sftp authentication failure only as cronjob

Nico Kadel-Garcia nkadel at gmail.com
Mon Nov 19 06:42:13 EST 2012


On Sun, Nov 18, 2012 at 12:05 PM, Lars Schade <lars.schade at berlin.de> wrote:
> Hi all,
>
> my problem with the sftp connection run as cron job is finally solved.
> As in most cases the problem sits in front of the computer.
>
> My script ran fine from the command line in my gnome session because the
> ssh-agent provided the password for the private key in the background.
> When run by the cron daemon the ssh-agent is not started and the prompt
> for the password is for some reason not explicitly visible even in the
> verbose log. So I simply removed the password from the key and now the
> script runs fine even as cron job.

And you now have a non-passphrase protected key that can be stolen and
used. The level of security of this approach is like putting a key to
your front door in your mailbox. If you really trust your environment,
it might be tolerable, but if it's in your $HOME/.ssh/id_dsa, and
it's usable for shell logins. The risks are enhanced by the common use
of unsecured, NFS mounted home directories and poor security of backup
tapes.

> PS: On the other machine things worked fine right away because there the
> keys were not password protected to begin with.

*Ouch*. Look, this is a longstanding security issue with most SSH
clients. You can reduce the risk somewhat by using a non-standard key
location, by making sure it's only on a local disk and not backup
tapes or NFS storage, or by using wrappers like the "keychain" perl
script that stores the SSH_AUTH_SOCK settings in a text file that can
be sourced by other scripts. You can also use the "force-command" in
the published authorized_keys file settings to restrict the permitted
operations.

> Sorry to have bothered you, this was just a bit tricky to diagnose.

And I'm afraid that you've used a common approach that is the first
thing you'll find with a Google search, but has some really
fundamental risks. The fastest approach is probably to use the
"keychain" Perl script to make the keys accessible if and only if
needed.
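The two mitigations the reply points at (a forced command in authorized_keys, and reusing an agent from cron via the environment file keychain writes) look like this in practice. This is an added example, not code from the original mail or from OpenSSH or keychain; the public key, the source address, the account names and the "demo" argument are constructed placeholders, and the forced command used in the demo, internal-sftp, is sshd's built-in SFTP server (substitute the sftp-server path your distribution ships if you prefer the external binary).

```shell
#!/bin/sh
# Added example, not part of the original mail. Two helpers for the
# mitigations the reply describes: a forced-command authorized_keys entry
# for a passphrase-less automation key, and a cron-side check that reuses
# an ssh-agent through the environment file keychain maintains.

# Emit one authorized_keys line that pins KEY to CMD on the server.
# 'restrict' (OpenSSH 7.2+) disables pty allocation, agent/port/X11
# forwarding and ~/.ssh/rc; 'command=' replaces whatever the client asks
# for. An optional FROM pattern limits the permitted source hosts as well.
#   usage: restricted_authorized_key "<pubkey line>" "<command>" ["<from>"]
restricted_authorized_key() {
    key=$1; cmd=$2; from=$3
    opts="restrict,command=\"$cmd\""
    [ -n "$from" ] && opts="$opts,from=\"$from\""
    printf '%s %s\n' "$opts" "$key"
}

# Source the file keychain writes (by default ~/.keychain/$HOSTNAME-sh),
# which exports SSH_AUTH_SOCK, then confirm the socket actually exists.
# Returns 0 when an agent socket is usable, 1 otherwise, so a cron job
# can abort instead of hanging on a passphrase prompt nobody will see.
#   usage: load_agent_env [path-to-keychain-file]
load_agent_env() {
    envfile=${1:-"$HOME/.keychain/$(hostname)-sh"}
    [ -r "$envfile" ] || return 1
    . "$envfile"
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Constructed public key for demonstration only (not a real key).
EXAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY backup@cronhost"

if [ "${1:-}" = "demo" ]; then
    # Server side: the line to append to the upload account's
    # ~/.ssh/authorized_keys (constructed source address 192.0.2.10).
    restricted_authorized_key "$EXAMPLE_PUBKEY" "internal-sftp" "192.0.2.10"
    # Client side (cron): only run the transfer when an agent is reachable.
    if load_agent_env; then
        echo "agent available; would run: sftp -b batchfile upload@example.org"
    else
        echo "no usable ssh-agent; refusing to run sftp from cron" >&2
    fi
fi
```

Run with `sh script.sh demo` to print the authorized_keys line and check for an agent. The point of the second helper is the failure mode from the original thread: when keychain has not been run since boot, or the agent has died, a cron job that calls sftp directly blocks on an invisible passphrase prompt, whereas this wrapper exits with a clear message that shows up in cron's mail.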

