On 14 September 2018 at 17:01, James Moe <jimoe@xxxxxxxxxxxxxx> wrote:
> On 09/13/2018 07:54 PM, Darren Tucker wrote:
>
>> I'd guess that the reason it doesn't work is that the key is encrypted
>> and neither the agent nor a tty to ask for the decryption passphrase
>> is available. Try repeating your command line test after unsetting
>> SSH_AUTH_SOCK
>>
> Okay. That reproduced the issue.
> Is there a recommended way to provide the decryption passphrase?

It's possible but tricky by writing a custom SSH_ASKPASS program, but
that doesn't buy you much over having the key unencrypted (i.e. both the
key and the passphrase needed to decrypt it have to be readable by your
user).

Other than that, the options are:
- starting an ssh-agent specifically for your cron job, loading the key
  and arranging for your cron job to have SSH_AUTH_SOCK pointing to that
  agent's socket. The downside is you'll need human intervention after
  a restart.
- use a key without a passphrase and set a key restriction on the
  server (from=[ip address], see sshd(8)) to make sure it can only be
  used from where it's intended (not perfect, but it's better than
  nothing).
- set up HostBasedAuthentication instead (you'll also need to enable
  EnableSSHKeysign in ssh_config on the client).

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
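
The dedicated-agent option from the reply above, sketched as a cron-side wrapper; this is an added example, not part of the original message. The env file name, the function names and the cron entry are hypothetical, and the wrapper fails fast with a distinct exit code when the agent has not been reloaded after a restart.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed setup: after each
# reboot an operator runs, once, as the cron user:
#   ssh-agent -s > ~/.ssh/cron-agent.env && . ~/.ssh/cron-agent.env && ssh-add
# The file name cron-agent.env and the function names are hypothetical.
AGENT_ENV="${AGENT_ENV:-${HOME:-}/.ssh/cron-agent.env}"

# Print the socket path recorded by `ssh-agent -s`. The file is parsed,
# not sourced, so nothing else in it is executed by the cron job.
read_agent_sock() {
    [ -f "$1" ] || return 1
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Export SSH_AUTH_SOCK and return 0 only if the agent answers and holds a
# key. Returns 3: no usable env file, 2: agent unreachable, 1: no keys.
agent_ready() {
    sock=$(read_agent_sock "$1") || { echo "missing $1" >&2; return 3; }
    [ -n "$sock" ] || { echo "no SSH_AUTH_SOCK in $1" >&2; return 3; }
    [ -S "$sock" ] || { echo "stale socket $sock; reload the key" >&2; return 2; }
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK ;;
        1) echo "agent has no keys loaded" >&2 ;;
        *) echo "cannot contact agent at $sock" >&2; rc=2 ;;
    esac
    return "$rc"
}

# Cron entry (constructed): 15 2 * * * /usr/local/bin/cron-ssh backup@host 'command'
# BatchMode=yes makes ssh fail at once instead of waiting for a prompt.
if [ "$#" -gt 0 ]; then
    agent_ready "$AGENT_ENV" || exit $?
    exec ssh -o BatchMode=yes "$@"
fi
```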