On 09/13/2018 07:54 PM, Darren Tucker wrote:
> I'd guess that the reason it doesn't work is that the key is encrypted
> and neither the agent nor a tty to ask for the decryption passphrase
> is available. Try repeating your command line test after unsetting
> SSH_AUTH_SOCK
>
Okay. That reproduced the issue.
Is there a recommended way to provide the decryption passphrase?

$ export SSH_AUTH_SOCK=""
$ bin/sftp-sma-download
command: /usr/bin/sftp -P 1022 -p -o GSSAPIAuthentication=no -i /home/xxx/.ssh/jumpline -b /home/xxx/bin/sftp-sma-download-batch yyy at sohnen-moe.com
yyy at sohnen-moe.com: Permission denied (publickey).
Connection closed
SFTP did not go well [255]

$ export SSH_AUTH_SOCK="/run/user/1000/keyring/ssh"
$ bin/sftp-sma-download
command: /usr/bin/sftp -P 1022 -p -o GSSAPIAuthentication=no -i /home/xxx/.ssh/jumpline -b /home/xxx/bin/sftp-sma-download-batch yyy at sohnen-moe.com
sftp> #
sftp> cd /home/YYY/sma/db
etc...

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
On 14 September 2018 at 17:01, James Moe <jimoe at sohnen-moe.com> wrote:
> On 09/13/2018 07:54 PM, Darren Tucker wrote:
>
>> I'd guess that the reason it doesn't work is that the key is encrypted
>> and neither the agent nor a tty to ask for the decryption passphrase
>> is available. Try repeating your command line test after unsetting
>> SSH_AUTH_SOCK
>>
> Okay. That reproduced the issue.
> Is there a recommended way to provide the decryption passphrase?

It's possible but tricky by writing a custom SSH_ASKPASS program, but
that doesn't buy you much over having the key unencrypted (ie both the
key and the passphrase needed to decrypt it have to be readable by your
user).

Other than that, the options are:

- starting an ssh-agent specifically for your cron job, loading the key
  and arranging for your cron job to have SSH_AUTH_SOCK pointing to that
  agent's socket. The down side is you'll need human intervention after a
  restart.

- use a key without a passphrase and set a key restriction on the server
  (from=[ip address], see sshd(8)) to make sure it can only be used from
  where it's intended (not perfect, but it's better than nothing).

- set up HostBasedAuthentication instead (you'll also need to enable
  EnableSSHKeysign in ssh_config on the client).

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
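The second option above, a passphrase-less key tied down with a from= restriction in authorized_keys, worked through as an added example. This is not code from the thread, from James' script, or from OpenSSH; it is a POSIX sh script that parses authorized_keys lines quote-aware (options can hide commas and spaces inside quoted values, as in command="..." or from="a,b"), reports every key that has no from= restriction, and emits a restricted copy of a line. The function names, the sample file and its placeholder key material are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an authorized_keys file for keys
# that lack the from= source restriction and emit a restricted copy of a line.
# Needs only POSIX sh, awk, cut and mktemp. All names and sample data are
# constructed for this example.

# Quote-aware splitter: prints "<options><TAB><keytype> <key> [comment]".
# The options field ends at the first unquoted blank; it is empty when the
# line starts with a key type (ssh-*, ecdsa-*, sk-*). "?" marks a malformed line.
ak_split() {   # $1 = one authorized_keys line
    printf '%s\n' "$1" | awk '
    function is_keytype(s) { return s ~ /^(ssh-|ecdsa-|sk-)[^ \t]+[ \t]/ }
    {
        if (is_keytype($0)) { print "\t" $0; next }
        inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (inq && c == "\\") { i++; continue }      # skip escaped char in quotes
            if (c == "\"") { inq = !inq; continue }
            if (!inq && (c == " " || c == "\t")) {
                rest = substr($0, i + 1); sub(/^[ \t]+/, "", rest)
                if (is_keytype(rest)) { print substr($0, 1, i - 1) "\t" rest; next }
                break
            }
        }
        print "?\t" $0
    }'
}

# Quote-aware option check: does the options field carry NAME (bare or NAME=...)?
# Commas inside quoted values (command="a,b", from="x,y") do not split options.
ak_has_option() {   # $1 = authorized_keys line, $2 = option name, e.g. from
    opts=$(ak_split "$1" | cut -f1)
    [ "$opts" != "?" ] || return 1
    printf '%s\n' "$opts" | awk -v name="$2" '
    {
        inq = 0; tok = ""; found = 0
        for (i = 1; i <= length($0) + 1; i++) {
            c = (i <= length($0)) ? substr($0, i, 1) : ","   # "," closes the last token
            if (inq && c == "\\") { tok = tok c substr($0, i + 1, 1); i++; continue }
            if (c == "\"") { inq = !inq; tok = tok c; continue }
            if (!inq && c == ",") {
                if (tok == name || index(tok, name "=") == 1) found = 1
                tok = ""; continue
            }
            tok = tok c
        }
        exit found ? 0 : 1
    }'
}

# Report every key line, flagging those without a from= source restriction.
# Prints "OK|UNRESTRICTED <comment-or-keytype>" per key; the exit status is
# the number of unrestricted keys (0 = every key is restricted).
audit_authorized_keys() {   # $1 = path to an authorized_keys file
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        rest=$(ak_split "$line" | cut -f2-)
        label=$(printf '%s\n' "$rest" | awk '{ print ($3 != "" ? $3 : $1) }')
        if ak_has_option "$line" from; then
            printf 'OK           %s\n' "$label"
        else
            printf 'UNRESTRICTED %s\n' "$label"
            bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}

# Prepend from="ADDR" to a key line that lacks it, keeping any other options.
# ADDR is a pattern list as accepted by sshd(8), e.g. 192.0.2.10 or a CIDR block.
ak_restrict() {   # $1 = authorized_keys line, $2 = address pattern for from=
    if ak_has_option "$1" from; then printf '%s\n' "$1"; return 0; fi
    tab=$(printf '\t')
    split=$(ak_split "$1")
    opts=${split%%"$tab"*}
    rest=${split#*"$tab"}
    [ "$opts" != "?" ] || { printf '%s\n' "$1"; return 1; }   # malformed: leave untouched
    if [ -n "$opts" ]; then
        printf 'from="%s",%s %s\n' "$2" "$opts" "$rest"
    else
        printf 'from="%s" %s\n' "$2" "$rest"
    fi
}

# Constructed sample authorized_keys; the base64 blobs are placeholders, not keys.
# Line 3 deliberately hides the text from= inside a quoted command= value.
write_sample_authorized_keys() {   # $1 = output path
    cat > "$1" <<'EOF'
# constructed sample for the audit example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial1 backup@host1
from="192.0.2.10",no-pty ssh-rsa AAAAB3NzaC1yc2EFakeKeyMaterial2 cron@host2
command="echo from=\"not an option\"",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FakeKeyMaterial3 trap@host3
from="203.0.113.0/24,192.0.2.0/24" ecdsa-sha2-nistp256 AAAAE2VjZHNhFakeKeyMaterial4 admin@host4
EOF
}

# Stand-alone demo over the constructed sample file.
tmp=$(mktemp)
write_sample_authorized_keys "$tmp"
audit_authorized_keys "$tmp" || echo "$? key(s) lack a from= restriction"
rm -f "$tmp"
```

On the sample file the audit flags backup@host1 (no options at all) and trap@host3 (the from= is inside a quoted command value, not an option), and accepts the other two, including the from= whose value contains a comma. Run it as `sh audit.sh`, or source it and call `ak_restrict "$line" 192.0.2.10` to produce the line to put into authorized_keys for the cron host; from= matches the address sshd sees, so a client behind NAT or a jump host needs that address, not its own.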
On 9/14/18 5:07 AM, Darren Tucker wrote:
>> Is there a recommended way to provide the decryption passphrase?
>
> it's possible but tricky by writing a custom SSH_ASKPASS program, but
> that doesn't buy you much over having the key unencrypted (ie both the
> key and the passphrase needed to decrypt it have to be readable by your
> user).
>
I decided it is no burden to manually run the script.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.