I want to have a script shift some files from one part of a webserver to
another, and it therefore needs to use ssh. I usually login using:
ssh -l <username>
* Kevin Donnelly;
webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out?
Have a look at ssh-agent and ssh-add in the respective man pages. It is better than (and also secure) null passphrases.
-- Togan Muftuoglu
Kevin Donnelly wrote:
I want to have a script shift some files from one part of a webserver to another, and it therefore needs to use ssh. I usually login using: ssh -l <username>
and then give the password. I assume it's not possible to do this in the script, so I tried using ssh-keygen to generate a public/private keypair. I then uploaded $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out? TIA
Kevin
I just attempted what I think you tried manually and it worked fine for me. Are you also unable to do this manually?

I assume needless to say, you saved the new keypair as ~/.ssh/identity on the account you're testing from? (ssh -i ~/.ssh/<insecure-private-key-file> also works.)

Are you ever able to log in without typing the account's password to the target host? (i.e., has ssh-agent ever enabled you to log in there without retyping the password each time you log in?)

Make sure that the permissions on the target's authorized_keys and identity file are 600 or 400, and that the permissions on the target's .ssh are 700. Those should take care of the most paranoid /etc/ssh/sshd_config.

If you can read /etc/ssh/sshd_config on the target machine, it may be helpful.

--Steve Augart
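The permission rules Steve lists are what sshd enforces under StrictModes, and when one of them is wrong the key is ignored silently and ssh falls back to asking for the account password. The prompt text tells the two cases apart: "Enter passphrase for key" means the server accepted the key and the local ssh is unlocking the private key; "user@host's password:" means the key was rejected. The script below is an added example, not code from the thread: it installs a public key into a target account's authorized_keys (once, even if rerun), sets the 700/600 modes, and checks them the way a StrictModes sshd does. The function names and the idea of passing the target home directory explicitly (so it can be tried on a scratch directory) are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): install a public key for
# key-based login and set the permissions sshd checks under StrictModes.
# Run on the target host as the target user, e.g.
#   install_pubkey ~/identity.pub "$HOME" && check_ssh_perms "$HOME"
# The home directory is passed explicitly so the functions can be
# exercised on a scratch directory first.

# Mode check that works with GNU and BSD ls: columns 5-10 of "ls -ld" are
# the group and other permission bits; "------" means no access for either
# (700 for a directory, 600 or 400 for a file).
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_ssh_perms TARGET_HOME
# Returns 0 if ~/.ssh is 700, authorized_keys is 600 or 400, and the home
# directory itself is not group/world writable. sshd with StrictModes
# ignores authorized_keys (and asks for a password instead) when any of
# these is wrong.
check_ssh_perms() {
    home=$1
    ok=0
    private_mode "$home/.ssh" \
        || { echo "$home/.ssh must be 700" >&2; ok=1; }
    private_mode "$home/.ssh/authorized_keys" \
        || { echo "$home/.ssh/authorized_keys must be 600 or 400" >&2; ok=1; }
    # columns 6 and 9 are the group and other write bits
    case $(ls -ld "$home" | cut -c6,9) in
        *w*) echo "$home must not be group/world writable" >&2; ok=1 ;;
    esac
    return $ok
}

# install_pubkey PUBKEY_FILE TARGET_HOME
# Appends the single-line public key to authorized_keys (only if not
# already there), fixes the permissions, then re-checks them.
install_pubkey() {
    pubkey_file=$1
    home=$2
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # identity.pub / id_*.pub is exactly one line of "<type> <key> [comment]";
    # anything else (an empty file, a private key pasted by mistake) is refused.
    key=$(cat "$pubkey_file")
    [ $(wc -l < "$pubkey_file") -le 1 ] && [ -n "$key" ] \
        || { echo "$pubkey_file: expected a one-line public key" >&2; return 1; }
    case $key in
        *" "*) ;;
        *) echo "$pubkey_file: does not look like a public key line" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"
    # -x: whole-line match, -F: the key is a fixed string, not a regexp
    grep -qxF -- "$key" "$authkeys" || printf '%s\n' "$key" >> "$authkeys"
    # sshd also rejects the key when the home directory is group/world writable
    chmod go-w "$home"
    check_ssh_perms "$home"
}
```

The same `private_mode` test applies on the client side to the private key (~/.ssh/identity): ssh refuses to use a private key that other users can read, which is the other file Steve's "identity file" remark covers.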
On Monday 11 March 2002 10:04 pm, Steven Augart wrote:
Kevin Donnelly wrote:
I want to have a script shift some files from one part of a webserver to another, and it therefore needs to use ssh. I usually login using: ssh -l <username>
and then give the password. I assume it's not possible to do this in the script, so I tried using ssh-keygen to generate a public/private keypair. I then uploaded $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the webserver. I was under the impression that this would allow login without asking for the password (from the manpage: "After this, the user can log in without giving the password."). But in fact I am still asked for the passphrase. Is this because the user I am locally is different from the user I am on the webserver? Have I missed something out? TIA
Kevin
I just attempted what I think you tried manually and it worked fine for me. Are you also unable to do this manually?
No, I did this as above, manually, and got asked for the password.
I assume needless to say, you saved the new keypair as ~/.ssh/identity on the account you're testing from? (ssh -i ~/.ssh/<insecure-private-key-file> also works).
Yes.
Are you ever able to log in without typing the account's password to the target host? (i.e., has ssh-agent ever enabled you to log in there without retyping the password each time you log in?)
Yes, I am always asked, but this may be because ssh-agent is not available or not running or not set up on the webserver. I didn't know about ssh-agent before, so Togan and you have given me more to think about! I am reading the man pages at the moment, in between deep gulps of breath!
Make sure that the permissions on the target's authorized_keys and identity file are 600 or 400,and that the permissions on the target's .ssh are 700. Those should take care of the most paranoid /etc/ssh/sshd_config.
This is very useful - thanks. I will try this, and some ssh-agent experiments.
If you can read /etc/ssh/sshd_config on the target machine, it may be helpful.
The site is on a virtual host, and this file isn't available.

In the meantime, I've got the problem that the ssh login keeps kindly presenting me with a shell prompt, so of course the rest of the script doesn't execute. What's the best way of getting the script to ignore it and go on to run a shell command directly? I've tried sending the login to /dev/null, using && for the next command, putting login and command in brackets, separated by semi-colons, and a few other things in David Tansley's Linux and Unix Shell Programming book, but no luck.

Thanks
Kevin
* Kevin Donnelly;
On Monday 11 March 2002 10:04 pm, Steven Augart wrote: Yes, I am always asked, but this may be because ssh-agent is not available or not running or not set up on the webserver. I didn't know about ssh-agent before, so Togan and you have given me more to think about! I am reading the man pages at the moment, in between deep gulps of breath!
If you are using X Windows (i.e. KDE), put this in your ~/.xsession:

    eval `ssh-agent`
    ssh-add

The next time you start your X session, ssh-agent and ssh-add will load your key into RAM and you are all set to go.
-- Togan Muftuoglu
You might take a look at:
http://www-106.ibm.com/developerworks/library/l-keyc.html
about OpenSSH key management. This is part 1 of 3. Interesting stuff.
Greetz,
Gert Caers aka zonderH
----- Original Message -----
From: "Kevin Donnelly"
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
Whoever it was who suggested that you make sure to create a passwordless ~/.ssh/identity was smart to think of that. (I had neglected to mention that part of it :)). But if this script is only going to be launched when you're logged in already (i.e., if you'll be launching it manually) then it will inherit your ssh-agent environment variables, and will have appropriate access. Here's the sequence, cut directly out of /etc/profile.local on the computer I'm using:

    ## if interactive, set up for SSH
    if [[ $- == *i* ]] && [ ! "$SSH_AUTH_SOCK" ] && [ -d "$HOME/.ssh" ] \
       && type ssh-agent > /dev/null 2>&1; then
        # The 'trap' command sets us up to automatically clean up the
        # freshly-started agent when we exit
        eval $(ssh-agent) && trap 'eval $(ssh-agent -k)' EXIT
        echo "Type \`\`ssh-add'' in order to set up your SSH client."
    fi

Kevin Donnelly wrote:
Yes, I am always asked, but this may be because ssh-agent is not available or not running or not set up on the webserver.
I should explain that the web server knows nothing about ssh-agent. Your local ssh client uses the private key as part of communication with the remote server, and the remote server doesn't know whether you just typed in the passphrase for that private key, or whether ssh-agent conveniently kept the private key cached for you, or what. It just reads the bits that your ssh client sends it.
I am reading the man pages at the moment, in between deep gulps of breath!
I find it appalling reading. I only dug into the server config file page after my ssh logins broke after an upgrade. O'Reilly and associates has an entire book just on setting up and using SSH. Looks like a couple of hundred pages; I haven't read it, since I had already gotten my configuration (finally) working without it.
In the meantime, I've got the problem that the ssh login keeps kindly presenting me with a shell prompt, so of course the rest of the script doesn't execute. What's the best way of getting the script to ignore it and go on to run a shell command directly?
The shell prompt will confuse almost any program that expects to read something back from the remote shell. Earlier versions (at least until 7.1, maybe 7.2) of SuSE Linux came with an /etc/profile that automatically set the prompt (PS1) even if you weren't logged in interactively. This is a Bad Thing. Here's the hack to fix it, again out of my /etc/profile.local. You should put this into your .bashrc on the remote host:

    ## Non-interactive shells should not have PS1 and PS2 set indiscriminately!
    if [[ $- != *i* ]]; then
        unset PS1 PS2
    fi
I've tried sending the login to /dev/null, using && for the next command, putting login and command in brackets, separated by semi-colon, and a few other things in David Tansley's Linux and Unix Shell Programming book, but no luck.
You could also use the very useful program ``expect'' to automate the login process. The main disadvantage of doing this in an expect script is that you'll then end up including a cleartext password in the body of the script. Also note that ssh takes a -i option that allows you to use an alternate identity file. So you could have an identity that you use just for the automated script.

Good luck! Write back!
--Steve Augart
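Two things follow from Steve's last two points, and the script below puts them together as an added example (not code from the thread; the user name, host, key path and remote command are assumptions). First, the shell-prompt problem goes away when the command is given on the ssh command line instead of typed after login: sshd runs that one command and exits, and with BatchMode=yes (an ssh_config option) the client fails outright rather than stopping to ask for a password or passphrase, which is what a cron job should do. Second, a dedicated identity for the job can be locked down on the server: the authorized_keys options command=, from=, no-pty and the no-*-forwarding options (documented in the AUTHORIZED KEYS FILE FORMAT section of sshd(8)) make the key usable for nothing but that one command, so a passphrase-less private key sitting on disk is worth much less to whoever copies it. `restricted_authkey_line` and `remote_run` are this example's own helpers.

```shell
#!/bin/sh
# Added example (not code from the thread): run the file-shifting command on
# the web server from a script, non-interactively, with a dedicated key that
# the server only accepts for that one command. Names and paths are assumed.

# restricted_authkey_line PUBKEY_FILE COMMAND [FROM_PATTERN]
# Prints the line to put in the server's authorized_keys. With command="..."
# sshd runs COMMAND no matter what the client asked for (the client's request
# is only exposed to it in SSH_ORIGINAL_COMMAND), so a stolen key cannot open
# a shell; no-pty and the no-*-forwarding options close the other uses a key
# has. from="..." restricts which client hosts may present the key at all.
restricted_authkey_line() {
    key=$(cat "$1")
    cmd=$2
    from=${3-}
    # the command is placed inside double quotes in the authorized_keys line
    case $cmd in
        *\"*) echo "command must not contain double quotes" >&2; return 1 ;;
    esac
    opts="command=\"$cmd\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    if [ -n "$from" ]; then
        opts="from=\"$from\",$opts"
    fi
    printf '%s %s\n' "$opts" "$key"
}

# remote_run IDENTITY USER HOST COMMAND...
# The command goes on the ssh command line, so the server runs it and exits
# instead of handing the script an interactive shell prompt. BatchMode=yes
# stops ssh from ever asking for a password or passphrase: if the key is
# rejected the call fails. The exit status is that of the remote command.
# SSH may be set to a different ssh binary (used by the checks below).
remote_run() {
    identity=$1
    user=$2
    host=$3
    shift 3
    ${SSH:-ssh} -o BatchMode=yes -i "$identity" -l "$user" "$host" "$@"
}

# Example use (assumed names): the key pair ~/.ssh/shift-files was made with
# ssh-keygen and given an empty passphrase because nobody is there to type
# it for cron; its .pub half was installed on the server with the line that
# restricted_authkey_line prints, e.g.
#   restricted_authkey_line ~/.ssh/shift-files.pub /home/www/bin/shift-files 192.0.2.10
# and the job then runs as
#   remote_run ~/.ssh/shift-files www www.example.test /home/www/bin/shift-files
```

The forced command means the script that moves the files lives on the server, not in the ssh argument; the client can only trigger it. Keep the passphrase-less private key at mode 600 on a host you trust, since the restriction limits what the key can do, not who can read it.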
Hi guys... is there any way to make a jail for a user login? I mean... I want to do a "chroot"-like thing for some group of users to allow them to see only some directories... not all... and not allow him to get lower than his home directory...

Thanks in advance.
bye
--ed
* Linux - User;
Hi guys... is there any way to make a jail for a user login ?
I mean.. I want to do a "chroot" like to some group of users to allow them to see only some directories... not all... and not allow him to get lower that his home directory...
Maybe rbash (restricted bash) can solve your needs.
-- Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Can you expand on that...
piet

Togan Muftuoglu wrote:
* Linux - User;
on 12 Mar, 2002 wrote: Hi guys... is there any way to make a jail for a user login ?
I mean.. I want to do a "chroot" like to some group of users to allow them to see only some directories... not all... and not allow him to get lower that his home directory...
Maybe rbash (restricted bash) can solve your needs
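Expanding on the rbash suggestion with an added example that is not from the thread: bash started as `rbash` (or with `-r`) refuses, once the startup files have been read, to `cd`, to set or unset PATH, SHELL, ENV or BASH_ENV, to run any command whose name contains a `/`, or to redirect output. So the only commands such a user can run are the ones in the directory PATH names, and setting up the account comes down to populating that directory and pinning PATH in a startup file the user cannot change. The script does that for one account; the paths and the command list are assumptions, and `setup_rbash_home` / `verify_rbash_home` are this example's own helpers. Run it as root on the server and then make rbash the account's login shell (for example `usermod -s /bin/rbash <user>`; on systems without an rbash binary, a symlink named rbash pointing at bash works, since bash checks the name it was started under).

```shell
#!/bin/sh
# Added example (not from the thread): give an account a restricted bash
# login that can only run a hand-picked set of commands. Paths and the
# command list are assumptions; run as root on the server.

# setup_rbash_home HOME ALLOWED_BIN_DIR CMD...
# Creates HOME/bin holding symlinks to the allowed commands (looked up in
# ALLOWED_BIN_DIR, e.g. /bin) and a .bash_profile that pins PATH to it.
setup_rbash_home() {
    home=$1
    srcbin=$2
    shift 2
    mkdir -p "$home/bin"
    for c in "$@"; do
        case $c in
            */*) echo "$c: give a command name, not a path" >&2; return 1 ;;
        esac
        if [ ! -x "$srcbin/$c" ]; then
            echo "$srcbin/$c: no such executable" >&2
            return 1
        fi
        ln -sf "$srcbin/$c" "$home/bin/$c"
    done
    # Startup files are read before the restrictions take effect, so PATH
    # can be set here; readonly stops even an unrestricted sub-shell from
    # changing it later in the same session.
    cat > "$home/.bash_profile" <<'EOF'
PATH="$HOME/bin"
export PATH
readonly PATH
EOF
    # The user must not be able to edit or replace this file, or they simply
    # set PATH=/bin themselves: the caller makes root the owner of the file
    # and of the home directory, giving the user a writable subdirectory only.
    chmod 644 "$home/.bash_profile"
    verify_rbash_home "$home"
}

# verify_rbash_home HOME
# Returns 0 if .bash_profile pins PATH read-only, none of the other startup
# files bash might read is present (any of them could undo the PATH setting),
# and everything in bin/ resolves to an executable.
verify_rbash_home() {
    home=$1
    ok=0
    if ! grep -qx 'readonly PATH' "$home/.bash_profile" 2>/dev/null; then
        echo "$home/.bash_profile does not pin PATH" >&2
        ok=1
    fi
    for f in .bash_login .profile .bashrc; do
        if [ -e "$home/$f" ]; then
            echo "$home/$f present; bash may read it" >&2
            ok=1
        fi
    done
    for p in "$home"/bin/*; do
        [ -e "$p" ] || continue          # empty bin/: the glob did not expand
        if [ ! -x "$p" ]; then
            echo "$p is not executable" >&2
            ok=1
        fi
    done
    return $ok
}
```

rbash restricts the shell, not the file system, so it is not the chroot the question asks for: the user can still read any world-readable directory with the commands they are given, and any allowed program that can start another program or open a file of its choosing (editors, pagers, anything with a shell escape) leaves the restriction entirely. Choose the command list with that in mind; only a real chroot hides the rest of the tree.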
This depends on whether you are using SSH version 1 or SSH version 2. If you are using version 2, then the file with the key is called $HOME/.ssh/authorized_keys2.
Cheers
Ray Booysen
----- Original Message -----
From: "Kevin Donnelly"
participants (8)
- Christopher Mahmood
- Kevin Donnelly
- Linux - User
- PR
- Ray Booysen
- Steven Augart
- Togan Muftuoglu
- zonderH