________________________________________
RLUG mailing list
RLUG@rlug.org
http://lists.rlug.org/mailman/listinfo/rlug
