The Joyent Community

Hi,

I have tried this, but now I need to enter my passphrase for my key everytime I try an operation. I'm pretty new to this whole ssh/rsync/keygen type thingy, so be gentle!

Thanks.

Sorry Koz ... basic info left out. OSX 10.4

I'll look at keychain

Cheers,

hey, thanks for the hints here everyone. All of this works wonderfully as long as you've done the keygen.

JackSim wrote:

Code:

ssh-keygen -P "" -t dsa

Then just press Enter when asked in what file you want to save the key.

Bad move. Majorly insecure. For a more reasonable point on the easy-to-use to secure scale, use the above referenced SSHKeychain, or, in a more portable manner, Keychain (regardless of your platform, you should read the referenced articles on IBM's developerWorks, especially the second one).

From what I understand, the security concern has to do with someone getting a hold of your private key. If no passphrase was used to encrypt it, then they can access any site (e.g. StrongSpace) which requires that key. If a passphrase was used, then the key is useless without it.

Since all the files I put on StrongSpace reside on the same system where I keep my private key, there's no reason for me to use a passphrase. If someone can grab my private key then they already have access to my files. :)

There's a whole 'nother problem if you start to use password protected keys when executing from a cron job. SSHKeychain doesn't seem to handle that case. Any ideas how that can be solved so that there is a password protected key running from a users crontab?

http://www.jdmz.net/ssh/ seems to solve that problem quite nicely (by restricting what a password less key can do on the remote system) Any chance of having Strongspace implement something similar?

jc

Kyle,

Could you detail that setup for us?

jordan

I'll make the assumption that everyone has rsync working the way they like it and that automating the whole process would be the place to start explaining how I set everything up. I'm also writing this as a sort of mini-tutorial for anyone who hasn't tried something like this before.

First, begin with generating keys using ssh-keygen. I went with an rsa key, but dsa is fine too. Open up terminal and type "ssh-keygen -t rsa -b 1024 -f ~/rsa_strongspace". You'll be prompted to enter a passphrase. This can be different than your normal strongspace password if you like, but remember it because you will need it again a little later on. Anyway, you should get something similar to the following:

.

Now you've got a public and private key pair in your home directory; rsa_strongspace and rsa_strongspace.pub. First, rename "rsa_strongspace.pub" to "authorized_keys". Use the Finder or just run "mv ~/rsa_strongspace.pub ~/authorized_keys" in the terminal. Next, move the authorized_keys file into your strongspace account. Login to your account using a web browser, create a folder called ".ssh", and upload the authorized_keys file into that folder. You want something that ends up like this:

.

You can leave rsa_strongspace in it's current location on your hard drive or move it into a more suitable place. I would recommend running "mv ~/rsa_strongspace ~/.ssh/rsa_strongspace" in the terminal. This will place the key with any other ssh keys you may currently have.

Next up, downloading and installing SSHKeychain. I don't remember if there's any initial configuation during the install, but it shouldn't be too hard if there is. I'll go over the bulk of the configuration in a moment. But first, you should tell your mac to run SSHKeychain at startup; otherwise you'll have to call it yourself everytime you start the OS. In system preferences, under the heading "System", there is an icon labeled "Accounts". Click, select your username, click on the tab "Login Items", and add SSHKeychain to the list.

.

You may want to restart at this point to make sure everything is working properly. If not, continue on.

It's time to configure SSHKeychain. If it's not already started, you should do that now. Click on the program icon which should either be in the status bar or the dock and select preferences. Choose the "SSH Keys" tab and click the "+" button to add the location of the file you created a few minutes ago called "rsa_strongspace". Next, choose the "Security" tab. Use custom security with the following settings:

On Keychain Events: Both
On Screensaver: No action
On System Sleep: No action
Sleep time-out: 0 min
Add all keys to the agent when a client connects: (checked)
Ask for confirmation before allowing access to the agent: (not checked)

NOTE These are the settings that work for me. If you don't agree with my configuration, feel free to make your own choices. However, things may not work properly if you do. I'm also including screenshots of the other preference tabs so the everyone can see the settings that I use. If you have a configuration that increases security or ease of use, please let me know.

.
.
.
.
.
.

