Using SSH RSA Keys Securely
I use non-password protected keys for scripted scp/ssh use. It's the only way to do it, IMO. There are a few things I do to keep them safe:
- Keep only one copy of the private key. It only has to reside on the machine the connection is originating from. The target machine only needs the public key.
- Use the option in the authorized_keys file to limit the use of the key. The most basic option is host=.. which restricts the origin host (use an IP if you can, not a host name, as host names can be faked by faking DNS info).
- Even better, use the option to start the script. You can specify a script that will be started if a certain key is used.
- And of course, limit access for the user that is identified by the key. It may be worthwhile to add a special userid for this that has only access to certain files.
Here an example of an authorized_key entry that limits access to one IP address:
from="1.2.3.4" 1024 37 152...(abbreviated)..8541 keyname
Basically: just copy the public key file to authorized_key
as usual, then preceed the line with from="IP-address".
Wildcards are allowed.
Thanks to Johannes Ullrich