[lug] Looking for best way to avoid scripting password

Chip Atkinson chip at pupman.com
Thu Apr 2 20:02:58 MDT 2009


Hi Alexander.  

Thanks for that idea.  I just looked at
http://www.linux.com/feature/34958
and it looks like a good(ish?) idea is to disable the password for that
account but then set the NOPASSWD option in the sudoers file.

Chip

On Thu, 2 Apr 2009, Alexander Vallens wrote:

> Hi Chip,
>  Maybe I'm barking down the wrong tree, but what if you just used the
> 'NOPASSWD' option in your sudoers file (see `man sudoers`)?
> 
>     username hostname = NOPASSWD: /usr/sbin/sshd
> 
>  Of course, this would mean access to login as this user would need to
> be controlled, but I think a sufficiently secure password for that
> user (say 15+ chars auto-generated with special characters) and
> key-based authentication ONLY on the system should take care of that.
>  
> Alexander
> 
> 
> >>> On 4/2/2009 at 2:27 PM, Chip Atkinson <chip at pupman.com> wrote:
> 
> Greetings all,
> 
> I'm trying to figure out the best way to do an rsync based remote backup.
> The final hurdle is how to avoid having my password in the backup script.
> 
> I have sshd configured on the remote host to not allow root logins so I
> set up an ssh tunnel on my local host to go through another port. 
> 
> On the remote host, I start an sshd with a different sshd_config that
> allows root logins.  This sshd listens on a different port that is not
> open on the firewall.
> 
> The only problem is that I need to sudo /usr/sbin/sshd.
> 
> The problem arises when doing the sudo.  I came up with a number of
> solutions but don't know which is best so I thought I'd ask the group.
> 1) Password appears in backup script and is sent to sudo command
> 2) edit /etc/sudoers on remote system to allow the remote user to launch
> sshd
> 3) Put the password on a CD and arrange the external CD player so that the
> CD falls out after the pw is read.
> 4) USB stick, but that's no different than reading a local file really
> 
> I'd like to run nightly backups so #3 is not quite ideal.
> 
> Are there other solutions to my problem that I don't know about or haven't
> thought of?
> 
> Thanks in advance.
> 
> Chip
> 
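As an added example (not code from the thread or the linked article), here is a POSIX sh script that lints a candidate sudoers NOPASSWD rule for the backup account before it is installed, checking that it is pinned to one absolute command with a fixed argument list rather than a bare binary (which accepts any arguments) or a wildcard, and that shows how the backup script should invoke the rule with `sudo -n` so it fails instead of hanging on a password prompt. The user name `backup` and the config path `/etc/ssh/sshd_config.backup` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Lint a sudoers NOPASSWD rule for the
# backup user, then show the non-interactive invocation a cron script should use.
# "backup" and /etc/ssh/sshd_config.backup are constructed placeholders.

# Candidate rule, pinned to one binary AND a fixed argument list: in sudoers a
# command with no arguments accepts any arguments, so the config path must be spelled out.
RULE='backup ALL=(root) NOPASSWD: /usr/sbin/sshd -f /etc/ssh/sshd_config.backup'

# check_rule RULE -> 0 if the rule is tightly scoped, 1 with a reason on stderr otherwise
check_rule() {
    rule=$1
    case "$rule" in
        *NOPASSWD:*) ;;
        *) echo "not a NOPASSWD rule" >&2; return 1 ;;
    esac
    cmd=${rule#*NOPASSWD:}          # command spec after the tag
    cmd=${cmd# }                    # drop the single separating space
    case "$cmd" in
        ALL|*' ALL'*) echo "grants every command" >&2; return 1 ;;
        /*) ;;
        *) echo "command is not an absolute path" >&2; return 1 ;;
    esac
    case "$cmd" in
        *'*'*|*'?'*) echo "wildcard in command or arguments" >&2; return 1 ;;
    esac
    case "$cmd" in
        *' '*) ;;                    # explicit argument list: sudo matches it exactly
        *) echo "no argument list: any arguments are accepted" >&2; return 1 ;;
    esac
    return 0
}

# run_pinned: what the nightly script calls. -n makes sudo exit non-zero instead
# of prompting, so a missing or mis-scoped rule fails loudly rather than hanging.
run_pinned() {
    sudo -n /usr/sbin/sshd -f /etc/ssh/sshd_config.backup
}

# Usage: lint the rule, then syntax-check it as a sudoers.d drop-in if visudo exists.
if check_rule "$RULE"; then
    tmp=$(mktemp) && printf '%s\n' "$RULE" >"$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" && echo "rule is tightly scoped and parses; install under /etc/sudoers.d/"
    else
        echo "rule is tightly scoped (visudo not found, syntax not checked)"
    fi
    rm -f "$tmp"
fi
```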