LinuxQuestions.org
Old 10-06-2008, 11:28 PM   #1
bkcreddy17
Member
 
Registered: Feb 2008
Location: India-Hyderabad
Distribution: RHEL and Fedora
Posts: 171

Rep: Reputation: 15
scp without authentication and ssh with authentication?


Hi,
When we generate an RSA key, it works for both ssh and scp without authentication. Is it possible to copy a file or directory from a remote server as a user to the local machine without a password using scp, and at the same time, if we log in using ssh, it should prompt for a password?
 
Old 10-06-2008, 11:43 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You should use a pass phrase to protect your private key. If you use ssh-agent, you only have to enter the pass-phrase once per shell session.
Code:
eval $(ssh-agent)
ssh-add
This will unlock your private key and you can scp or login without a pass phrase.

I don't know how you have the ssh server configured, but if you have both public key authentication and password authentication, I think it will ask for a password before trying public key authentication. You would allow an attacker to use a brute force attack. Stick with public key authentication.

I would also suggest using "AllowUsers", disabling root logins and only allowing Protocol 2.
 
Old 10-07-2008, 12:45 AM   #3
bkcreddy17
Member
 
Registered: Feb 2008
Location: India-Hyderabad
Distribution: RHEL and Fedora
Posts: 171

Original Poster
Rep: Reputation: 15
Thank you. I got it.
 
Old 10-07-2008, 04:54 AM   #4
bkcreddy17
Member
 
Registered: Feb 2008
Location: India-Hyderabad
Distribution: RHEL and Fedora
Posts: 171

Original Poster
Rep: Reputation: 15

I am able to log in and copy for that particular instant. But it is executing when I wrote a script.
Code:
$ cat start.sh
eval $(ssh-agent)
ssh-add
Here I entered the password.

This is a cron job for a user jane.
Code:
$ sudo crontab -l -u jane
30 23 * * * /bin/sh /home/jane/testcopy.sh
This is in testcopy.sh
Code:
$ cat testcopy.sh
scp eric@xx.xx.xx.x1:/testfile1 /home/jane/
scp eric@xx.xx.xx.x2:/testfile2 /home/jane/
When I checked netstat, the connection is establishing. But the files are not getting copied.
 
Old 10-07-2008, 07:51 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,369

Rep: Reputation: 2753
If cron has a problem it usually emails the crontab owner and/or root with a description of the problem.
Use the CLI cmds mail or mailx to check.
Also, add 1, 2 or 3 -v options to the scp cmd for debug output.
 
Old 10-08-2008, 12:15 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
ssh-add needs a pass phrase to be entered. Crontab can be used by a normal user if that user is listed in cron.allow. However, I don't know if cron runs the user's table as that user. Even if it does, the user's environment in the session where "crontab" is run is not the environment used by the cron command. So if you must use cron, then you probably want to use a null pass phrase for your key. Even if you could automate the entry of the passphrase, you would need to have it listed in a file somewhere. So if a cracker can compromise your key, he would be as likely to get your passphrase at the same time.

You might consider using a separate key set for use with cron (the -i option to ssh loads an identity from a nonstandard location). This way you could use one for where you need to use cron but have a better passphrase-protected key for when you manually use ssh.

Last edited by jschiwal; 10-08-2008 at 12:54 AM.
 
Old 10-08-2008, 01:22 AM   #7
bkcreddy17
Member
 
Registered: Feb 2008
Location: India-Hyderabad
Distribution: RHEL and Fedora
Posts: 171

Original Poster
Rep: Reputation: 15
Code:
Even if you could automate the entry of the passphrase.
(the -i option to ssh to load an identity from a nonstandard location)
How do I automate the entry of the pass phrase? Is it this:
Code:
$ ssh -i .ssh/id_rsa mike@192.168.0.44
or
Code:
$ ssh -i rsapass mike@192.168.0.44
where "rsapass" is a file containing the RSA password. I tried both ways but I am not getting it.
 
Old 10-08-2008, 01:33 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I was suggesting using a passphraseless key pair when using cron, and a stronger pair for using ssh manually. This would allow you to use a protected private key when logging into remote hosts that you don't use cp with cron.

For cron backup jobs, the host keys are often used instead and the job runs as root.

The -i option is for using a different public/private key pair. It doesn't load the passphrase. You don't want a passphrase written in a file. That defeats its purpose of protecting the private key.

Last edited by jschiwal; 10-09-2008 at 02:06 AM.
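
The approach suggested in posts #6 and #8 (a separate passphraseless key for cron, selected with -i), combined with the -v debug output from post #5, as an added example that is not code from any poster in this thread. The variable names CRON_KEY and LOG, the key file name id_rsa_cron and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: unattended scp for cron using a dedicated key.
# CRON_KEY, LOG and the key file name are hypothetical.
CRON_KEY="${CRON_KEY:-$HOME/.ssh/id_rsa_cron}"
LOG="${LOG:-$HOME/testcopy.log}"

# cron does not inherit SSH_AUTH_SOCK from the shell where
# `eval $(ssh-agent); ssh-add` was run, so the unlocked key is not visible.
agent_visible() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# A passphraseless key is protected only by file permissions:
# accept it only if group and others have no access at all.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: cron_copy user@host:/remote/file /local/dir
cron_copy() {
    agent_visible || echo "no ssh-agent in this environment, using $CRON_KEY" >>"$LOG"
    if ! key_is_private "$CRON_KEY"; then
        echo "refusing $CRON_KEY: missing or readable by group/others" >>"$LOG"
        return 2
    fi
    # -i             dedicated cron key (separate from the interactive key)
    # BatchMode      fail at once instead of waiting for a password prompt
    # IdentitiesOnly offer only the -i key
    # -v             debug output, captured in the log
    scp -v -i "$CRON_KEY" -o BatchMode=yes -o IdentitiesOnly=yes \
        "$1" "$2" >>"$LOG" 2>&1
}

# On the server, the matching authorized_keys entry can carry options such as
# from="..." and no-pty to limit what a stolen copy of this key can do.

if [ "$#" -eq 2 ]; then
    cron_copy "$1" "$2"
fi
```

With BatchMode set, a job that cannot authenticate exits with an error in the log instead of hanging on a prompt that cron can never answer.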
 