From owner-freebsd-security Wed Jun 12 00:25:37 2002
Date: Wed, 12 Jun 2002 10:24:06 +0300
From: Peter Pentchev
To: twig les
Cc: Jack Xiao, freebsd-security@freebsd.org, Lowell Gilbert, "Mark S.", Derek Ragona
Subject: Re: ssh questions
Message-ID: <20020612102406.C73294@straylight.oblivion.bg>
In-Reply-To: <20020612000355.11939.qmail@web10107.mail.yahoo.com>

On Tue, Jun 11, 2002 at 05:03:55PM -0700, twig les wrote:
> Keith
>
> --- Jack Xiao wrote:
> > Hi,
> >
> > I got ssh to work without typing the username and password. But I need a
> > further step: use sftp without typing the username and password. I had
> > thought that if ssh works fine, there's no problem with sftp.
> > But I was still asked for the password when using sftp. Any ideas will be
> > appreciated.
> >
> > In addition, is it less secure for the ssh if there is no passphrase?
>
> Look into a language called "Expect". And don't be intimidated by the fact
> that it's a new language to learn. Most likely you can run a script in cron
> that will basically say:
>
> spawn ssh
> send [ssh command]
> expect [normal response]
> send [sftp command]
>
> Obviously it's a little more complex than that, but the beauty of Expect is
> that it's only a *little* more complex than that.
>
> It's not the most secure thing to do though. But you can mitigate that risk
> through permissions and maybe not giving the user a shell (not sure if that
> breaks sftp...).
>
> The book for this is called "Exploring Expect", but you could get away with
> a quick online tutorial like the one here:
>
> http://www.raycosoft.com/rayco/support/expect_tutor.html
>
> Hope that helps.

BTW, have you actually tried this with SSH and/or sftp?  I have no doubt that
it will work as far as the sending of commands, but there might be a little
problem concerning the authentication itself: SSH is really, really picky
about having the password or passphrase read from a terminal, not from just
any input stream.  Thus, when Expect opens SSH, attaching pipes to its
standard input and output, SSH will refuse to read a passphrase from its stdin
and try to read it from the controlling terminal instead.  Since a cron-run
process will have no controlling terminal, SSH will exit with a message along
the lines of 'you have no controlling terminal, unable to read passphrase'.
Thus, even with Expect, one will need to set up some form of empty-passphrase
authentication for unattended SSH/scp/sftp connections.
G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
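The thread ends on the point that an unattended sftp job needs some form of empty-passphrase authentication, and twig les suggests limiting the damage through permissions and no shell. The following POSIX sh script is an added example, written for this page and not code from the thread's participants or from OpenSSH, showing how to do exactly that with authorized_keys options: the key is accepted only from one source address and may only run the sftp server, with no pty and no forwarding, so a copied passphrase-less key gives file transfer, not a login. It also includes a small audit that lists keys in an authorized_keys file that carry no command= restriction. The sample public key, the source address 10.0.0.5 and the sftp-server path /usr/libexec/sftp-server are assumptions; the key body is a constructed fake, not a real key.

```shell
#!/bin/sh
# Added example, not part of the thread: restrict a passphrase-less key to
# sftp-only use, and audit authorized_keys for keys that are not restricted.

# Constructed sample public key: the base64 body is fake, not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfakeKeyBodyForIllustrationOnly== backup@client'

# Assumed location of the sftp subsystem binary (FreeBSD's default path).
SFTP_SERVER='/usr/libexec/sftp-server'

# restrict_key FROM_PATTERN PUBKEY
# Print an authorized_keys line that accepts PUBKEY only from FROM_PATTERN and
# only to run sftp-server: no shell, no pty, no port/agent/X11 forwarding.
restrict_key() {
    from=$1
    pubkey=$2
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$from" "$SFTP_SERVER" "$pubkey"
}

# unrestricted_keys FILE
# Print the comment field (last column) of every key in FILE that has no
# command= option, i.e. keys that still grant a full interactive login.
unrestricted_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -v 'command=' |
        awk '{ print $NF }'
    return 0
}

# demo: write a constructed authorized_keys file with one restricted and one
# unrestricted key, audit it, and print the comment of the unrestricted key.
demo() {
    tmp=$(mktemp) || return 1
    {
        echo '# keys for the backup account (constructed sample file)'
        restrict_key 10.0.0.5 "$SAMPLE_PUBKEY"
        echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDanotherFakeBody== admin@laptop'
    } > "$tmp"
    unrestricted_keys "$tmp"
    rm -f "$tmp"
}

demo
```

Run it as `sh restrict-sftp-key.sh`; it prints `admin@laptop`, the one key in the constructed file that still allows a shell. To apply the idea for real, generate the job's key with an empty passphrase on the client, paste the output of `restrict_key` into the target account's ~/.ssh/authorized_keys, and run `unrestricted_keys` over that file periodically so a key that was meant for sftp only does not quietly regain login rights.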