setting up automated ssh in cronjob

[starlite79]

I have a colleague who has set up pass phrases/keys using ssh-keygen. He would like to write a script that uses ssh to read a read-only file containing the passphrases so that the script can be automated (as in a cronjob running in the middle of the night, and no one is awake to enter passphrase). Is this possible? He mentioned adding them using ssh -add, but this is not secure.

I'm including a closed thread that looked helpful at first, but I'm not sure if this would help.


thread822-1319888

 

[chipperMDW]

Tell him to just use a key without a passphrase for automated tasks like that. Any form of "get the passphrase from a file" solution is going to boil down to the same problem: the unencrypted passphrase is on the disk. That's about as secure as having the unencrypted key (i.e. one with no passphrase) on the disk. There's no need to go to the trouble of automating passphrase entry just to make an attack take 5 seconds longer.

 

[starlite79]

Ok. I am not sure he'll be happy to hear that, but if there is no secure way to do what he wants, I'll let him know.

 

[chipperMDW]

There's not necessarily "no secure way" to do it.

What kinds of threats does he want to protect against? Do other users have login access to this machine? Physical access?

Disallowing remote access (perhaps except for a single user from a single machine) is a good first step. If he can do that and ensure physical security of the machine (specifically the RAM) and disk, it should be reasonably safe.

If he can't guarantee physical security, storing the key on an encrypted filesystem that requires a BIOS password at boot would be reasonable protection, though someone with physical access could still glean the information through the RAM if they were determined.