[lug] Looking for best way to avoid scripting password

Chip Atkinson chip at pupman.com
Thu Apr 2 14:27:40 MDT 2009


Greetings all,

I'm trying to figure out the best way to do an rsync based remote backup.
The final hurdle is how to avoid having my password in the backup script.

I have sshd configured on the remote host to not allow root logins so I
set up an ssh tunnel on my local host to go through another port. 

On the remote host, I start an sshd with a different sshd_config that
allows root logins.  This sshd listens on a different port that is not
open on the firewall.

The only problem is that I need to sudo /usr/sbin/sshd.

The problem arises when doing the sudo.  I came up with a number of
solutions but don't know which is best so I thought I'd ask the group.

1) Password appears in backup script and is sent to sudo command
2) Edit /etc/sudoers on remote system to allow the remote user to launch
sshd
3) Put the password on a CD and arrange the external CD player so that the
CD falls out after the pw is read.
4) USB stick, but that's no different than reading a local file really

I'd like to run nightly backups so #3 is not quite ideal.

Are there other solutions to my problem that I don't know about or haven't
thought of?

Thanks in advance.

Chip
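
Option 2 from the list above, as an added example that is not part of the original post: a sudoers drop-in that lets one account start only the alternate sshd without a password, shown beside the broad rule it should not be. The account name `backupuser`, the drop-in file name and the config path `/etc/ssh/sshd_config_backup` are assumptions, not values from the post.

```sudoers
# /etc/sudoers.d/backup-sshd  (file name is an assumption; install with mode 0440)
# Check syntax before relying on it:  visudo -cf /etc/sudoers.d/backup-sshd

# Too broad: passwordless root for every command, so a stolen SSH key
# for this account is equivalent to a stolen root password.
# backupuser ALL=(ALL) NOPASSWD: ALL

# Narrow: one command, run as root, with its arguments spelled out.
# When arguments are listed in sudoers, sudo permits the command only
# with exactly those arguments, so the caller cannot point -f at a
# different config file or append other options.
# "backupuser" and the config path are hypothetical placeholders.
Cmnd_Alias BACKUP_SSHD = /usr/sbin/sshd -f /etc/ssh/sshd_config_backup
backupuser ALL=(root) NOPASSWD: BACKUP_SSHD

# The backup script then calls, with no password stored anywhere:
#   sudo -n /usr/sbin/sshd -f /etc/ssh/sshd_config_backup
# (-n makes sudo fail instead of prompting if the rule does not match)
```

The rule is only as tight as the file it names: the alternate sshd config must be owned by root and not writable by the backup account, or the account can change what the permitted command does.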



