On Wed, 21 May 2008, David Rosenstrauch wrote:

> I've been using ssh with a cron job to do backups for quite a while
> now. But I'm realizing that the way I've been doing it (i.e.,
> having the cron job ssh in using a key without a passphrase) is
> rather insecure. So I've been looking into ways to make the setup
> more secure by integrating a passphrase into the mix.

If the goal is to allow your cron job to be able to log in, then there is absolutely no point in "integrating a passphrase into the mix". Simply make your keyfile non-readable by non-intended uids.

Think about your threat model: if you fear that somebody can gain root access to your server and read your keyfile, then they can as well get the key and cached passphrase (or something equivalent to it) and thus you do not gain any security.

In other words, if you cannot imagine any reasonable scenario where a keyfile with a cached passphrase prevents an attack, then don't bother to use a passphrase.

-- 
Regards,
ASK
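The permission check recommended in the reply above, as an added shell example that is not part of the original message: it verifies that a cron job's private key is owned by the intended uid and grants nothing to group or other. The function name `check_keyfile` and any path passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: audit that a private key used by a cron job is readable
# only by the intended uid. check_keyfile is a hypothetical helper name.

# check_keyfile PATH [UID]
# Returns 0 if PATH is a regular file owned by UID (default: current uid)
# with no group/other permission bits and no ACL; returns 1 otherwise.
check_keyfile() {
    key=$1
    want_uid=${2:-$(id -u)}
    rc=0

    if [ ! -f "$key" ]; then
        echo "FAIL: $key is not a regular file" >&2
        return 1
    fi

    # ls -ldn prints e.g. "-rw------- 1 1000 1000 ..." with numeric uid/gid.
    set -- $(ls -ldn "$key")
    mode=$1
    owner=$3

    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL: $key owned by uid $owner, expected $want_uid" >&2
        rc=1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    group_other=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "FAIL: $key mode $mode grants group/other access" >&2
        rc=1
    fi

    # A trailing '+' means an ACL is set, which can grant read access
    # that the mode bits do not show.
    case $mode in
        *+) echo "FAIL: $key has an ACL; inspect with getfacl" >&2; rc=1 ;;
    esac

    return $rc
}
```

Run it from the cron wrapper before invoking ssh and abort the backup on a non-zero return, so a permissions regression is caught when it happens.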