gabriel rosenkoetter on Wed, 05 Feb 2003 09:10:35 -0500

On Tue, Feb 04, 2003 at 08:50:00PM -0500, Tobias DiPasquale wrote:
> What you need is ssh-agent(1). This can store the password for you so
> the Perl script won't need to respond to the prompt (because it won't be
> prompted, as the agent will reply behind the scenes with the correct
> password). Check it out.

It may be seen as nitpicking, but it's kind of an important distinction that that is NOT what an SSH agent does. The point is precisely not to authenticate to the remote host using a shared secret (a password). Rather, SSH agents use a public/private key pair, which you can use just fine without the agent, of course (see ssh-keygen(1)). The agent merely requests your passphrase to unencipher your private key so that it does not need to later ask for that passphrase again when authenticating to the remote host.

For the purposes of authenticating an automated process, you want to use an account on the remote host with access limited to precisely what it needs to do and a null-passphrased key (just hit enter when asked for a passphrase by ssh-keygen(1)). You can limit what command(s) a given key can perform in ~/.ssh/authorized_keys on the remote host, and doing so would be a good idea (setting up a pseudo-user account for the purpose AS WELL would be an even better one).

On Tue, Feb 04, 2003 at 08:53:30PM -0500, Eugene Smiley wrote:
> epike wrote:
> > the idea is to store your private key
>                             ^^^^^^^
> Okay.
>
> > on your local server, and store
> > the private key on the remote server---no
>       ^^^^^^^
> Maybe I am confused. Shouldn't this be public key or does ssh use symmetric
> encryption?

No, I have to assume epike mis-typed. The private key should never leave your possession, virtually or physically. Leaving it on the hard drive of a system shared with others isn't even the best of ideas. (My keys that let me into places as a regular user I keep on workstations, my keys that let me into places as root are on a floppy that travels with me.)

The part of the key on the server is, just as you would expect, a public key. You can't, in any proper sense, use symmetric encryption for authentication. Even when you authenticate with a shared secret, the connection across which you do so is enciphered by way of the ssh server's host public/private key.

On Tue, Feb 04, 2003 at 10:27:19PM -0500, Chris Hedemark wrote:
> Don't bother using passwords at all. Use keys. OpenSSH has all the
> tools to do it, and there is a perl module to work with scp directly
> (Net::SCP) at http://search.cpan.org/author/IVAN/Net-SCP-0.06/SCP.pm

Net::SSH and Net::SFTP also exist. The Net::SFTP interface looks to be a pretty clean port from Net::FTP, if you're thinking about transitioning existing scripts, though I haven't played with it enough to see the kinks.

-- 
gabriel rosenkoetter
gr@eclipsed.net
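The per-key restriction gabriel recommends for a null-passphrase automation key, worked through as an added example (not code from the thread or from OpenSSH): a forced-command wrapper on the remote host that only lets the key run a fixed list of commands. The wrapper path, the pseudo-user, the two allowed commands and the key comment are assumed values for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for an automation key (assumed path: /usr/local/bin/backup-only).
# Assumed authorized_keys line for the pseudo-user on the remote host:
#   command="/usr/local/bin/backup-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... automation@client
# With command= set, sshd runs this script instead of whatever the client asked
# for, and puts the client's original request in SSH_ORIGINAL_COMMAND.

# allowed_command REQUEST
# Returns 0 only for an exact match against the allow-list. Because the match
# is on the whole string, appended text such as "; rm -rf /" never matches.
allowed_command() {
    case "$1" in
        "scp -t /var/backups/incoming") return 0 ;;   # client pushes a backup file
        "/usr/local/bin/rotate-logs")   return 0 ;;   # assumed maintenance script
        *)                              return 1 ;;
    esac
}

# reject REQUEST
# Log the refused request for the operator and tell the client nothing useful.
reject() {
    logger -p auth.warning -t backup-only "refused forced-command request: $1"
    printf 'command not permitted for this key\n' >&2
    exit 1
}

# Only dispatch when invoked by sshd (it sets SSH_CONNECTION). Run or sourced
# elsewhere, e.g. under a test, the script just defines the functions above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    req="${SSH_ORIGINAL_COMMAND:-}"        # empty when the client asked for a shell
    if allowed_command "$req"; then
        # Unquoted expansion is safe here: the string equals a fixed allow-list entry.
        exec $req
    fi
    reject "$req"
fi
```

The `no-*` options close off port, X11 and agent forwarding and pty allocation, so even a compromised client key yields only the two listed commands.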