Date: Wed, 12 Jun 2002 10:24:06 +0300
From: Peter Pentchev <roam@ringlet.net>
To: twig les <twigles@yahoo.com>
Cc: Jack Xiao <jack_xiao99@hotmail.com>, freebsd-security@freebsd.org, Lowell Gilbert <lowell@world.std.com>, "Mark S." <mark@furball.net>, Derek Ragona <derek@computinginnovations.com>
Subject: Re: ssh questions
Message-ID: <20020612102406.C73294@straylight.oblivion.bg>
In-Reply-To: <20020612000355.11939.qmail@web10107.mail.yahoo.com>; from twigles@yahoo.com on Tue, Jun 11, 2002 at 05:03:55PM -0700
References: <OE39kl4AU1O6YalkXh3000015ab@hotmail.com> <20020612000355.11939.qmail@web10107.mail.yahoo.com>

On Tue, Jun 11, 2002 at 05:03:55PM -0700, twig les wrote:
> Keith
>
> --- Jack Xiao <jack_xiao99@hotmail.com> wrote:
> > Hi,
> >
> > I got ssh to work without typing the username and
> > password. But need further
> > step, use sftp without typing username and password.
> > I have thought if ssh
> > works fine, there's no problem with sftp. But I was
> > still asked for the
> > password when using sftp. Any ideas will be
> > appreciated.
> >
> > In addition, is it less secure for the ssh if there
> > is no passphrase?
>
> Look into a language called "Expect".  And don't be
> intimidated by the fact that it's a new language to
> learn.  Most likely you can run a script in cron that
> will basically say:
>
> spawn ssh
> send [ssh command]
> expect [normal response]
> send [sftp command]
>
> Obviously it's a little more complex than that, but
> the beauty of Expect is that it's only a *little* more
> complex than that.
>
> It's not the most secure thing to do though.  But you
> can mitigate that risk through permissions and maybe
> not giving the user a shell (not sure if that breaks
> sftp...).
>
> The book for this is called "Exploring Expect" but you
> could get away with a quick online tutorial like the
> one here:
>
> http://www.raycosoft.com/rayco/support/expect_tutor.html
>
> Hope that helps.

BTW, have you actually tried this with SSH and/or sftp?  I have no doubt
that it will work as far as the sending of commands, but there might be
a little problem concerning the authentication itself: SSH is really,
really picky about having the password or passphrase read from
a terminal, not from just any input stream.  Thus, when Expect opens
SSH, attaching pipes to its standard input and output, SSH will refuse
to read a passphrase from its stdin and try to read it from the
controlling terminal instead.  Since a cron-run process will have no
controlling terminal, SSH will exit with a message along the lines of
'you have no controlling terminal, unable to read passphrase'.

Thus, even with Expect, one will need to set up some form of
empty-passphrase authentication for unattended SSH/scp/sftp connections.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
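
The failure mode described in the message above, as an added example that is not part of the original e-mail: a process detached from its terminal with setsid(), which is the situation a cron job runs in, cannot open /dev/tty, the device a program uses to reach its controlling terminal. The function names are this example's own.

```python
import errno
import os


def can_open_controlling_tty():
    """Return (True, None) if /dev/tty opens, else (False, errno name)."""
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return True, None


def check_in_detached_session():
    """Fork a child, put it in a new session with setsid() so that it has
    no controlling terminal, and report whether it could open /dev/tty."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: a new session starts without a controlling terminal.
        os.close(read_end)
        os.setsid()
        ok, err = can_open_controlling_tty()
        os.write(write_end, (b"1 " if ok else b"0 ") + (err or "").encode())
        os._exit(0)
    # Parent: collect the child's one-line report.
    os.close(write_end)
    data = os.read(read_end, 64).decode()
    os.close(read_end)
    os.waitpid(pid, 0)
    flag, _, err = data.partition(" ")
    return flag == "1", (err or None)


if __name__ == "__main__":
    # From an interactive shell the first check normally succeeds;
    # the detached child fails regardless of how the parent was started.
    print("this process:  ", can_open_controlling_tty())
    print("after setsid():", check_in_detached_session())
```

Piping input to a program's stdin, as Expect does, has no effect on this check, which is why an unattended job needs an authentication method that does not prompt.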