That should do it for SSHKeychain. Let's move on to Keychain Access. It can be found under the "Applications > Utilities" folder. The new key you are making should be part of the "login" keychain. This means that when you login to the OS with your username you unlock the keychain, and depending on your preferences, programs may have access to the information the Keychain holds. To make sure you're creating a new password on the "login" keychain, see if "login" is highlighted in the upperleft most window of Keychain Access. Then, choose "File > New Password Item" and use the following information:

Keychain Item Name: SSHKeychain
Account Name: location of the key file ie.) /Users/YOUR-USER-NAME/.ssh/rsa_strongspace
Password: the password you used when creating the key with ssh-keygen

When you're done, double-click on the newly made entry in the main Keychain Access window and verify that all the data found under the "Attributes" tab is correct. Under the "Access Control" tab, select the option that says "Confirm before allowing access". Click on the "+" buttton and add SSHKeychain as an application that can access this entry without confirmation.

.
.

Before getting into scheduling, you might want to make sure that everything works up to this point. Click on SSHKeychain in the status bar and choose Agent > Remove all keys. You'll notice that if the icon usually shows keys and a ring, it is now only showing keys. Open up terminal and make a call to rsync like you normally would. If everything goes as expected, you should not be prompted for a password. Also, notice that the ring has returned to the keys on SSHKeychain's status bar icon. The call to rsync prompted SSHKeychain to add the key in rsa_strongspace to it's list of managed keys and ask Keychain Access for it's passphrase without any user intervention.

The last step in this process is to have the OS call rsync automatically at some user defined interval. This should be possible using a variety of tools, including cron and even iCal. This mini-tutorial uses launchd, Apple's replacement for an assortment of unix programs that typically handle scheduling. Launchd uses xml to spell out the details of how, when and why programs will run. The OS reads this data from a file known as a plist. The plist I have created to run rsync looks like this:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

    <key>Label</key>
    <string>com.lonelycomputer.rsync</string>
    <key>OnDemand</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>rsync</string>
        <string>-azLRK</string>
        <string>--copy-unsafe-links</string>
        <string>--stats</string>
        <string>/Users/kyle/Strongspace/</string>
        <string>kyle@kyle.strongspace.com:/home/kyle/mac_backup/</string>
    </array>
    <key>ServiceDescription</key>
    <string>Rsync with remote machine at startup and every 12 hours.</string>
    <key>StandardErrorPath</key>
    <string>/Users/kyle/Library/Logs/rsync_err</string>
    <key>StandardOutPath</key>
    <string>/Users/kyle/Library/Logs/rsync_out</string>
    <key>StartInterval</key>
    <integer>43200</integer>

</dict>

</plist>

Feel free to modify this file in any way you see fit. For more info on plists, visit apple's developer site.

The best place to start modifying this file is by changing the ProgramArguments array to reflect the call to rsync that you make. Everytime there would normally be a space you should wrap string tags around that text. You cannot use spaces within a string tag as this will cause errors. Also, you might want to modify the StringInterval key. Launchd measures time in seconds only, so you'll have to do the multiplication.

You should save launchd plists in /Users/YOUR-USER-NAME/Library/LaunchAgents/. That folder may not exist in your directory structure; if not, simply create it. You need to name the file something.plist, where something is the same value found in the plist file under the "Label" key. You should use the reverse domain format; in my file I use "com.lonelycomputer.rsync" as my label, so my file is called "com.lonelycomputer.rsync.plist". Again, feel free to change this, just make sure that the names match up. Now, all that's left to do is to tell the OS to load this file. Open up terminal again, and run "launchctl load ~/Library/LaunchAgents/NAME-OF-FILE". For example, I run "launchctl load ~/Library/LaunchAgents/com.lonelycomputer.rsync.plist". You can run "launchctl list" whenever to verify that the plist is loaded.

That's it. Please let me know if you spot any errors in the directions I've provided, if you need some help, or if you know of a better way to perform any of the procedures.

Last edited by kyle.obrien (2005-10-09 01:02:35)

Fixed.

The screenshots I took don't seem to be showing up for some reason. They're over at my site if anyone is interested.

kyle

Last edited by kyle.obrien (2005-10-09 01:06:32)

I seem to have everything working but no matter what I do I still get prompted for a password. (Note: I'm trying to Rsync with TextDrive, not Strongspace).

I figured it out, I had generated and uploaded the keys with the KB article instructions, which are not as clear as the ones here. These work great! Thanks.

(I had mistakenly placed my key in an "authorized_key" directory rather than naming the file with that name.)

Last edited by Luhmann (2005-10-22 22:19:56)

deirdre wrote:

Ahh, good to know. I don't use passwordless keys outside my home network.

Yes, I do have a password set BTW.