PDA

View Full Version : Trying to use keychain to ssh with cron



philip4567
7th October 2007, 11:19 PM
I'm trying to use keychain to so that I can use ssh with cron.

# ssh-agent $SHELL
# ssh-add

works as you can see below:-


[root@pc100 ~]# ssh-agent $SHELL
[root@pc100 ~]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@pc100 ~]# ssh phil4323@enduringresults.com

uk-server5.phil4323:~$

...but relying on keychain fails:-


[root@pc100 ~]# ssh -v phil4323@enduringresults.com
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to enduringresults.com [193.111.226.107] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'enduringresults.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_rsa':

Any help solving this problem gratefully received.

philip4567
27th October 2007, 11:06 AM
Can anybody give me any clues on this?
...or suggest a good place to ask?

scottro
27th October 2007, 12:39 PM
I've never used ssh-add, so I'm not sure where the error lies.

If I need to ssh into a box without being asked for a password, I do it this way. Say I want to go from host1 to host2 without being asked for a password, and my user name is john, meaning my $HOME directory is /home/john

On host one, I create the key.



ssh-keygen -t dsa


You'll see




Generating public/private dsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_dsa.
Your public key has been saved in /home/scottro/.ssh/id_dsa.pub.
The key fingerprint is:
72:ab:cd:ef:a1:b2:bb:04:7f:3g:9d:d1:85:67:96:32 john@host1.example.com

(The sequence of numbers will be different, but that will be the pattern.

During this, when asked for a passphrase, just hit enter each time, in other words, leave it blank.

Now, on host2, in john's $HOME directory, make sure there's a $HOME/.ssh directory. Copy the host1/john/.ssh/id_dsa_pub to host2/.ssh, calling it authorized_keys
From host1 in your home directory


scp .ssh/id_dsa_pub host2:.ssh/authorized_keys

This should work.

(Log out and try to ssh from host1 to host2, and see if you can do so without a password.)

If you've done this already, then first remove the dsa keys from $HOME/.ssh and remove authorized keys from host2/$HOME/.ssh and try again. Maybe you did some sort of typo. (I'd also remove the previously generated rsa key, ssh2 seems to prefer dsa.)

philip4567
29th March 2008, 01:43 AM
Yes you can use keygen without a password
...but that will mean that anyone who gets hold of your private key can use it.

That's where keychain comes in: you can have the advantage of password-less remote access that only you can use even if someone gets hold of your private key.

I got it working in the end. The keychain documentation is now very good.
You can find it here: http://www.gentoo.org/proj/en/keychain/