Solved

ssh-keygen / passwordless login for sh/php script

Posted on 2006-04-12
Last Modified: 2008-04-03
I am trying to create a backup script that will send the backup to an external server. I need to be able to do this securely also.

I'm running into a problem with sending the password for scp, and I know there is a way to create a public/private key for the two servers, but from what I've read the keys need to be created without a password. I'm not sure what the security risks are for doing this. Offhand it sounds dangerous.
Question by:Shroder
9 Comments
 
LVL 24

Assisted Solution

by:fridom
fridom earned 500 total points
ID: 16436861
Of course it is more insecure; however, you can restrict the login for the key to specific commands.
See e.g.
http://www.sun.com/bigadmin/features/articles/sec_shell_2.html
or here
http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html

Regards
Friedrich
0
 
LVL 16

Assisted Solution

by:xDamox
xDamox earned 500 total points
ID: 16437296
Hi,

I strongly recommend you read this on how to set up public and private keys

http://tutorials.linux-noob.com/tutorials/pkeyauth.pdf
0
 
LVL 22

Accepted Solution

by:pjedmond
pjedmond earned 500 total points
ID: 16438413
Better still read this one....:

http://www.cvrti.utah.edu/~dustman/no-more-pw-ssh/

It shows you how to do the backups securely....and with a password to protect the keys (using agents). If you're going to do this, then you might as well do it properly.

HTH:)
0

 

Author Comment

by:Shroder
ID: 16438979
Thank you!
I'll take a peek. :)
0
 

Author Comment

by:Shroder
ID: 16440090
I'm not sure what I'm doing wrong. The keys generated fine. Moved them to the remote server. Set the permissions. Primed the agent. Attached the agent. But it still asks me for a password.
0
 
LVL 16

Expert Comment

by:xDamox
ID: 16440471
Whose guide did you follow? Also, did you edit the sshd_config file?
0
 
LVL 4

Assisted Solution

by:Myrandor
Myrandor earned 500 total points
ID: 16440577
Here's a small howto.

From the client, type this command to generate the certificate. Leave all the questions at their defaults.
> ssh-keygen -t dsa

Take the file named dsa.pub from the client and put the content in the file /root/.ssh/authorized_keys2 on the server using this syntax:
from="client_ip", ssh-dss ...
Ensure that the file is 600 to make sure that no one can read it. The line "from=..." will allow the connection only from the provided IP.

Now, from the client, do a "ssh root@server_ip" and accept the authentication. It should only ask once.

You can replace the "root" username by any username you want. Just make sure it has a shell access.

If you have a problem connecting, you can try to put the line "PermitRootLogin without-password" in your /etc/ssh/sshd_config. If it still doesn't work, look at the log in /var/log/messages or /var/log/secure and post the content. It could help find the exact reason.
0
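An added example, not written by any poster in this thread: a small audit of the server-side key file that checks the two hardening points raised above, the owner-only file mode and the per-key `from=` restriction from Myrandor's howto, plus the `command=` restriction fridom mentions. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file.
# Function names are hypothetical.

# Print "ok" when group and others have no access to the file (600 or tighter).
key_file_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)    # group + other permission bits
    if [ "$perms" = "------" ]; then echo ok; else echo too-open; fi
}

# For each key line print: <line-no> <key-type> from=<yes|no> command=<yes|no>
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
        gsub(/\\"/, "")                  # drop escaped quotes inside values
        gsub(/"[^"]*"/, "\"\"")          # empty quoted values (may hold spaces)
        if ($1 ~ /^(ssh-|ecdsa-|sk-)/) { opts = ""; type = $1 }
        else { opts = tolower($1); type = $2 }
        from = (opts ~ /(^|,)from=/)    ? "yes" : "no"
        cmd  = (opts ~ /(^|,)command=/) ? "yes" : "no"
        printf "%d %s from=%s command=%s\n", NR, type, from, cmd
    }' "$1"
}

# Stand-alone use: sh audit.sh /root/.ssh/authorized_keys2
if [ "$#" -gt 0 ]; then
    echo "mode: $(key_file_mode_ok "$1")"
    audit_authorized_keys "$1"
fi
```

A key reported as `from=no command=no` can be used from any host to run any command, which matters most for a key that an unattended backup script uses without a passphrase.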
 

Author Comment

by:Shroder
ID: 16440754
ok. I can try that shortly.

One thing I noticed is the from contains something like from= root@249-250-233-5.dedicated.isp.net should I change this to from= root@249.250.233.5?
0
 
LVL 4

Expert Comment

by:Myrandor
ID: 16441003
Using the hostname or IP should not make any difference since the server will do a lookup for it.
0

Question has a verified solution.