Problems with rsync over ssh

Anne Wilson cannewilson at tiscali.co.uk
Fri Mar 31 16:55:49 UTC 2006


On Friday 31 March 2006 03:37, Jim Cornette wrote:
> William Hooper wrote:
> > Les Mikesell wrote:
> >> On Thu, 2006-03-30 at 07:58, Anne Wilson wrote:
> >>>> If your ssh key has a passphrase, the only reason it works
> >>>> manually is that you have entered that passphrase previously and
> >>>> ssh-agent remembers it for you within that session.  The cron job has
> >>>> no connection to that session and the agent wouldn't provide the
> >>>> passphrase even if it could.   If you want it to run without entering
> >>>> the passphrase, make keys with an empty passphrase.
> >>>
> >>> I see.  Questions, then -
> >>>
> >>>
> >>> As this LAN is behind a hardware firewall, it's probably reasonably
> >>> safe, but what risk is there?
> >>
> >> The risk is that anyone who can copy your private key can
> >> pretend to be you for any service that depends on the matching public
> >> key. It is up to the filesystem permissions
> >> to protect it.
> >
> > You can also set up the authorized_keys file so that the key is only
> > valid from certain hosts.  See man sshd for the format.
>
> Didn't someone mention that keys can be made to only allow certain
> accessibility to specific functions? Like only allow rsync but nothing
> else over the connection? Then even without the passphrase implemented,
> only the specific task can be performed, key or not.
>
> Maybe I read it somewhere else or dreamed it.
>
After lots of reading I came to the conclusion that the sensible solution is
to use keychain with the --clear option, which ensures that the passphrase
has to be given on login, rather than the previous session staying live.  It
appears to be working now, except for the problem of automatically loading
it.  I'll start a new thread detailing that problem.

Thanks to all who tried to help.

Anne
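The two sshd mechanisms mentioned in the thread above (an authorized_keys entry that is only valid from a given host, and one that is locked to a single command such as rsync) can be combined in one key line. The following is an added example, not something posted in the thread: it builds such a line and implements the decision logic a forced-command wrapper would apply to `SSH_ORIGINAL_COMMAND`, which sshd sets to whatever command the client asked for. The wrapper path `/usr/local/bin/rsync-only`, the host `192.168.1.10` and the key text are constructed placeholders; the option names (`from=`, `command=`, `no-port-forwarding`, `no-X11-forwarding`, `no-agent-forwarding`, `no-pty`) are the real ones documented in sshd(8).

```shell
#!/bin/sh
# Added example (not from the thread): a restricted authorized_keys line for a
# passphrase-less backup key, plus the check a forced-command wrapper performs.

# Compose one authorized_keys line that
#   - only accepts the key from the given client host pattern (from=),
#   - forces every login through a wrapper instead of a shell (command=),
#   - turns off port/X11/agent forwarding and PTY allocation.
# $1 = allowed client host or IP pattern, $2 = public key ("type base64 comment").
# The wrapper path is a hypothetical placeholder.
restricted_key_line() {
    printf 'from="%s",command="/usr/local/bin/rsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Decision logic for the wrapper named in command=: sshd exports the client's
# requested command in SSH_ORIGINAL_COMMAND. Only rsync's server mode (what the
# rsync client spawns on the remote side) is admitted; anything else, including
# an interactive shell or a client-side rsync invocation, is refused.
# Returns 0 if the command may run, 1 otherwise.
rsync_only_allowed() {
    case "$1" in
        "rsync --server "*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Body of the wrapper script itself (kept as a function so the file runs offline):
# sshd sets SSH_ORIGINAL_COMMAND; an empty value means a plain login attempt.
rsync_only_main() {
    if rsync_only_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word-splitting on the original command is intentional: rsync's server
        # invocation contains no shell metacharacters, and the prefix check above
        # has already rejected anything that is not rsync --server.
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "rsync-only: command refused: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
        exit 1
    fi
}

# Demonstration with a constructed key (not a real key):
restricted_key_line "192.168.1.10" "ssh-rsa AAAATESTKEY backup@lan"
```

With this line in `~/.ssh/authorized_keys` on the backup target, a stolen copy of the unencrypted private key is only useful from the listed host and only for running rsync in server mode, which is the narrower exposure the thread was asking about. Checking the exit status of `rsync_only_allowed` against sshd's auth log (a refused command shows up on stderr of the failed session) gives a quick way to confirm the restriction is active.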