Noah Meyerhans <[EMAIL PROTECTED]> writes:

> Creating an SSH key with a blank passphrase is *absolutely* the
> wrong way to go about this. Yes, it will work, but if anybody ever
> manages to get their hands on the private key, they've got access to
> your account on the remote machine.
>
> Passphrase protected keys can still be used for passwordless
> authentication. Please read the docs on ssh-agent and ssh-add.
This works for interactive use. But it doesn't fit the needs of cron
jobs. OK, you *can* use ssh-agent within cron jobs, but you give up
more security than you gain using such a hack.

So if you need an ssh connection within a cron job, using a blank
passphrase is absolutely the right way. *But* you should be careful
regarding some points:

1. Whenever possible use a separate sandbox user on the remote site
   for these jobs. If someone steals your key he will get full access
   to this user and nothing else.

2. If you use this connection from one or a few source hosts only, use
   the option "from=" in the authorized_keys file on the remote host.
   This will restrict access to this user to connections originating
   from the sources defined here.

3. If you run one or a few commands only on the remote host, use the
   option "command=" in the authorized_keys file on the remote host.
   If this option is given, the value will be the only command executed
   on login, even if you try to give a command on the ssh command line.
   If you need more than one command on the remote host you have to
   use multiple keys, one for each command. Or just write a shell
   script containing all commands and use that as a command.

A combination of all these methods should give you reasonable security
for giving remote access to cron jobs.

[x] ulf

-- 
Rome did not create a great empire by having meetings, they did it by
killing all those who opposed them.
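
Added example, not part of the original post: points 2 and 3 above combined, using the wrapper-script variant of point 3. It goes a little beyond the post by dispatching on SSH_ORIGINAL_COMMAND (which sshd sets to the command the client asked for) so one key can serve several fixed jobs, and by adding the no-* options. The path /usr/local/bin/cron-gate, the job script names, the address 192.0.2.10 and the key placeholder are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a passphrase-less cron key (added example).
# Assumed install path on the remote host: /usr/local/bin/cron-gate
#
# Matching entry in the sandbox user's ~/.ssh/authorized_keys (one line;
# the address and key are constructed placeholders):
#
#   from="192.0.2.10",command="/usr/local/bin/cron-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER... cron@source
#
# The cron job on the source host then runs, for example:
#   ssh -i /path/to/cron_key sandbox@remote backup-db

# Map the requested command to one fixed program path.
# Prints the path and returns 0 if the request is on the allowlist,
# returns 1 for anything else (including an empty request).
resolve_request() {
    case "$1" in
        backup-db)   echo "/usr/local/bin/backup-db.sh" ;;    # hypothetical job
        rotate-logs) echo "/usr/local/bin/rotate-logs.sh" ;;  # hypothetical job
        *)           return 1 ;;
    esac
}

# Entry point: run the allowed job, or log and refuse.
gate() {
    if cmd=$(resolve_request "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t cron-gate "allowed: ${SSH_ORIGINAL_COMMAND}"
        exec "$cmd"
    fi
    # Denied requests are logged so a stolen key being probed shows up in syslog.
    logger -t cron-gate "denied: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "cron-gate: command not permitted" >&2
    return 1
}

# Only act when invoked under the installed name (i.e. by sshd's command=).
case "$0" in
    */cron-gate) gate ;;
esac
```

The client's command string is only ever compared against exact names and is never passed to a shell, so extra arguments or shell metacharacters in the request lead to a refusal rather than to execution.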