begin quoting [EMAIL PROTECTED] as of Fri, May 30, 2008 at 04:51:35PM -0700:
> On Fri, May 30, 2008 at 02:02:33PM -0700, markw wrote:
> > Don't do it. ssh-agent has nothing to do with cron jobs. If it's
> > "passphraseless" then if the box with the private key is hacked,
> > whoever gets the private key has full privileges wherever that key is.
> > So, create a user for the job, if it has to be root, limit it via the
> > authorized_keys file, you can limit the commands run, etc. I use
> > passphraseless keys for rsnapshot.
>
> Yea I guess passphraseless RSA keys don't need ssh-agent. That's right.
> Ooops. But passphraseless RSA keys are a nice way to have cron jobs
> be able to move data to/from other machine. It would be a good idea to look
> into locking down what is possible with these keys on remote machine.

    no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="command" key

Where "command" is the command you'll allow to be run, and "key" is the
key of the connecting user.

-- 
If you can get at ~/.ssh, you can install a rootkit, and I'm toast either way.
Stewart Stremler
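
Added example, not part of the original thread: a small audit that reads authorized_keys text and reports key lines missing the forced command or the no-* options shown in the reply above. The function names, sample paths and placeholder key material are assumptions made for illustration; "restrict" is the newer OpenSSH option that implies the no-* restrictions.

```python
import re

# Options from the post, lowercased; OpenSSH matches option names case-insensitively.
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")   # line starts with a key type: no options

def split_options(line):
    """Return (options dict, rest of line); quoted values may hold commas and spaces."""
    if KEY_TYPE.match(line):
        return {}, line
    raw, buf, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 2          # \" inside quotes is a literal quote
            continue
        if ch == '"':
            in_quote = not in_quote            # delimiting quotes are not kept
        elif ch == "," and not in_quote:
            raw, buf = raw + [buf], ""         # unquoted comma ends one option
        elif ch.isspace() and not in_quote:
            break                              # unquoted whitespace ends the options
        else:
            buf += ch
        i += 1
    raw.append(buf)
    opts = {k.lower(): v for k, _, v in (r.partition("=") for r in raw)}
    return opts, line[i:].strip()

def audit(text):
    """Return [(line_no, [problems])] for key lines that are not locked down."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            opts, _ = split_options(line)
            problems = [] if opts.get("command") else ["no forced command"]
            if "restrict" not in opts:
                problems += sorted("missing " + o for o in REQUIRED - set(opts))
            if problems:
                findings.append((n, problems))
    return findings

SAMPLE = """\
# constructed sample; key material and paths are placeholders
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/bin/backup-only" ssh-rsa AAAAEXAMPLE1 cron@host
ssh-rsa AAAAEXAMPLE2 admin@laptop
command="rsync --server --sender . /srv/a, /srv/b",no-port-forwarding ssh-rsa AAAAEXAMPLE3 rsnap@host
"""

if __name__ == "__main__":
    for line_no, problems in audit(SAMPLE):
        print(f"line {line_no}: " + "; ".join(problems))
```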
