LinuxQuestions.org
Old 08-17-2008, 07:17 PM   #1
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,328

Rep: Reputation: 54
ssh key pair woes


I'm trying to set up keys so that I can have an automatic backup job without password prompts, but I ran into issues. Now it just asks for the passphrase, so I'm back to square one... Sure, I can enter no passphrase, but that defeats the whole purpose of security: anyone else can just do ssh-keygen with no passphrase and then get on my server.

Also I noticed that when I set up a key pair, that client can connect to that server and only that server. If I try to connect to another server I immediately get:

Received disconnect from [host]: 2: Too many authentication failures for [user]

1: So... how do I make the key thing not stop me from connecting to other servers? It's retarded if it makes it so I can only connect to one server...

2: How do I make it enter the passphrase automatically, but still keep security?


Also, if I want to be able to set this up for more than one server to connect to, how do I go about doing it? Since I can't enter my own key file, it has to be ~/.ssh/id_rsa, so how do I make another pair? Does it just append to those files? Or would I reuse the same public key and put it on the other servers I want to access?
 
Old 08-17-2008, 08:09 PM   #2
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,328

Original Poster
Rep: Reputation: 54
Decided to use expect instead; I've been playing with it and it does what I want. It will just be tedious, as I need to create an expect script AND a backup script for a single job, but what I'm doing is writing a C++ program that will take an argument for a job profile, read the info from a text file, then generate the required bash/expect scripts, execute them, then delete them. I could probably even go a step further and make it support a basic custom encryption for the password.

The public key stuff was making me nervous anyway: too much obscurity and the possibility of a security issue due to something I don't know about.
 
Old 08-17-2008, 08:12 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
The passphrase protects the secret key on the client. Without it the secret key is locked (encrypted). You will need it for all of the servers you connect it to. All of the servers should have the same copy of your public key added to their authorized_keys file.

There is a program called "ssh-agent" that can hold your passphrase. You can run it at the beginning of a session like this:
eval $(ssh-agent)
ssh-add
<passphrase is entered>

Now you can connect to an ssh server without re-entering the passphrase each time. There is also a key ring program. It may work better for hands-off automation.

You might need to run ssh-keygen to delete the passphrase for automation. The security you will lose is in protecting the secret key on your client. Otherwise you may need to re-enter the passphrase whenever the computer reboots, and keeping the passphrase in a file or script wouldn't be any more secure than the secret key itself.

---

Rereading what I wrote, I'm not certain if I made something clear. From the server's point of view, the same thing happens whether you use a passphrase or not. The passphrase is used on the client side only. It is the possession of the secret key that provides the security. The client needs to use the secret key to decrypt a challenge by the server using the public key.

----

I don't know why you need to write a C++ program to perform a backup. That's what cron is for. Also, designing your own encryption scheme may in the end be more vulnerable than using one that cryptographic experts have designed. Remember WEP. WEP stood for Wired Equivalence Protocol but, written by engineers instead of cryptographers, turned out to be very weak.

Last edited by jschiwal; 08-17-2008 at 08:26 PM.
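An added example, not code from the thread: the client-side protection that is lost when the passphrase is removed from an unattended backup key can be offset on the server by restricting what that key may do in authorized_keys, and on the client by pinning the backup host to that one key file (IdentitiesOnly also stops ssh from offering every key the agent holds, one common cause of "Too many authentication failures"). The key path, client address, host names and backup command below are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Hardening for an unattended
# (passphrase-less) backup key: the server restricts what the key may do,
# and the client pins the host to that one key file. Paths, the client
# address and the backup command are assumptions for illustration.

# restricted_authorized_line PUBKEY_LINE CLIENT_IP COMMAND
# Prints an authorized_keys entry that only accepts the key from CLIENT_IP
# and always runs COMMAND, whatever the client asks for, with pty and
# forwarding disabled. These are standard OpenSSH authorized_keys options.
restricted_authorized_line() {
    pubkey=$1; client_ip=$2; cmd=$3
    # Accept only a "keytype base64 [comment]" line, so a stray string
    # cannot be turned into a key entry.
    case $pubkey in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$client_ip" "$cmd" "$pubkey"
}

# client_host_stanza ALIAS HOSTNAME KEYFILE
# Prints an ssh_config Host block that uses only KEYFILE for this host.
# IdentitiesOnly stops ssh from also offering every key the agent holds,
# which is one common cause of "Too many authentication failures".
client_host_stanza() {
    printf 'Host %s\n    HostName %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3"
}

# Demo with a constructed public key (not real key material). A dedicated
# key for the job is made with:  ssh-keygen -N '' -f ~/.ssh/backup_key
# and the output of restricted_authorized_line goes into authorized_keys
# on each backup target (the same public key on every target).
if [ "${1:-}" = "demo" ]; then
    restricted_authorized_line \
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedNotReal backup@client" \
        "192.0.2.10" "/usr/local/bin/backup-receive"
    client_host_stanza backup1 backup1.example.invalid "$HOME/.ssh/backup_key"
fi
```

Run as `sh script.sh demo` to print both fragments; the Host alias is then used as `ssh backup1` from the cron job.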
All times are GMT -5.