Personally I use ssh-agent. You basically type in the passphrase once when you start it up and add keys. Then you make sure your script has the ssh-agent specific environment variables set. You can do this by storing the output of ssh-agent when you first start it up in a file and then reference it when you run a script. This works flawlessly with cron.
It's a little bit of a security trade-off because anyone who can become the user who is running ssh-agent (like root) on that host can use your keys to access other machines. But, they can't copy your keys to another machine and use them because they still have a passphrase set on them. Can someone grab a snapshot of the memory space of your ssh-agent process and extract your unencrypted key? Probably, but it's not trivial.
As with all methods of authentication, there is some ultimate level of trust required.
Also, I have no idea if ssh-agent works with the all-perl implementation Net::SSH::Perl. Although I faintly remember testing this and succeeding, but it was a long time ago and I've long since lost the code. Should work okay with Net::SSH as it is a wrapper around the ssh binaries who will automatically pick up on the existence of the ssh-agent process.
|