Tip: secure SSH tunneling for cron jobs

UNIX: a quick recap of a good tip combo picked up from ILUG recently. To paraphrase Conor Wynne’s original question:

What’s the best way to set up a secure connection between two hosts, possibly over the internet, using SSH, suitable for use from cron so that it can run via crontab without entering authentication manually?

Barry O’Donovan replied:

I suggested ssh keys without passphrases … in
http://www.barryodonovan.com/publications/lg/104/ and it includes instructions. … You can invoke rsync over ssh and specify a specific key with:

rsync -a -e ‘ssh -i /home/username/.ssh/id_rsa-serverbackup’

Colm MacCárthaigh followed up with:

You can restrict what commands an ssh account can run in the ssh public key. This is how some of our more important projects (like Debian, FreshRPMS, and a few more) push us updates. The key looks like (jm: all on one line, no space between ‘no-pty,’ and ‘command’):

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty, command=”/home/ximian/rsync-ximian-nolog &”
ssh-dss keydata username@blah

So, create a passwordless public key like so, and just change the command to whatver rsync runs.

Combined, that’s a useful tip — I knew about the ssh command restriction technique, but being able to use a specific single-purpose key from the ssh client is very useful.

(updated: mbp mailed to note some missing quotes in Barry’s command above; they’d been eaten by WebMake. drat.)

This entry was posted in Uncategorized and tagged , , , , , , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.