If you are running Nepenthes hosts in a group, you might want to have a central malware database to sync with. To save bandwidth while synchronizing the files you might want to use rsync. If you do not want to hand those files to anyone sniffing your traffic, it is a good idea to encrypt the transfer by tunnelling it over ssh. If you are doing the transfer by hand, entering a password is no great burden. But what about cron scripts? There is a solution to this problem, and it begins with public key authentication.
How does public key authentication work? Assume you want to connect to a server via ssh. First you generate a key pair and give the public key to the server. Afterwards, whenever you attempt to connect, the server sends a challenge which is encrypted with your public key. Only you, holding the private key, are able to decrypt the challenge and complete the authentication.
First, you need to create your key pair. On *nix flavoured systems this is done with ssh-keygen, using the following command:
ssh-keygen -t dsa -b 1024
This command creates a DSA key pair with a key length of 1024 bits.
Your keys will be saved in ~/.ssh/id_dsa (private key) and ~/.ssh/id_dsa.pub (public key).
From the man pages of ssh-keygen:
-t type
    Specifies the type of key to create. The possible values are 'rsa1' for protocol version 1 and 'rsa' or 'dsa' for protocol version 2.
-b bits
    Specifies the number of bits in the key to create. Minimum is 512 bits. Generally, 1024 bits is considered sufficient. The default is 1024 bits.
The public key file ~/.ssh/id_dsa.pub is the file the server needs for our authentication. On the server, each user has a file ~/.ssh/authorized_keys, which can contain several keys, one per line.
Here is a brief example of how I would do the transfer:
scp ~/.ssh/id_dsa.pub server_user@server:~/myhost.pub
ssh server_user@server "cat ~/myhost.pub >> ~/.ssh/authorized_keys"
ssh server_user@server "cat ~/.ssh/authorized_keys"
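The three commands above do the job, but a plain "cat >>" appends the same key again on every re-run and leaves the permissions of ~/.ssh to chance, and sshd refuses keys from a ~/.ssh or authorized_keys that is group- or world-writable. The script below is an added example, not part of the original post: a small install_pubkey function you could run on the server side (for instance from the ssh command in the second line above) that creates ~/.ssh with the expected permissions and appends a key only if it is not already present. The key string it demonstrates with is constructed and not a real key; the function name and the use of a temporary directory are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys the way the post's "cat >> authorized_keys" does,
# but idempotently and with the permissions sshd's StrictModes expects.
# Usage: install_pubkey <home_dir> <pubkey_file>

install_pubkey() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A .pub file holds exactly one public key line.
    key_line=$(head -n 1 "$pubkey_file")
    if [ -z "$key_line" ]; then
        echo "empty or missing public key file: $pubkey_file" >&2
        return 1
    fi

    # sshd ignores authorized_keys when ~/.ssh or the file itself is
    # group- or world-writable, so fix the permissions every time.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only if this exact line is not already present, so re-running
    # the transfer does not pile up duplicate entries.
    if grep -qxF -e "$key_line" "$auth_keys"; then
        echo "key already authorized"
    else
        printf '%s\n' "$key_line" >> "$auth_keys"
        echo "key added"
    fi
}

# Number of lines (keys) currently in the user's authorized_keys.
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Stand-alone demonstration in a throwaway directory, using a constructed,
# non-functional key string in the format a DSA key from ssh-keygen would have.
demo_dir=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE-NOT-A-REAL-KEY== nepenthes@sensor01\n' > "$demo_dir/myhost.pub"
install_pubkey "$demo_dir" "$demo_dir/myhost.pub"
install_pubkey "$demo_dir" "$demo_dir/myhost.pub"   # second run: no duplicate
echo "authorized keys: $(count_authorized_keys "$demo_dir")"
rm -rf "$demo_dir"
```

Running it twice on the same key prints "key added" and then "key already authorized", and the key count stays at one. The grep uses -x and -F so that the comparison is an exact, literal whole-line match rather than a regular expression over the base64 key material.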
So much for the theory; we should now be able to get ssh access to the server without a password. The only thing we are asked for now is the passphrase that protects the private key, if you entered one when generating it. But this is not suitable for cron scripts yet. That is when ssh-agent enters the stage:
ssh-agent is usually started at the beginning of an X session, or from shell startup scripts like ~/.bash_profile. On startup, ssh-agent tells you the PID of the running agent and sets up some environment variables (SSH_AUTH_SOCK and SSH_AGENT_PID). Your private key, if stored in ~/.ssh/id_dsa, will be loaded automatically. If you need to add more keys, add them by typing
ssh-add /path/to/keyfile
ssh-add asks you for the passphrase if your key is encrypted. From now on you should be able to log in without being prompted, because your key is already decrypted and held by the agent.
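The catch for cron is that a cron job does not inherit SSH_AUTH_SOCK and SSH_AGENT_PID from your login session, so ssh cannot find the agent and falls back to prompting, which hangs or fails in an unattended job. The following wrapper is an added example and not from the original post: it assumes that your login script saved the agent's variables with "ssh-agent -s > ~/.ssh/agent.env" (followed by sourcing that file and running ssh-add), re-imports the socket path from that file without executing it, checks that the agent is alive and holds a key, and only then runs rsync over ssh. The file layout, the binaries directory and the function names are my own assumptions; the server_user@server naming follows the post.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-friendly sync wrapper.
# cron does not inherit SSH_AUTH_SOCK/SSH_AGENT_PID from your login session,
# so the agent's variables are saved to a file at login and re-imported here.
# Assumed setup (not from the post): the login script ran
#     ssh-agent -s > "$HOME/.ssh/agent.env"; . "$HOME/.ssh/agent.env"; ssh-add
# and cron invokes this script as:  sh sync-malware.sh run

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"                 # assumed path
MALWARE_DIR="${MALWARE_DIR:-$HOME/nepenthes/var/binaries/}"   # assumed path
SYNC_TARGET="${SYNC_TARGET:-server_user@server:malware/}"      # host naming as in the post

# Pull the socket path out of an "ssh-agent -s" style env file, i.e. a line
#     SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
# Parsing it is preferred over sourcing it: a sourced file is executed as
# shell code, so anyone who can write it could run commands as the cron user.
agent_socket_from_env() {
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Export SSH_AUTH_SOCK from the env file. Returns 0 only if the file names a
# socket that actually exists (the agent may have died since login).
load_agent_env() {
    sock=$(agent_socket_from_env "$1") || return 1
    [ -n "$sock" ] || return 1
    [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock"
    export SSH_AUTH_SOCK
    return 0
}

# The actual transfer: fail loudly instead of hanging on a password prompt.
sync_malware() {
    if ! load_agent_env "$AGENT_ENV"; then
        echo "no usable ssh-agent socket in $AGENT_ENV; is the login session running?" >&2
        return 1
    fi
    # ssh-add -l exits non-zero when the agent holds no identities.
    if ! ssh-add -l >/dev/null 2>&1; then
        echo "ssh-agent is running but has no keys loaded" >&2
        return 1
    fi
    # BatchMode=yes makes ssh fail instead of prompting if the key does not work.
    rsync -az -e "ssh -o BatchMode=yes" "$MALWARE_DIR" "$SYNC_TARGET"
}

# Only perform the transfer when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "run" ]; then
    sync_malware
fi
```

The two checks before rsync are what turn a silently stuck cron job into a one-line error in the mail cron sends you: a missing socket means the agent was never started or has exited, and an empty ssh-add -l means the agent is there but the passphrase was never entered after it restarted.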