On 02/11/06, Will McDonald <wmcdonald at gmail.com> wrote:
> On 02/11/06, Marc <wia at iglass.net> wrote:
> > hey Will,
>
> Hi Marc, thanks for responding.
>
> > We don't use keychain, but we do use Net::SSH::Perl through apache
> > on CentOS and RHEL.
>
> The reason I'm using Keychain is to provide passwordless
> authentication whilst still having passworded private keys, if you can
> see where I'm coming from.
>
> > Couple questions. Can you become the apache user and manually
> > ssh into cgissh at target with/without a password? If so can you
> > manually run your script outside of apache? No group or other write
> > permission set on any of the directories above your keys? Anything
> > in syslog on the ssh server side concerning why permission was
> > denied?

Update: I've just tried removing the passphrase from the private key
and now Net::SSH::Perl is happily reading it and using it to
authenticate so now I suppose the question is can I use it with a
passworded private key...

[apache at webdev1 .ssh]$ ssh-keygen -f id_dsa -p
Enter old passphrase:
Key has comment 'id_dsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Compare passwordless log excerpt:

[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Trying empty user-authentication request.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Authentication methods that can continue: publickey,keyboard-interactive.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Next method to try is publickey.
[Thu Nov 02 14:48:54 2006] [error] [client 192.168.24.111] webdev1: Trying pubkey authentication with key file '/var/www/.ssh/id_dsa'
[Thu Nov 02 14:49:00 2006] [error] [client 192.168.24.111] webdev1: Login completed, opening dummy shell channel.
[Thu Nov 02 14:49:00 2006] [error] [client 192.168.24.111] webdev1: channel 0: new [client-session]

With passworded:

[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Authentication methods that can continue: publickey,keyboard-interactive.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Next method to try is publickey.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Trying pubkey authentication with key file '/var/www/.ssh/id_dsa'
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Will not query passphrase for '/var/www/.ssh/id_dsa' in batch mode.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] webdev1: Loading private key failed.
[Wed Nov 01 17:12:18 2006] [error] [client 192.168.24.111] Permission denied at ~/cgi-bin/perl-net-ssh-perl-test.pl line 18

I wonder, if I _force_ it out of batch mode, but with a passworded
key... nope, that's obviously being interpreted as "should be run in
interactive mode" and is erroring.

So I guess the question is, how do I get Net::SSH::Perl to source keys
from a running ssh-agent as I don't want to have passwordless private
keys involved if I can avoid it.

Will.
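
Marc's checks and the two log excerpts above, as an added shell example that is not part of the original thread: it tells a passphrase-protected key (the "Will not query passphrase ... in batch mode" case) from an unprotected one, lists group- or other-writable directories above the key, and reports whether an agent socket is visible to the calling process. The function names, the TOP stop directory and the sample files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# key_state FILE -> unreadable | encrypted | plain | unknown
key_state() {
    local key=$1
    [ -r "$key" ] || { echo unreadable; return; }
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key" ||
       grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo encrypted   # traditional PEM header, or PKCS#8
    elif grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$key"; then
        echo unknown     # newer format keeps the cipher name inside the base64 body
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key"; then
        echo plain
    else
        echo unknown
    fi
}

# loose_dirs KEY TOP -> group/other-writable dirs from KEY's dir up to TOP (assumed stop point)
loose_dirs() {
    local d top mode
    d=$(cd "$(dirname "$1")" && pwd -P) || return 1
    top=$(cd "$2" && pwd -P) || return 1
    while :; do
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in ?????w*|????????w*) echo "$d" ;; esac
        if [ "$d" = "$top" ] || [ "$d" = / ]; then break; fi
        d=$(dirname "$d")
    done
}

# agent_visible -> 0 if this process's environment names an existing agent socket
agent_visible() { [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; }

# verdict KEY -> what a client that cannot prompt (batch mode) should expect
verdict() {
    local state; state=$(key_state "$1")
    if [ "$state" = encrypted ] && ! agent_visible; then echo needs-passphrase
    elif [ "$state" = encrypted ]; then echo agent-socket-present  # socket only; key may not be loaded
    elif [ "$state" = plain ]; then echo loadable
    else echo "$state"; fi
}

# make_sample DIR -> constructed layout; files hold PEM headers only, no key material
make_sample() {
    mkdir -p "$1/www/.ssh" && chmod 755 "$1/www" && chmod 700 "$1/www/.ssh"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$1/www/.ssh/id_dsa"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' > "$1/www/.ssh/id_dsa_plain"
}
```

Source the file as the web-server user and run `verdict /var/www/.ssh/id_dsa` and `loose_dirs /var/www/.ssh/id_dsa /var/www`; run it from inside the CGI environment as well, since the agent check reflects only the environment of the process that calls it.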