[lug] Looking for best way to avoid scripting password

Chip Atkinson chip at pupman.com
Thu Apr 2 20:13:00 MDT 2009


Wow, thanks.  I'm really glad I asked on the list here.

On Thu, 2 Apr 2009, HB wrote:

> Chip Atkinson wrote:
> > Greetings all,
> > 
> > I'm trying to figure out the best way to do an rsync based remote backup.
> > The final hurdle is how to avoid having my password in the backup script.
> > 
> > I have sshd configured on the remote host to not allow root logins so I
> > set up an ssh tunnel on my local host to go through another port. 
> > 
> > On the remote host, I start an sshd with a different sshd_config that
> > allows root logins.  This sshd listens on a different port that is not
> > open on the firewall.
> > 
> > The only problem is that I need to sudo /usr/sbin/sshd.
> > 
> > The problem arises when doing the sudo.  I came up with a number of
> > solutions but don't know which is best so I thought I'd ask the group.
> > 1) Password appears in backup script and is sent to sudo command
> > 2) edit /etc/sudoers on remote system to allow the remote user to launch
> > sshd
> > 3) Put the password on a CD and arrange the external CD player so that the
> > CD falls out after the pw is read.
> > 4) USB stick, but that's no different than reading a local file really
> > 
> > I'd like to run nightly backups so #3 is not quite ideal.
> > 
> > Are there other solutions to my problem that I don't know about or haven't
> > thought of?
> > 
> > Thanks in advance.
> > 
> > Chip
> 
> 
> I've used ssh keys with empty passphrases and then set the 
> authorized_hosts file to require the rsync command, restrict host, ssh 
> options, etc.
> 
> For example ~/.ssh/authorized_keys has this as the line preamble
> 
> command="rsync --server --sender -vlDtpr <dir> 
> <dir2>",from="trusted_host",no-port-forwarding,no-X11-forwarding,no-pty 
> ssh-dss <the ssh key>
> 
> 
> the appropriate rsync flags in the command were determined by running
> 
> rsync -av -e "ssh -v -v -v" source dest
> 
> Hugh
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> 




More information about the LUG mailing list