
setting up automated ssh in cronjob

Status
Not open for further replies.

starlite79

Technical User
Aug 15, 2008
89
US
I have a colleague who has set up pass phrases/keys using ssh-keygen. He would like to write a script that uses ssh to read a read-only file containing the passphrases so that the script can be automated (as in a cronjob running in the middle of the night, and no one is awake to enter the passphrase). Is this possible? He mentioned adding them using ssh-add, but this is not secure.

I'm including a closed thread that looked helpful at first, but I'm not sure if this would help.


thread822-1319888

 
Tell him to just use a key without a passphrase for automated tasks like that. Any form of "get the passphrase from a file" solution is going to boil down to the same problem: the unencrypted passphrase is on the disk. That's about as secure as having the unencrypted key (i.e. one with no passphrase) on the disk. There's no need to go to the trouble of automating passphrase entry just to make an attack take 5 seconds longer.
 
Ok. I am not sure he'll be happy to hear that, but if there is no secure way to do what he wants, I'll let him know.

 
There's not necessarily "no secure way" to do it.

What kinds of threats does he want to protect against? Do other users have login access to this machine? Physical access?

Disallowing remote access (perhaps except for a single user from a single machine) is a good first step. If he can do that and ensure physical security of the machine (specifically the RAM) and disk, it should be reasonably safe.

If he can't guarantee physical security, storing the key on an encrypted filesystem that requires a BIOS password at boot would be reasonable protection, though someone with physical access could still glean the information through the RAM if they were determined.
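The replies boil down to: accept that an unattended cron job needs a key with no passphrase, and then limit what that key can do and who can use it. The script below is an added example, not something posted in this thread; it shows the standard OpenSSH way to contain such a key (a `from=`/`command=` restricted `authorized_keys` entry on the remote side, `BatchMode` so the cron job fails instead of hanging on a prompt, and a permission check on the private key file). The host `10.0.0.5`, the path `/usr/local/bin/nightly-sync`, the key path `/home/batch/.ssh/id_batch` and the public key string are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for running an unattended ssh
# job from cron with a passphrase-less key while restricting that key.

# build_restricted_authkey SOURCE_HOST FORCED_COMMAND PUBKEY
# Prints the authorized_keys line to install on the remote host. The key is
# only accepted from SOURCE_HOST, always runs FORCED_COMMAND no matter what
# the client asks for, and cannot open forwards, a pty, or an agent channel.
# If the key file is ever copied off the machine, that is all it can do.
build_restricted_authkey() {
    src="$1"; cmd="$2"; pubkey="$3"
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$src" "$cmd" "$pubkey"
}

# build_cron_ssh KEYFILE USER HOST
# Prints the ssh invocation the cron job should use. BatchMode=yes makes ssh
# exit with an error instead of waiting for a passphrase or password that
# nobody is awake to type; IdentitiesOnly=yes stops it trying agent keys.
build_cron_ssh() {
    printf 'ssh -i %s -o BatchMode=yes -o IdentitiesOnly=yes %s@%s\n' "$1" "$2" "$3"
}

# key_perms_ok KEYFILE
# Returns 0 only when the private key is readable by its owner alone
# (mode 0600). Any wider mode means the unencrypted key is exposed to other
# local users, which is exactly the risk the replies above describe.
# Uses ls -l rather than stat so it works on both GNU and BSD userlands.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Demonstration with constructed values (nothing here touches a real host).
demo_pubkey='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA batch@client'  # constructed
echo "authorized_keys line for the remote host:"
build_restricted_authkey "10.0.0.5" "/usr/local/bin/nightly-sync" "$demo_pubkey"
echo "command for the crontab entry:"
build_cron_ssh /home/batch/.ssh/id_batch batch backup.example

# Check a scratch file the way the cron script should check the real key.
scratch=$(mktemp)
chmod 600 "$scratch"
if key_perms_ok "$scratch"; then
    echo "key permissions ok"
else
    echo "refusing to run: key file is readable by others" >&2
fi
rm -f "$scratch"
```

The forced command is the important part: with `command=` set, the remote account never gets an interactive shell from this key, so even a stolen key only yields one predetermined action from one source address. Put the `key_perms_ok` check at the top of the actual cron script so it aborts loudly if the key file's mode ever drifts.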
 