Re: Securely scripting a remote machine (was Re: VB or c++ call in script)
- Subject: Re: Securely scripting a remote machine (was Re: VB or c++ call in script)
- From: Sander Tekelenburg <email@hidden>
- Date: Tue, 21 Sep 2004 00:26:08 +0200
At 08:46 -0600 UTC, on 2004/09/20, Johnny AppleScript wrote:
> On 04/09/20 3:27 AM, "Sander Tekelenburg" <email@hidden> wrote:
[...]
[ssh's public key encryption + ssh-agent]
>> do shell script "ssh [username]@[IP];[commands]"
>
> I feel pretty foolish for not having actually read the man fully on ssh, but
> instead listened to a *NIX "expert"
Heh, we AS experts can beat any *nix expert anytime ;)
[...]
> To be fair, however, the above described ease is exactly what I need to
> avoid; I'm going to have to find a middle ground where I still have to use a
> password of some kind on each execution, or at least possess one, due to the
> way our labs and clients have access over the LAN/WAN; I (nor others) do not
> always have the luxury of sitting at the same machine, and I cannot just
> grant blanket, no-password trust to every machine.
I'm not sure I understand the problem. This approach may indeed not be ideal
for you. But do understand that this is not "granting no-passphrase trust" at
all. No way.
The way it works is when you ssh into a remote machine, it looks to see if in
your $HOME/.ssh you have a public key. If so it will respond with a
challenge that only the owner of the secret key can respond to successfully.
So step one of the security is that the local machine must contain the secret
key. But there's more.
In addition, for the local machine to even attempt to respond to the remote
machine's challenge, *the user must provide the passphrase* for the secret
key. Maybe I didn't spell that out very clearly, because I thought your point
was to avoid just that ;) Therefore I quickly moved on to ssh-agent, which
acts as a kind of keychain so you don't need to provide that passphrase
every time.
Again, I don't entirely understand your situation, but it sounds to me like
if you want to 'tunnel' AS script through SSH without dealing with an
interactive ssh prompt, but *with* having to provide a passphrase, then all
you need is to do what I suggested earlier, but omitting the extra step of
using ssh-agent.
Just generate a single keypair with ssh-keygen. Have the private key on every
local machine you need it on (and feel safe to have it on! - the only serious
security issue to consider is where you leave your secret key(s)), and have
the public key on any remote machine(s). (Or you could create (and keep track
of ;)) several keypairs.)
[...]
> For reference, part of what we encounter is teaching people to work on and
> with Mac OS X computers [...] Too often they
> have problems [...] it
> would be really quick and simple to be able to quickly log in without
> leaving my desk and do what I know needs to be done remotely, and sometimes
> AS can be a real help with that, too.
If I understand your situation correctly, the above would work but it would
require you to first upload your public key to ~/.ssh/authorized_keys of the
remote account. When you're done you can toss it again if you want. But no
need, it's just your _public_ key. You can tattoo it on your forehead if you
want.
(Just be aware that ~/.ssh/authorized_keys can contain more than just 1 key.
You may not want to delete the entire file on somebody else's machine. If he
already has that file, you should not simply overwrite it, but add your key
to it (and remove it from it, if you want.) I'm no unix expert ;) but I think
you'd use cat to add, and I-dunno-what to remove from it again :))
--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>
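The add-your-key-then-remove-it-again procedure described in the reply above, worked through as a small POSIX sh example. This is an added example, not code from the original post or from the list: it assumes the public key sits in a one-line file such as `~/.ssh/id_rsa.pub` (the file names and key strings in the usage section are constructed), appends it to `authorized_keys` only if that exact line is not already there, and on removal filters out only that one line so every other key in the file survives. It also sets the `~/.ssh` and `authorized_keys` permissions that sshd expects.

```shell
#!/bin/sh
# Added example (not from the original post): install and later remove one
# public key in an account's ~/.ssh/authorized_keys without touching the
# other entries. Paths are passed in so it can be tested against a temp dir.

# add_authorized_key AUTHORIZED_KEYS_FILE PUBKEY_FILE
# Appends the single-line key from PUBKEY_FILE unless an identical line is
# already present (so re-running it is harmless). Never overwrites the file.
add_authorized_key() {
    ak="$1"; pub="$2"
    key="$(cat "$pub")"
    mkdir -p "$(dirname "$ak")"
    chmod 700 "$(dirname "$ak")"          # sshd refuses group/world-writable ~/.ssh
    touch "$ak"
    chmod 600 "$ak"
    if grep -qxF -- "$key" "$ak"; then
        return 0                          # already installed; nothing to do
    fi
    printf '%s\n' "$key" >> "$ak"
}

# remove_authorized_key AUTHORIZED_KEYS_FILE PUBKEY_FILE
# Removes only the line that exactly matches the key in PUBKEY_FILE.
# grep -v exits 1 when nothing is left to print, which is not an error here.
remove_authorized_key() {
    ak="$1"; pub="$2"
    key="$(cat "$pub")"
    tmp="$ak.tmp.$$"
    grep -vxF -- "$key" "$ak" > "$tmp" || :
    mv "$tmp" "$ak"
    chmod 600 "$ak"
}

# count_authorized_keys AUTHORIZED_KEYS_FILE
# Prints the number of key lines currently in the file.
count_authorized_keys() {
    wc -l < "$1" | tr -d ' '
}

# Usage (constructed sample keys in a temporary directory, not real keys):
#   T="$(mktemp -d)"
#   echo "ssh-rsa AAAAB3NzaC1yc2EAAAA_constructed_key user@laptop" > "$T/me.pub"
#   add_authorized_key "$T/.ssh/authorized_keys" "$T/me.pub"
#   remove_authorized_key "$T/.ssh/authorized_keys" "$T/me.pub"
```

The same two functions can be run on the remote side through the `do shell script "ssh ..."` pattern from earlier in the thread; the point of the exact-line match (`grep -xF`) is that removing your key afterwards cannot accidentally drop somebody else's.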
Applescript-users mailing list (email@hidden)