Frank,
Are you asking about password or passphrase. If password then yes, you want
to avoid this. If passphrase, I think its better to have a key-gen without a
passphrase (for automated scripts) otherwise if you will need to 'pass'
the passphrase to the ssh-agent to established a connection. There are ways to
limit security risks with non-passphrase ssh keys:
1. Only allow passphrase authentication to the receiving server. This means
you have a public/private key pair (public on the receiving end).
2. With a combination of tcpwappers and iptables.
3. Re-create the key-pair every other month.
As I understand it, a hacker would need to get the private key from the source
host inorder to connect if item 1 is true. If you pass the passphrase to the
ssh-agent during the script, then a plaintext passphrase must exist in a file on
the system so if a hacker does compromise the server, they have access to the
remote host either way.
I have several scripts running on remote server doing this very thing with
passphrase-less keys. The server they connect to only allows passphrase
authentiction so inorder to connect, you must have a public key on the server.
Its works very well for me, never any security breaches....
Vernon Fort
-----Original Message-----
From: Frank Perugini [mailto:frankp@web-worx.com]
Sent: Tuesday, February 12, 2002 6:42 PM
To: rsync@lists.samba.org
Subject: rsync over ssh and passwords
Hello everyone,
I am trying to write a wrapper around rsync to do some automated file
sync-ing between two servers. I am using ssh as the tranport. How can I
avoid the password prompt for ssh?
I think I can configure ssh to not require passwords, but this would expose
the obvious security risk.What are other users doing to get by this? Is
there some tricks I can do in scripting that would allow me to keep the
password in place and pass it to ssh to force it to continue?
I want to keep this transfer as secure as possible.
I'm sure this is a common thing to do. I just can't figure it out.
Thanks,
-Frank