[lug] Looking for best way to avoid scripting password

[HB]

Chip Atkinson wrote:
> Greetings all,
> 
> I'm trying to figure out the best way to do an rsync based remote backup.
> The final hurdle is how to avoid having my password in the backup script.
> 
> I have sshd configured on the remote host to not allow root logins so I
> set up an ssh tunnel on my local host to go through another port. 
> 
> On the remote host, I start an sshd with a different sshd_config that
> allows root logins.  This sshd listens on a different port that is not
> open on the firewall.
> 
> The only problem is that I need to sudo /usr/sbin/sshd.
> 
> The problem arises when doing the sudo.  I came up with a number of
> solutions but don't know which is best so I thought I'd ask the group.
> 1) Password appears in backup script and is sent to sudo command
> 2) edit /etc/sudoers on remote system to allow the remote user to launch
> sshd
> 3) Put the password on a CD and arrange the external CD player so that the
> CD falls out after the pw is read.
> 4) USB stick, but that's no different than reading a local file really
> 
> I'd like to run nightly backups so #3 is not quite ideal.
> 
> Are there other solutions to my problem that I don't know about or haven't
> thought of?
> 
> Thanks in advance.
> 
> Chip


I've used ssh keys with empty passphrases and then set the 
authorized_hosts file to require the rsync command, restrict host, ssh 
options, etc.

For example ~/.ssh/authorized_keys has this as the line preamble

command="rsync --server --sender -vlDtpr <dir> 
<dir2>",from="trusted_host",no-port-forwarding,no-X11-forwarding,no-pty 
ssh-dss <the ssh key>


the appropriate rsync flags in the command were determined by running

rsync -av -e "ssh -v -v -v" source dest

Hugh