on Fri, Sep 05, 2003 at 03:44:23PM +0100, Colin Watson ([EMAIL PROTECTED]) wrote:
> On Fri, Sep 05, 2003 at 03:05:22PM +0200, Alex Polite wrote:
> > I have ssh access to a server (A) where public key authentication is not
> > allowed. I want access information on (A) from a cron script on
> > server (B).
> >
> > I figure there must be a way to wrap ssh in script that takes the
> > password in clear text as one argument. It's probably heresy to a lot
> > of people but I'm sure it can be done. And if the file permissions are
> > set right I don't see why it should be any less secure than public
> > keys with empty pass phrases.
> >
> > But how is it done?
>
> Look at 'expect'. This can fake up a terminal that you could use to feed
> a password to ssh.
>
> The reason why schemes like this are less secure than public keys with
> empty passphrases is that you can set up .ssh/authorized_keys so that
> public keys are forced to be able to run only a single command. This
> makes single-purpose keys feasible and reasonably secure as long as the
> script at the other end is prepared for hostile input. In your case,
> though, there's no way to restrict the set of commands that an attacker
> who compromises (B) can execute on (A) beyond how you could restrict any
> local user. You might get away with it if you were sshing to a
> special-purpose user with a restricted shell, maybe; but eww.
>
> If I were you I'd definitely ask the administrator of (A) to enable
> public key authentication.

Seconding all of the above.

I'd also recommend the O'Reilly SSH book, which covers a number of remote execution scenarios in attended and unattended modes.

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
If spam is the question, Spamassassin is the answer.
http://spamassassin.taint.org/
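
The single-command key restriction described in the quoted reply, sketched as an added example that is not part of the original thread: a forced-command wrapper on (A) that treats the client's requested command as hostile input. The wrapper path, the action names `disk` and `uptime`, and the key placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On (A), the key used by (B)'s cron job
# is pinned to this script in ~/.ssh/authorized_keys (one line; the path, key
# and comment are placeholders):
#   command="/usr/local/bin/cron-report",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY> cron@B
# sshd then ignores the command the client asked for and only passes it along
# in SSH_ORIGINAL_COMMAND, which must be treated as hostile input.

# Map a client request to a fixed action name; anything else is rejected.
# The request is only compared as a literal string, never eval'd or
# word-split, so shell metacharacters in it have no effect.
select_action() {
    case "$1" in
        disk|uptime) printf '%s\n' "$1" ;;
        *)           return 1 ;;
    esac
}

# Run the fixed command behind an action name (hypothetical report commands).
run_action() {
    case "$1" in
        disk)   df -P ;;
        uptime) uptime ;;
    esac
}

main() {
    if action=$(select_action "${SSH_ORIGINAL_COMMAND:-}"); then
        run_action "$action"
    else
        echo "request rejected" >&2
        exit 1
    fi
}

# Only act when started by sshd, which sets SSH_CONNECTION for the session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

With this in place, (B)'s cron job would run something like `ssh user@A disk`; any other request, including an interactive login with no command, is refused.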