3

Situation: Running Ubuntu 10.04. I have a bash script that tars a bunch of folders and copies them to another host over ssh. I've copied the public key to the other host so it doesn't prompt for a password. I run eval ssh-agent (with extra quotes) and ssh-add to cache the passphrase, and after that I can run the script without it prompting for anything. So far so good.

Problem: I want to run this script through a cronjob, under my own user for now (this is just a test-setup). But when I restart the machine, ssh-agent loses the keys I added via ssh-add and I have to do eval ssh-agent & ssh-add again to get it working.

Question:

  • How do I make ssh-agent run at all times? (since there won't be a user logged in when the cronjob runs)
  • How do I permanently save my rsa_id to ssh-add?

Jan Henckens

1 Answer

4

You would need to leave the pass-phrase on the ssh key blank when you create it. That way you won't need to use ssh-agent. Clearly there are security implications of that choice - but ssh-agent will always require you to enter the pass-phrase first time if the key is protected.

Technically, you could probably use expect to pass a pass-phrase to ssh-agent from a script - but if you're prepared to put your pass-phrase into a script you may as well just leave it blank.

The usual way to improve security if you follow this route is to only allow the key in question access to a specifically crafted / restricted account on the other server.

EightBitTony
  • Yes, I came to the same conclusion: leave the passphrase blank and limit the usage of the key so that it can only execute the backup-script. – Jan Henckens Jun 20 '11 at 07:29
  • It is possible to use `keychain` to access ssh-agent from cron. For details see the following article: http://www.cyberciti.biz/faq/ssh-passwordless-login-with-keychain-for-scripts/ – AlexD Jun 20 '11 at 16:20
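
The restriction discussed in the answer and the first comment (a passphrase-less key that can only run the backup) can be enforced on the receiving host with a forced command in `authorized_keys`. The wrapper below is an added example, not code from the original posts; the script path, `BACKUP_DIR`, the `store <name>.tar.gz` request form and the host name `backuphost` are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper, installed on the receiving host as
# /usr/local/bin/backup-receive.sh (assumed path). Matching authorized_keys
# entry for the passphrase-less key (key material is a placeholder):
#   command="/usr/local/bin/backup-receive.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <PUBLIC-KEY> cron-backup
# Assumed client side, run from cron:
#   tar czf - /etc | ssh backuphost "store etc-$(date +%F).tar.gz"
# sshd runs this script no matter what the client asks for and passes the
# requested command in SSH_ORIGINAL_COMMAND.

LC_ALL=C; export LC_ALL                    # make the character ranges ASCII-only
BACKUP_DIR="${BACKUP_DIR:-/srv/backups}"   # assumed destination directory

# Print the destination path for an acceptable request, else return 1.
# Accepted form (an assumption of this example): "store <name>.tar.gz"
backup_target() {
    case "$1" in
        "store "*) name=${1#store } ;;
        *) return 1 ;;
    esac
    case "$name" in
        *.tar.gz) ;;
        *) return 1 ;;
    esac
    base=${name%.tar.gz}
    # Non-empty and only [A-Za-z0-9_-]: no slashes, dots, spaces or quotes,
    # so the name cannot leave BACKUP_DIR or smuggle in shell syntax.
    case "$base" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$BACKUP_DIR" "$name"
}

# Act only when sshd supplied a requested command. An interactive login
# attempt leaves the variable unset, so the script exits and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if target=$(backup_target "$SSH_ORIGINAL_COMMAND"); then
        umask 077
        cat > "$target"      # the tar stream arrives on stdin
    else
        echo "rejected request: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
fi
```

With this in place, a copy of the private key taken from the cron host can only write validated archive names into `BACKUP_DIR`; it cannot open a shell or forward ports.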