Date: Tue, 8 Feb 2000 15:45:43 -0800 (PST)
From: Sean Noonan
To: questions@freebsd.org
Cc: noonans@home.com
Subject: Best Practices question - ssh

Hi List:

The last issue of the Daemon News had an article about using MRTG to graph, amongst other things, CPU usage. The script used Perl to parse the output from the uptime command.

I'm trying to extend that concept to graph CPU usage on another, remote host. I figured the shell script I need to make would be almost identical to the one presented in the Daemon News article, perhaps with some logging-in commands to the remote host. I want to do this securely, so have ruled out rlogin, rshell, etc. and have ruled in ssh.

Here are the questions I have so far:

1. The only way I seem to be able to get ssh authentication to proceed in a shell script (e.g., without prompting for a password or a passphrase) is to have a "passphraseless" account. Isn't this inherently insecure? Isn't there a better way? What is it?

2. The cron job that runs the MRTG scripts every 5 minutes is run as root. Will this present additional problems authenticating without a passphrase? Is it even allowed? As an analogy, I can't ftp to my box as root, but normal user accounts can ftp 'til the cows come home (a "NOROOT" parameter rings a small bell). Is there a better way, say running the cron job as a different user? Or perhaps breaking apart the script into two separate cron jobs, and only have the remote authentication portion run under the new userid?

Both machines are 3.4-STABLE, running OpenSSH from the ports collection...

Thanks as always,

-Sean Noonan