Bug#756172: ITP: ssh-cron -- cron-like job scheduler that handles ssh key passphrases

2014-07-27 Thread peter green


> ssh-cron acts like cron, but is provided with ssh passphrases allowing
> its commands to access remote systems without requiring a passphrase
> to be stored in a clear-text file or resorting to ssh keys without
> passphrases.
  
How is it provided with them? Is the user required to enter them on
startup? Are they stored somewhere? If the latter, how is it more secure
than using a key without a passphrase?







2014-07-27 Thread tony mancill
On 07/27/2014 06:45 AM, peter green wrote:

>> ssh-cron acts like cron, but is provided with ssh passphrases allowing
>> its commands to access remote systems without requiring a passphrase
>> to be stored in a clear-text file or resorting to ssh keys without
>> passphrases.
>
> How is it provided with them? Is the user required to enter them on
> startup? Are they stored somewhere? If the latter, how is it more secure
> than using a key without a passphrase?

Hi Peter,

The passphrases are managed via ssh-agent, which will employ ssh-askpass
to collect the necessary passphrase(s) at startup.  You can get an
overview of the sequence via the manpage:

   http://sshcron.sourceforge.net/ssh-cron.1.html

Cheers,
tony








2014-07-27 Thread tony mancill
/me mutters something about being incompatible with reportbug...

The upstream author and URL should have been in the original report
(corrected below).

On 07/27/2014 01:54 AM, Marc Haber wrote:
> On Sat, 26 Jul 2014 21:05:37 -0700, tony mancill tmanc...@debian.org
> wrote:
>> * Package name    : ssh-cron
>>   Version         : 0.91.01
>>   Upstream Author : Frank B. Brokken f.b.brok...@rug.nl
>> * URL             : http://sshcron.sourceforge.net/
>> * License         : GPL-2+
>>   Programming Lang: C++
>>   Description     : cron-like job scheduler that handles ssh key passphrases
>>
>>  ssh-cron acts like cron, but is provided with ssh passphrases allowing
>>  its commands to access remote systems without requiring a passphrase
>>  to be stored in a clear-text file or resorting to ssh keys without
>>  passphrases.
>
> Why would one use such a tool? Passphraseless keys exist, and can be
> configured to be secure.

Hello Marc,

Thank you, Ansgar and Paul for responses regarding other ways to perform
these tasks. Specifically:

> It is possible to restrict keys in .ssh/authorized_keys so that they are
> only allowed to run specific commands, see the 'command=command' bit in
> man:sshd(8). One probably wants to combine this with no-port-forwarding
> and similar options.

and in more detail:

 http://blog.ganneff.de/blog/2007/12/29/ssh-triggers.html

The idea for ssh-cron is to be able to use the keys (one might currently
already have) without having to generate separate keys for triggers, and
while maintaining a passphrase.  Whether or not that's advisable given
alternatives such as ssh triggers depends on your risk tolerance and the
specifics of your environment.

It seems like with Ganneff's trigger mechanism, one attack vector is to
steal a backup of the passphraseless key and spoof the source IP - now
you can run the trigger at will.  Having a passphrase on the key could
at least slow the attacker down.  I could imagine using ssh-cron
together with command= for a higher level of security.

In any event, thank you for the discussion.  I'll confer with the
upstream author before proceeding with the package.

Regards,
tony
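The key restrictions discussed in this message (`command=`, `no-port-forwarding` "and similar options", and a source-address limit) can be checked mechanically. The following is an added example, not part of the thread and not ssh-cron code: a small auditor for `authorized_keys` entries. It assumes the source-IP restriction is sshd's `from=` option, and it also recognises `restrict`, which OpenSSH added in 7.2, after this thread; the sample entries and paths are constructed.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")  # start of the key field
# sshd(8) option keywords are case-insensitive, so compare in lower case.
NO_OPTS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?,?')

def split_options(line):
    """Split one authorized_keys entry into (options dict, remainder)."""
    if line.startswith(KEY_TYPES):           # no options field at all
        return {}, line
    opts, i = {}, 0
    while i < len(line) and line[i] != " ":  # spaces are only legal inside quotes
        m = OPTION.match(line, i)
        if not m:
            raise ValueError("unparseable options near: " + line[i:i + 20])
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        i = m.end()
    return opts, line[i:].lstrip()

def audit(text):
    """Return [(line number, key comment, missing restrictions)] for weak entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        missing = [k + "=" for k in ("command", "from") if k not in opts]
        if "restrict" in opts:   # restrict disables everything unless re-enabled
            missing += sorted(o for o in NO_OPTS if o[3:] in opts)
        else:
            missing += sorted(NO_OPTS - opts.keys())
        parts = rest.split(None, 2)
        if missing:
            findings.append((lineno, parts[2] if len(parts) > 2 else "", missing))
    return findings

# Constructed sample; the key blobs are placeholder text, not real keys.
SAMPLE = """\
# trigger keys
ssh-ed25519 AAAAplaceholder1 backup@host-a
command="/usr/local/bin/run-trigger",no-port-forwarding ssh-ed25519 AAAAplaceholder2 trigger@host-b
from="192.0.2.10",command="/usr/local/bin/run-trigger",restrict ssh-ed25519 AAAAplaceholder3 trigger@host-c
"""

if __name__ == "__main__":
    for lineno, comment, missing in audit(SAMPLE):
        print(f"line {lineno} ({comment}): missing {', '.join(missing)}")
```

An entry that passes this check still relies on the private key staying secret; the passphrase question raised in the thread is a separate layer.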







2014-07-27 Thread Philipp Kern
On Sun, Jul 27, 2014 at 08:40:03AM -0700, tony mancill wrote:
> It seems like with Ganneff's trigger mechanism, one attack vector is to
> steal a backup of the passphraseless key and spoof the source IP - now
> you can run the trigger at will.  Having a passphrase on the key could
> at least slow the attacker down.  I could imagine using ssh-cron
> together with command= for a higher level of security.

Uhm, spoof the source IP? This is not UDP, you'd also need to get traffic back
redirected to you.

Kind regards
Philipp Kern





2014-07-26 Thread tony mancill
Package: wnpp
Severity: wishlist
Owner: tony mancill tmanc...@debian.org

* Package name: ssh-cron
  Version : 0.91.01
  Upstream Author : 
* URL : 
* License : GPL-2+
  Programming Lang: C++
  Description : cron-like job scheduler that handles ssh key passphrases

 ssh-cron acts like cron, but is provided with ssh passphrases allowing
 its commands to access remote systems without requiring a passphrase
 to be stored in a clear-text file or resorting to ssh keys without
 passphrases.

