On Fri, Apr 09, 2004 at 12:21:33PM -0700, Brent Wiese wrote:
> Here is what I need to do:
> 
> I need to somehow automate an rsync from 1 box to several others.
> 
> I have set up SSH for RSAAuthentication, the method I'd prefer to use (over
> RHostsRSA).
> 
> I am able to slogin to the other boxes w/o supplying the passphrase.
> 
> But here is where I'm stuck. How do I make a script run w/o the passphrase?
> 
> The goal is to put this script in the user's crontab.
> 
> I've googled for help on this, which is how I got to the point I'm at, but
> now I need some further guidance.
> 
> I am notified by email when the boxes reboot, so logging back into them to
> add the passphrase back into memory isn't a problem. I'd rather not use
> Rhosts if I can avoid it, and I also want to avoid running rsync daemon.
> 
> If anyone has suggestions on a better and/or more secure method to do this,
> happy to hear it.
> 
> Ultimately, I'd also like to be able to trigger this sync from a webpage, so
> if anyone has done that (using sudo I'd imagine), feel free to suggest
> things there too.

This is covered in the SSH FAQ --
http://www.snailbook.com/faq/no-passphrase.auto.html

Since you have ruled out RhostsRSA, you're left with two options:

   i) SSH key with plaintext key file (i.e. no passphrase).  If you
      choose this method, be sure to read the section in sshd(8) about
      the options you can use in the ~/.ssh/authorized_keys file, to
      minimize the possible damage that could occur if that key gets
      stolen.

  ii) Public key with SSH agent.  Read about ssh-agent(1) and
      ssh-add(1).  For scripting purposes, you can start up a
      long-running ssh-agent process, saving the output to a file:

        # ssh-agent -s > ssh-agent-env

      Then manually ssh-add the key and passphrase to that agent:

        # sh -c '. ssh-agent-env ; ssh-add my-remote-access-key'

      All your scripts need to do then is source the environment
      settings you saved:

        #!/bin/sh

        . ssh-agent-env

        [... etc ...]

In either of these cases be sure that each machine has the ssh public
key of the other in the appropriate known-hosts files and that you
verify that you can use ssh with your key on the command line to get
into the machine without being challenged for a password.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
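
Added example, not part of Matthew's message: a cron-side wrapper for option ii that reads the saved ssh-agent-env without sourcing it and refuses to run rsync when the agent is gone or holds no key, as happens after a reboot. The function names, paths and host arguments are assumptions.

```sh
#!/bin/sh
# Added example: cron-side use of the saved `ssh-agent -s` output.
# Function names, paths and hosts are hypothetical, not from the original post.
# Constructed sample of what `ssh-agent -s > ssh-agent-env` writes:
#   SSH_AUTH_SOCK=/tmp/ssh-constructed/agent.4242; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=4243; export SSH_AGENT_PID;

# Read one variable from the env file instead of sourcing it, so a tampered
# file cannot run commands as the cron user.
agent_var() {   # usage: agent_var NAME FILE
    sed -n "s/^$1=\([^;]*\);.*/\1/p" "$2" | head -n 1
}

# Status: 0 = agent reachable and holds a key, 1 = agent holds no key,
# 2 = no usable agent (missing file, or stale socket after a reboot).
load_agent() {  # usage: load_agent FILE
    [ -f "$1" ] && [ -r "$1" ] || return 2
    SSH_AUTH_SOCK=$(agent_var SSH_AUTH_SOCK "$1")
    SSH_AGENT_PID=$(agent_var SSH_AGENT_PID "$1")
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 2
    export SSH_AUTH_SOCK SSH_AGENT_PID
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?   # ssh-add: 0 keys, 1 none, 2 no agent
    return "$rc"
}

# Push SRC to DEST on every host. BatchMode makes ssh fail instead of
# prompting, so a cron run never hangs waiting for a passphrase.
run_sync() {    # usage: run_sync ENV_FILE SRC DEST HOST...
    env_file=$1 src=$2 dest=$3; shift 3
    agent_st=0
    load_agent "$env_file" || agent_st=$?
    if [ "$agent_st" -ne 0 ]; then
        echo "ssh-agent unusable (status $agent_st): redo ssh-agent -s and ssh-add" >&2
        return "$agent_st"
    fi
    failed=0
    for host in "$@"; do
        rsync -a -e 'ssh -o BatchMode=yes' "$src" "$host:$dest" || failed=1
    done
    return "$failed"
}

# Crontab script body would then be a single call, for example:
#   run_sync "$HOME/ssh-agent-env" /srv/data/ /srv/data/ hostA hostB
```

Keep ssh-agent-env readable only by the account that owns the agent; anyone who can reach the socket it names can authenticate with the loaded key.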
