[lug] Looking for best way to avoid scripting password

Dallas Masters dallas.masters at gmail.com
Thu Apr 2 18:04:08 MDT 2009


I'd suggest using ssh keys WITH passphrases and then using keychain to keep 
from typing in the passphrase.  This works well even for regular ssh, scp, 
etc.

Dallas

On 2009-04-02, HB wrote:
> Chip Atkinson wrote:
> > Greetings all,
> >
> > I'm trying to figure out the best way to do an rsync based remote backup.
> > The final hurdle is how to avoid having my password in the backup script.
> >
> > I have sshd configured on the remote host to not allow root logins so I
> > set up an ssh tunnel on my local host to go through another port.
> >
> > On the remote host, I start an sshd with a different sshd_config that
> > allows root logins.  This sshd listens on a different port that is not
> > open on the firewall.
> >
> > The only problem is that I need to sudo /usr/sbin/sshd.
> >
> > The problem arises when doing the sudo.  I came up with a number of
> > solutions but don't know which is best so I thought I'd ask the group.
> > 1) Password appears in backup script and is sent to sudo command
> > 2) edit /etc/sudoers on remote system to allow the remote user to launch
> > sshd
> > 3) Put the password on a CD and arrange the external CD player so that
> > the CD falls out after the pw is read.
> > 4) USB stick, but that's no different than reading a local file really
> >
> > I'd like to run nightly backups so #3 is not quite ideal.
> >
> > Are there other solutions to my problem that I don't know about or
> > haven't thought of?
> >
> > Thanks in advance.
> >
> > Chip
>
> I've used ssh keys with empty passphrases and then set the
> authorized_hosts file to require the rsync command, restrict host, ssh
> options, etc.
>
> For example ~/.ssh/authorized_keys has this as the line preamble
>
> command="rsync --server --sender -vlDtpr <dir> <dir2>",from="trusted_host",no-port-forwarding,no-X11-forwarding,no-pty ssh-dss <the ssh key>
>
>
> the appropriate rsync flags in the command were determined by running
>
> rsync -av -e "ssh -v -v -v" source dest
>
> Hugh
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug



-- 
Dallas Masters
PO BOX 732
Nederland, CO
1-303-258-7037
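As an added example (not code from this thread or from either poster), a small Python audit that parses OpenSSH authorized_keys entries and reports which of the restrictions Hugh describes (forced command, from=, no-port-forwarding, no-X11-forwarding, no-pty) a backup key is missing. The sample entries and key blobs are constructed placeholders; the `restrict` option is assumed available (OpenSSH 7.2 and later), where it already implies the three no-* options.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
WANTED = ("no-port-forwarding", "no-X11-forwarding", "no-pty")  # as in the thread's example
# The option prefix ends at the first unquoted whitespace; each option is separated by an
# unquoted comma, so command="rsync ... a b" is one option even though it contains spaces.
PREFIX_RE = re.compile(r'((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.*)')
OPTION_RE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')

def parse_entry(line):
    """Return (options, key_type, key_blob, comment) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):            # bare key, no option prefix
        option_text, rest = "", line
    else:
        m = PREFIX_RE.match(line)
        if not m:
            raise ValueError("malformed authorized_keys line")
        option_text, rest = m.group(1), m.group(2)
    options = {}
    for opt in OPTION_RE.findall(option_text):
        name, _, value = opt.partition("=")
        # Option names are case-insensitive; flag-style options get the value True.
        options[name.lower()] = value.strip('"') if value else True
    parts = rest.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def audit_entry(line):
    """List the restrictions a backup-only key is missing (empty list = fully restricted)."""
    options = parse_entry(line)[0]
    missing = [o for o in ("command", "from") if not options.get(o)]
    if "restrict" not in options:  # OpenSSH 7.2+ 'restrict' already implies WANTED
        missing += [w for w in WANTED if w.lower() not in options]
    return missing

# Constructed samples (not from the thread); the key blobs are placeholders, not real keys.
RESTRICTED = ('command="rsync --server --sender -vlDtpr /srv/backup /srv/backup2",'
              'from="trusted_host",no-port-forwarding,no-X11-forwarding,no-pty '
              'ssh-ed25519 AAAAPLACEHOLDERKEYBLOB backup@host')
UNRESTRICTED = "ssh-ed25519 AAAAPLACEHOLDERKEYBLOB backup@host"

if __name__ == "__main__":
    for entry in (RESTRICTED, UNRESTRICTED):
        print(audit_entry(entry) or "ok")
```

Run it over the whole file (one call per line, skipping blanks and `#` comments) to find passphrase-less keys that still grant an unrestricted shell.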