Date: Fri, 9 Apr 2004 20:51:01 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Brent Wiese <brently@bjwcs.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Rsync autologin over ssh question
Message-ID: <20040409195101.GA3858@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040409192147.FKIQ16183.fed1rmmtao07.cox.net@SAMBA>
References: <20040405200457.GC10534@happy-idiot-talk.infracaninophile.co.uk> <20040409192147.FKIQ16183.fed1rmmtao07.cox.net@SAMBA>

On Fri, Apr 09, 2004 at 12:21:33PM -0700, Brent Wiese wrote:
> Here is what I need to do:
>
> I need to somehow automate an rsync from 1 box to several others.
>
> I have set up SSH for RSAAuthentication, the method I'd prefer to use (over
> RHostsRSA).
>
> I am able to slogin to the other boxes w/o supplying the passphrase.
>
> But here is where I'm stuck. How do I make a script run w/o the passphrase?
>
> The goal is to put this script in the user's crontab.
>
> I've googled for help on this, which is how I got to the point I'm at, but
> now I need some further guidance.
>
> I am notified by email when the boxes reboot, so logging back into them to
> add the passphrase back into memory isn't a problem. I'd rather not use
> Rhosts if I can avoid it, and I also want to avoid running rsync daemon.
>
> If anyone has suggestions on a better and/or more secure method to do this,
> happy to hear it.
>
> Ultimately, I'd also like to be able to trigger this sync from a webpage, so
> if anyone has done that (using sudo I'd imagine), feel free to suggest
> things there too.

This is covered in the SSH FAQ --
http://www.snailbook.com/faq/no-passphrase.auto.html

Since you have ruled out RhostsRSA, you're left with two options:

  i) SSH key with plaintext key file (i.e. no passphrase). If you
     choose this method, be sure to read the section in sshd(8) about
     the options you can use in the ~/.ssh/authorized_keys file, to
     minimize the possible damage that could occur if that key gets
     stolen.

  ii) Public key with SSH agent. Read about ssh-agent(1) and
      ssh-add(1). For scripting purposes, you can start up a
      long-running ssh-agent process, saving the output to a file:

          # ssh-agent -s > ssh-agent-env

      Then manually ssh-add the key and passphrase to that agent:

          # sh -c '. ssh-agent-env ; ssh-add my-remote-access-key'

      All your scripts need to do then is source the environment
      settings you saved:

          #!/bin/sh

          . ssh-agent-env

          [... etc ...]

In either of these cases be sure that each machine has the ssh public
key of the other in the appropriate known-hosts files and that you
verify that you can use ssh with your key on the command line to get
into the machine without being challenged for a password.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
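
The agent approach (option ii) as a cron-ready wrapper. This is an added example, not part of the message above; the AGENT_ENV path, the SSH_ADD override and the function names are assumptions made for illustration. It refuses to source an env file that other users could write, and it tells an agent that holds no key apart from one that is gone after a reboot:

```shell
#!/bin/sh
# Added example (not from the original message): cron wrapper for a
# long-running ssh-agent whose settings were saved with `ssh-agent -s`.
# AGENT_ENV, SSH_ADD and the function names are assumptions.

AGENT_ENV=${AGENT_ENV:-$HOME/ssh-agent-env}   # use a path containing a slash
SSH_ADD=${SSH_ADD:-ssh-add}                   # overridable for testing

# The env file is executed as shell code when sourced, so accept it only
# if it is a regular file we own that group and others cannot write.
env_file_safe() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -u)" ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Status: 0 agent holds a key, 1 agent has no identities,
# 2 agent unreachable (ssh-add's own codes), 3 env file rejected.
agent_ready() {
    env_file_safe "$1" || return 3
    . "$1" >/dev/null            # discard the "Agent pid" echo
    "$SSH_ADD" -l >/dev/null 2>&1
}

# usage: main SRC HOST:DEST
main() {
    rc=0
    agent_ready "$AGENT_ENV" || rc=$?
    case $rc in
        0) ;;
        1) echo "agent has no key loaded: run ssh-add again" >&2; return 1 ;;
        2) echo "agent unreachable (reboot?): restart ssh-agent, then ssh-add" >&2
           return 1 ;;
        3) echo "refusing $AGENT_ENV: not ours, or writable by others" >&2
           return 1 ;;
        *) echo "ssh-add failed with status $rc" >&2; return 1 ;;
    esac
    # BatchMode makes ssh fail rather than prompt, so cron never hangs
    # waiting for a passphrase or password.
    rsync -az -e 'ssh -o BatchMode=yes' "$1" "$2"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run from cron with the source and destination as its two arguments; a non-zero exit leaves the reason on stderr, which cron mails to the job's owner.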
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040409195101.GA3858>