On Friday 31 March 2006 03:37, Jim Cornette wrote:
> William Hooper wrote:
> > Les Mikesell wrote:
> >> On Thu, 2006-03-30 at 07:58, Anne Wilson wrote:
> >>>> If your ssh key has a passphrase, the only reason it works
> >>>> manually is that you have entered that passphrase previously and
> >>>> ssh-agent remembers it for you within that session. The cron job has
> >>>> no connection to that session and the agent wouldn't provide the
> >>>> passphrase even if it could. If you want it to run without entering
> >>>> the passphrase, make keys with an empty passphrase.
> >>>
> >>> I see. Questions, then -
> >>>
> >>>
> >>> As this LAN is behind a hardware firewall, it's probably reasonably
> >>> safe, but what risk is there?
> >>
> >> The risk is that anyone who can copy your private key can
> >> pretend to be you for any service that depends on the matching public
> >> key. It is up to the filesystem permissions
> >> to protect it.
> >
> > You can also set up the authorized_keys file so that the key is only
> > valid from certain hosts. See man sshd for the format.
>
> Didn't someone mention that keys can be made to only allow certain
> accessibility to specific functions? Like only allow rsync but nothing
> else over the connection? Then even without the passphrase implemented,
> only the specific task can be performed, key or not.
>
> Maybe I read it somewhere else or dreamed it.
>

After lots of reading I came to the conclusion that the sensible solution is
to use keychain with the --clear option, which ensures that the passphrase has
to be given on login, rather than the previous session staying live. It
appears to be working now, except for the problem of automatically loading it.
I'll start a new thread detailing that problem.

Thanks to all who tried to help.

Anne
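The two restrictions raised in the quoted replies (a key that is valid only from certain hosts, and only for rsync) can be combined in one authorized_keys entry plus a small forced-command wrapper. The following is an added example, not part of the original thread; the script path, `BACKUP_ROOT`, the client address and the key are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a passphrase-less backup key (added example).
# Assumed, not from the thread: script path, BACKUP_ROOT, client address, key.
# authorized_keys entry on the server, written as ONE line (placeholder key):
#   from="192.0.2.10",command="/usr/local/bin/rsync-only.sh --enforce",
#   no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding
#   ssh-ed25519 AAAA...placeholder backup@client
LC_ALL=C; export LC_ALL
BACKUP_ROOT="${BACKUP_ROOT:-/srv/backup}"   # hypothetical backup tree
# Return 0 only for "rsync --server [flags] . PATH..." where every PATH is
# under BACKUP_ROOT. String check only; symlinks are not resolved.
is_allowed_rsync() {
    cmd=$1
    unsafe='*[!A-Za-z0-9 ._/-]*'        # any character outside this set
    # The rsync client asks sshd to run a command of exactly this shape.
    case $cmd in "rsync --server "*) ;; *) return 1 ;; esac
    # Refuse metacharacters, quotes, "=", newlines and ".." traversal.
    case $cmd in $unsafe|*..*) return 1 ;; esac
    set -f; set -- $cmd; set +f         # split on whitespace without globbing
    shift 2                             # drop "rsync --server"
    seen_dot=0; paths=0
    for w in "$@"; do
        if [ "$seen_dot" = 1 ]; then    # after the "." come the paths
            case $w in
                "$BACKUP_ROOT"/*) paths=$((paths + 1)) ;;
                *) return 1 ;;
            esac
        elif [ "$w" = . ]; then seen_dot=1
        else
            case $w in
                --sender|--delete) ;;   # long options this job may use
                --*|*/*) return 1 ;;    # other long options, path-valued flags
                -*) ;;                  # short flag cluster, e.g. -logDtpre.iLsf
                *) return 1 ;;
            esac
        fi
    done
    [ "$paths" -ge 1 ]
}
# sshd puts the client's request in SSH_ORIGINAL_COMMAND (unset for a login).
enforce() {
    if is_allowed_rsync "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND      # word-split only; no eval, no shell
    fi
    logger -t rsync-only "denied: ${SSH_ORIGINAL_COMMAND:-interactive login}"
    echo "rsync-only: command not permitted" >&2
    exit 1
}
if [ "${1:-}" = "--enforce" ]; then enforce; fi
```

With this entry a stolen copy of the passphrase-less key is usable only from the listed host and only to run rsync against the backup tree. rsync also ships a fuller filter of this kind, the rrsync script.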