6.10. Authenticating in cron Jobs

Problem

You want to invoke unattended remote commands, i.e., as cron or batch jobs, and do it securely without any prompting for passwords.

Solution

Use a plaintext key and a forced command.

  1. Create a plaintext key:

    $ cd ~/.ssh
    $ ssh-keygen -t dsa -f batchkey -N ""

    The empty -N "" sets an empty passphrase. Note that OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current system generate an Ed25519 key instead (ssh-keygen -t ed25519 -f batchkey -N ""); the key type at the start of the authorized_keys entry is then ssh-ed25519 rather than ssh-dss.
  2. Install the public key (batchkey.pub) on the server machine. [Recipe 6.4]

  3. Associate a forced command with the public key on the server machine, to limit its capabilities:

    ~/.ssh/authorized_keys:
    command="/usr/local/bin/my_restricted_command" ssh-dss AAAAB3NzaC1kc3MAA ...

    Disable other capabilities for this key as well, such as port forwarding, agent forwarding, X11 forwarding and pseudo-ttys, and if feasible, restrict use of the key to a particular source address or set of addresses with a from= option. (All of this is a single line in authorized_keys.) OpenSSH 7.2 and later also accept the single option restrict, which turns off all forwarding, pty allocation and ~/.ssh/rc at once. Whatever command the client asked to run is not executed; sshd runs the forced command instead and passes the client's request in the environment variable SSH_ORIGINAL_COMMAND. A forced command that blindly executes that variable gives the key back a full shell, so the command should inspect it and refuse anything it does not expect.

    ~/.ssh/authorized_keys:
    no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="myclient.example.com",command="/usr/local/bin/my_restricted_command" ssh-dss AAAAB3NzaC1kc3MAA ...
  4. Use the plaintext key in batch scripts on the client machine:

    $ ssh -i ~/.ssh/batchkey -o BatchMode=yes remotehost ...

    BatchMode=yes makes ssh fail immediately instead of stalling the cron job on a password or passphrase prompt if the key is ever rejected.

Alternatively, use hostbased authentication [Recipe 6.8] instead of public-key authentication.
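The following is an added example, not code from the book: the server-side forced command that the authorized_keys entry above points at, together with a small helper that builds that entry from a public key. The installation path /usr/local/bin/my_restricted_command is the book's; the two allowed sub-commands (backup-status, rotate-logs), the programs they map to and the client host name are assumptions made for illustration. The point it shows is that sshd puts the client's request in SSH_ORIGINAL_COMMAND and the wrapper, not the client, decides what runs: an exact-match allow list, everything else refused and logged, and the request string never handed to a shell.

```bash
#!/bin/sh
# Added example (not from the book). Install as /usr/local/bin/my_restricted_command
# on the server and reference it from the command= option of the batch key.
# The sub-command names, target programs and client host below are hypothetical.

# Map an allowed request to the command line that is really executed.
# Exact string match only: the client cannot add arguments, globs or
# shell metacharacters, because the request is never evaluated by a shell.
check_request() {
    case "$1" in
        backup-status) printf '%s\n' "/usr/local/sbin/backup_status" ;;          # hypothetical
        rotate-logs)   printf '%s\n' "/usr/sbin/logrotate /etc/logrotate.conf" ;; # hypothetical
        *)             return 1 ;;
    esac
}

# What sshd runs. sshd sets SSH_ORIGINAL_COMMAND to whatever the client asked
# for (unset when the client asked for an interactive shell). Returns instead
# of exiting on refusal so the logic can be exercised without sshd.
run_forced_command() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if [ -z "$req" ]; then
        printf 'interactive sessions are not permitted for this key\n' >&2
        return 2
    fi
    cmd=$(check_request "$req") || {
        logger -t my_restricted_command \
            "rejected request from ${SSH_CLIENT:-unknown}: $req" 2>/dev/null || true
        printf 'command not permitted\n' >&2
        return 3
    }
    # $cmd is one of our own fixed strings above, so word-splitting it is safe.
    exec $cmd
}

# Build the restricted authorized_keys line for a public key (the contents of
# batchkey.pub) and the one client host allowed to use it. On OpenSSH 7.2 and
# later the single option "restrict" can replace the four no-* options.
authorized_keys_entry() {
    pubkey=$1
    client=$2
    printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="%s",command="/usr/local/bin/my_restricted_command" %s\n' \
        "$client" "$pubkey"
}

# Act as the forced command only when installed under the expected name; when
# the file is sourced or run under another name, define the functions and stop.
case "${0##*/}" in
    my_restricted_command) run_forced_command; exit $? ;;
esac
```

To install the key on the server, append the generated line to the file, for example authorized_keys_entry "$(cat batchkey.pub)" myclient.example.com >> ~/.ssh/authorized_keys, then from the client run ssh -i ~/.ssh/batchkey -o BatchMode=yes remotehost backup-status. Asking for any other command, or for a plain login, fails with a non-zero exit status and a line in syslog, which is the behaviour a cron job should see rather than a stuck session.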

Discussion

A plaintext key is a cryptographic key with no passphrase. Usually it’s not appropriate to omit the passphrase, since a thief who steals the key could immediately use it to impersonate you. But for batch jobs, plaintext keys are a reasonable approach, especially if the key’s scope can ...
