
Re: [tlug] cron job to connect to a remote host with ssh key and a passphrase ?
Evan Monroig <evan.monroig@example.com> writes:
> So what I did was use the ssh agent when my gnome session starts:
> ssh-add /path/to/the/ssh/key
> But when it is the cron job, I get the following error message in my logs:
> Permission denied (publickey,keyboard-interactive).
> Is there any way so that the cron job has access to the ssh key ?
ssh-agent works through environment variables.

To set up:

    ssh-agent > /some/file/that/only/you/can/read
    source /some/file/that/only/you/can/read
    ssh-add /path/to/the/ssh/key

To execute:

Make sure your cron job sources /some/file/that/only/you/can/read
before making the connection.
I guess it's a little bit better than using a no-passphrase key, but
not by much.
- No-passphrase key: If people can copy your private no-passphrase key
off the system (for example, by pretending to be you or stealing
your USB key with backups of private keys), you're screwed.
- Passphrase+agent: If people can get to your environment and the agent
socket (for example, by pretending to be you), then they can ssh to
the server and add their key to the authorized_keys file.
That's why you probably want to also use the command= field in the
server's ~/.ssh/authorized_keys. =)
Also, you'll need to remember to set it up manually every time your
ssh-agent gets restarted, like when your server gets rebooted...
--
Sacha Chua <sacha@example.com> - open source, free software geekette
http://sacha.free.net.ph/ - PGP Key ID: 0xE7FDF77C
interests: emacs, gnu/linux, personal information management, public speaking
sachac on irc.freenode.net#emacs . YM: sachachua83
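
Added example, not part of the original message: a cron wrapper for the setup described in the reply above. It refuses an agent file that others can read, detects an agent that is gone after a reboot or has no key loaded, and shows a command= line for the server in a comment. The AGENT_ENV path, backup@server.example, the nightly-backup command and the key placeholder are assumptions.

```sh
#!/bin/sh
# Cron wrapper (added example): reuse an ssh-agent that was unlocked by hand.
# Assumed names: AGENT_ENV path, backup@server.example, nightly-backup.
#
# Server side, one line in ~/.ssh/authorized_keys (key is a placeholder):
#   command="/usr/local/bin/nightly-backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY> cron-key
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Succeed only if the file is ours and has no group/other permission bits.
agent_env_is_private() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Source the saved ssh-agent output and confirm the agent still answers.
# Returns: 0 ok, 2 missing or readable by others, 3 agent gone (for
# example after a reboot), 4 agent running but no key loaded.
load_agent() {
    agent_env_is_private "$1" || return 2
    . "$1" >/dev/null
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 3
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) return 0 ;;   # at least one identity is loaded
        1) return 4 ;;   # agent reachable, ssh-add not run yet
        *) return 3 ;;   # agent not reachable
    esac
}

run_job() {
    load_agent "$AGENT_ENV" || return $?
    # BatchMode makes ssh fail instead of waiting for a prompt under cron.
    ssh -o BatchMode=yes backup@server.example /usr/local/bin/nightly-backup
}

# Run only when asked, e.g. from crontab: 0 3 * * * /path/to/this/script --run
if [ "${1:-}" = "--run" ]; then
    run_job
    exit $?
fi
```

A non-zero exit of 3 or 4 in the cron mail means the agent has to be started and the key added again by hand.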