{DKIM Fail} Re: sftp fails when run from cron
Darren Tucker
dtucker at dtucker.net
Fri Sep 14 22:07:31 AEST 2018
On 14 September 2018 at 17:01, James Moe <jimoe at sohnen-moe.com> wrote:
> On 09/13/2018 07:54 PM, Darren Tucker wrote:
>
>> I'd guess that the reason it doesn't work is that the key is encrypted
>> and neither the agent nor a tty to ask for the decryption passphrase
>> is available. Try repeating your command line test after unsetting
>> SSH_AUTH_SOCK
>>
> Okay. That reproduced the issue.
> Is there a recommended way to provide the decryption passphrase?
it's possible but tricky by writing a custom SSH_ASKPASS program, but
that doesn't buy you much over having the key unencrypted (ie both the
key and the passphrase needed to decrypt it have to readable by your
user).
Other than that, the options are:
- starting an ssh-agent specifically for you cron job, loading the key
and arranging for you cron job to have SSH_AUTH_SOCK pointing to that
agent's socket. The down side is you'll need human intervention after
a restart.
- use a key without a passphrase and set a key restriction on the
server (from=[ip address], see sshd(8)) to make sure it can only be
used from where it's intended (not perfect, but it's better than
nothing).
- set up HostBasedAuthentication instead (you'll also need to enable
EnableSSHKeysign in ssh_config on the client).
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list