PerlMonks  

SSH and passphrase

by thelma1944 (Novice)
on Aug 05, 2004 at 19:27 UTC [id://380359]

thelma1944 has asked for the wisdom of the Perl Monks concerning the following question:

How do you present the passphrase to Net::SSH after you send the username? (The public and private key work when entered from a terminal session.) Many thanks for your efforts in this matter. Yours truly, Thelma Vance, thelma1944@netzero.com

Re: SSH and passphrase
by eclark (Scribe) on Aug 05, 2004 at 19:34 UTC

    Normally you generate a key pair that has no passphrase. A passphrase that's coded into your Perl script is no more secure than having none at all.

Re: SSH and passphrase
by pzbagel (Chaplain) on Aug 05, 2004 at 20:31 UTC

    Personally I use ssh-agent. You basically type in the passphrase once when you start it up and add keys. Then you make sure your script has the ssh-agent-specific environment variables set. You can do this by storing the output of ssh-agent in a file when you first start it up and then referencing it when you run a script. This works flawlessly with cron.

    It's a little bit of a security trade-off because anyone who can become the user who is running ssh-agent (like root) on that host can use your keys to access other machines. But they can't copy your keys to another machine and use them, because they still have a passphrase set on them. Can someone grab a snapshot of the memory space of your ssh-agent process and extract your unencrypted key? Probably, but it's not trivial.

    As with all methods of authentication, there is some ultimate level of trust required.

    Also, I have no idea if ssh-agent works with the all-Perl implementation Net::SSH::Perl, although I faintly remember testing this and succeeding; but it was a long time ago and I've long since lost the code. It should work okay with Net::SSH, as it is a wrapper around the ssh binaries, which will automatically pick up on the existence of the ssh-agent process.
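As an added example (not code from the thread), a POSIX sh wrapper for the cron setup pzbagel describes: it reads the saved ssh-agent output but refuses to source it as shell code, accepting only the two expected variables and only from a file nobody else can write. The file path and the agent socket/pid values are constructed.

```shell
# Added example. Loads the ssh-agent connection details saved with
# `ssh-agent > ~/.ssh-agent` for a cron job, but does NOT source the file:
# only the two expected assignments are accepted, from a non-writable file.

# Export SSH_AUTH_SOCK / SSH_AGENT_PID from an agent file.
# Returns 1 if the file is missing, group/world writable, or malformed.
load_agent_env() {
    file=$1
    [ -f "$file" ] || return 1
    # Refuse a file another user could have edited (group/other write bit).
    case $(ls -ld "$file" | cut -c6,9) in
        "--") ;;
        *) return 1 ;;
    esac
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$file")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$file")
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    # A socket path is a plain path; anything else (e.g. "$(...)") is rejected.
    case $sock in
        *[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# The agent is usable only if its socket exists and the process is alive.
agent_alive() {
    [ -S "$SSH_AUTH_SOCK" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Constructed sample in the format ssh-agent prints for sh (not real output).
write_sample_agent_file() {
    ( umask 077
      printf '%s\n' \
        'SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.4242; export SSH_AUTH_SOCK;' \
        'SSH_AGENT_PID=4243; export SSH_AGENT_PID;' \
        'echo Agent pid 4243;' > "$1" )
}

# Stand-alone demonstration; a real cron job would replace the echo with
# `agent_alive && ssh user@host command`.
demo=${TMPDIR:-/tmp}/agent-demo.$$
write_sample_agent_file "$demo"
if load_agent_env "$demo"; then
    echo "agent socket: $SSH_AUTH_SOCK (pid $SSH_AGENT_PID)"
else
    echo "refusing to use $demo" >&2
fi
rm -f "$demo"
```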

Re: SSH and passphrase
by The Mad Hatter (Priest) on Aug 05, 2004 at 20:24 UTC

    What eclark says is the general solution, but recently I stumbled upon Keychain:

    ... a front-end to ssh-agent, allowing you to easily have one long-running ssh-agent process per system, rather than per login session. This dramatically reduces the number of times you need to enter your passphrase from once per new login session to once every time your local machine is rebooted.

    More details are included at the link above (including security concerns), but it would allow a process (they give the example of cron, but any process should work) to use certain keys without having to know the passphrase.

    You might consider this, as it would appear to be much more secure than a passphrase-less key.

      I never understood the novelty of Keychain. It just seemed like a fancy way of going:

          ssh-agent > .ssh-agent
          . .ssh-agent
          ssh-add

      and then running

          . .ssh-agent

      every time you log in or start a job in cron. I guess Keychain is slightly smarter than that. Only slightly... only slightly... I guess if I were actually using ssh-agent for my own regular logins it could help, but here it is reserved for cron jobs on servers that rarely get logged into, let alone rebooted.

      Cheers

        I agree with you; it's really just a slightly better implementation of that above by making the process easier. I don't actually use it myself, even though I do use ssh-agent for my regular logins. *shrugs*
