6.10. Authenticating in cron Jobs
Problem
You want to invoke unattended remote commands, i.e., as cron or batch jobs, and do it securely without any prompting for passwords.
Solution
Use a plaintext key and a forced command.
Create a plaintext key:
$ cd ~/.ssh
$ ssh-keygen -t dsa -f batchkey -N ""
Install the public key (batchkey.pub) on the server machine. [Recipe 6.4]
Associate a forced command with the public key on the server machine, to limit its capabilities:
~/.ssh/authorized_keys:
command="/usr/local/bin/my_restricted_command" ssh-dss AAAAB3NzaC1kc3MAA ...
Disable other capabilities for this key as well, such as forwarding and pseudo-ttys, and if feasible, restrict use of the key to a particular source address or set of addresses. (The entry below is a single line in authorized_keys.)
~/.ssh/authorized_keys:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="myclient.example.com",command="/usr/local/bin/my_restricted_command" ssh-dss AAAAB3NzaC1kc3MAA ...
Use the plaintext key in batch scripts on the client machine:
$ ssh -i ~/.ssh/batchkey remotehost ...
Alternatively, use hostbased authentication [Recipe 6.8] instead of public-key authentication.
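One possible body for the forced command named in the Solution, as an added example rather than code from the book: a wrapper that reads the client's request from SSH_ORIGINAL_COMMAND (set by sshd when a forced command is in effect) and runs only a fixed job for each recognised name. The job names, the commands they map to, and the "batchkey" log tag are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical body for /usr/local/bin/my_restricted_command (added example).
# sshd runs this script instead of whatever the client asked for; the
# client's request is available only as text in SSH_ORIGINAL_COMMAND.

# Map a requested job name to a fixed command line. Exact string match only:
# nothing supplied by the client is passed to a shell or used as an argument.
# The job names and commands are constructed for illustration.
resolve_job() {
    case "$1" in
        disk-usage) echo "df -P /" ;;
        uptime)     echo "uptime" ;;
        *)          return 1 ;;
    esac
}

# Handle one request: log the decision, then run the fixed command or refuse.
handle_request() {
    if job=$(resolve_job "$1"); then
        logger -t batchkey "allowed: $1" 2>/dev/null || true
        $job    # word-splitting is intended; the value comes from resolve_job
    else
        logger -t batchkey "denied: $1" 2>/dev/null || true
        echo "batchkey: request denied" >&2
        return 1
    fi
}

# Act only when sshd passed a client request. With no request (someone tried
# an interactive login with the key) nothing runs and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    handle_request "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

With this wrapper installed, the batch script on the client would name a job, for example `ssh -i ~/.ssh/batchkey remotehost disk-usage`, and any other request string is refused and logged.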
Discussion
A plaintext key is a cryptographic key with no passphrase. Usually it’s not appropriate to omit the passphrase, since a thief who steals the key could immediately use it to impersonate you. But for batch jobs, plaintext keys are a reasonable approach, especially if the key’s scope can ...