On Fri, Apr 09, 2004 at 12:21:33PM -0700, Brent Wiese wrote:
> Here is what I need to do:
>
> I need to somehow automate an rsync from 1 box to several others.
>
> I have set up SSH for RSAAuthentication, the method I'd prefer to use (over
> RHostsRSA).
>
> I am able to slogin to the other boxes w/o supplying the passphrase.
>
> But here is where I'm stuck. How do I make a script run w/o the passphrase?
>
> The goal is to put this script in the user's crontab.
>
> I've googled for help on this, which is how I got to the point I'm at, but
> now I need some further guidance.
>
> I am notified by email when the boxes reboot, so logging back into them to
> add the passphrase back into memory isn't a problem. I'd rather not use
> Rhosts if I can avoid it, and I also want to avoid running rsync daemon.
>
> If anyone has suggestions on a better and/or more secure method to do this,
> happy to hear it.
>
> Ultimately, I'd also like to be able to trigger this sync from a webpage, so
> if anyone has done that (using sudo I'd imagine), feel free to suggest
> things there too.

This is covered in the SSH FAQ --
http://www.snailbook.com/faq/no-passphrase.auto.html

Since you have ruled out RhostsRSA, you're left with two options:

   i) SSH key with plaintext key file (i.e. no passphrase). If you
      choose this method, be sure to read the section in sshd(8)
      about the options you can use in the ~/.ssh/authorized_keys
      file, to minimize the possible damage that could occur if that
      key gets stolen.

  ii) Public key with SSH agent. Read about ssh-agent(1) and
      ssh-add(1). For scripting purposes, you can start up a
      long-running ssh-agent process, saving the output to a file:

          # ssh-agent -s > ssh-agent-env

      Then manually ssh-add the key and passphrase to that agent:

          # sh -c '. ssh-agent-env ; ssh-add my-remote-access-key'

      All your scripts need to do then is source the environment
      settings you saved:

          #!/bin/sh

          . ssh-agent-env

          [... etc ...]

In either of these cases be sure that each machine has the ssh public
key of the other in the appropriate known-hosts files and that you
verify that you can use ssh with your key on the command line to get
into the machine without being challenged for a password.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
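
Option (i) in the reply above points at the authorized_keys options in sshd(8). As an added example (not part of the original message), this is a forced-command wrapper that limits a passphrase-less key to pushing files with rsync into one directory tree. The script path, `ALLOWED_DIR`, the source address and the key text are assumptions, and the check is deliberately narrow rather than a full rsync option parser.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path:
#   /usr/local/bin/rsync-push-only.sh
# Assumed authorized_keys line on each receiving box (address and key are
# placeholders):
#   from="192.0.2.10",command="/usr/local/bin/rsync-push-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... sync-key
LC_ALL=C; export LC_ALL
ALLOWED_DIR=${ALLOWED_DIR:-/data/mirror}    # assumed destination tree

# Return 0 only for "rsync --server <options> . <path under ALLOWED_DIR>".
allowed_rsync_command() {
    case $1 in
        *[!A-Za-z0-9" "./_-]*) return 1 ;;  # metacharacters, quotes, globs
    esac
    set -- $1                               # safe to split: charset checked
    [ "$#" -ge 4 ] && [ "$1 $2" = "rsync --server" ] || return 1
    shift 2
    while [ "$#" -gt 2 ]; do
        case $1 in
            --delete) ;;                    # the one long option allowed here
            --*|*[/_]*) return 1 ;;         # --sender, --log-file, paths ...
            -?*) ;;                         # short-option cluster
            *) return 1 ;;
        esac
        shift
    done
    [ "$1" = . ] || return 1
    case $2 in
        */../*|*/..) return 1 ;;            # no climbing out of the tree
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
    esac
    return 1
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND. With no
# command (an interactive login attempt) the script just ends: no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND          # unquoted on purpose: validated above
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With this in place a stolen copy of the key can still overwrite files under `ALLOWED_DIR` from the permitted address, but it cannot open a shell, read files back with `--sender`, or forward ports.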