On Fri, Sep 05, 2003 at 03:05:22PM +0200, Alex Polite wrote:
> I have ssh access to a server (A) where public key authentication is not
> allowed. I want to access information on (A) from a cron script on
> server (B).
>
> I figure there must be a way to wrap ssh in a script that takes the
> password in clear text as one argument. It's probably heresy to a lot
> of people but I'm sure it can be done. And if the file permissions are
> set right I don't see why it should be any less secure than public
> keys with empty pass phrases.
>
> But how is it done?

Look at 'expect'. This can fake up a terminal that you could use to feed
a password to ssh.

The reason why schemes like this are less secure than public keys with
empty passphrases is that you can set up .ssh/authorized_keys so that
public keys are forced to be able to run only a single command. This
makes single-purpose keys feasible and reasonably secure as long as the
script at the other end is prepared for hostile input. In your case,
though, there's no way to restrict the set of commands that an attacker
who compromises (B) can execute on (A) beyond how you could restrict any
local user. You might get away with it if you were sshing to a
special-purpose user with a restricted shell, maybe; but eww.

If I were you I'd definitely ask the administrator of (A) to enable
public key authentication.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]
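
The single-purpose key setup described in the reply above, as an added example that is not part of the original message: an `authorized_keys` entry with a forced command, plus a wrapper that treats the client's requested command as hostile input. The wrapper path, report directory, `report <name>` request syntax and key material are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for a single-purpose key on server (A). Constructed
# authorized_keys entry (wrapper path and key material are placeholders):
#
#   command="/usr/local/bin/report-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...PLACEHOLDER cron@B
#
# sshd runs this script whatever the client asked for and passes the client's
# requested command line in SSH_ORIGINAL_COMMAND: treat it as hostile input.

LC_ALL=C; export LC_ALL                      # make [a-z] mean ASCII only
REPORT_DIR="${REPORT_DIR:-/var/lib/reports}" # hypothetical data directory

# validate_request REQUEST
# Prints the report name and returns 0 only for "report <name>", where <name>
# is 1-32 characters from [a-z0-9_-]. Anything else returns 1.
validate_request() {
    req=$1
    case $req in
        "report "*) name=${req#"report "} ;;
        *) return 1 ;;
    esac
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    # Reject any byte outside the allow-list ('/', '.', ';', '$', space, newline...).
    case $name in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# serve_request REQUEST: the one action this key can trigger on (A).
serve_request() {
    name=$(validate_request "$1") || {
        echo "request rejected" >&2
        return 1
    }
    cat -- "$REPORT_DIR/$name.txt"
}

# sshd sets SSH_CONNECTION for every session it starts; outside sshd the file
# only defines the functions, so they can be sourced and tested.
if [ -n "${SSH_CONNECTION:-}" ]; then
    serve_request "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

With this in place, the cron job on (B) would request a report by name (for example `report disk`), and any other command line sent with that key is rejected by the wrapper.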