[lug] Looking for best way to avoid scripting password

[Alexander Vallens]

Hi Chip,
 
Maybe I'm barking down the wrong tree, but what if you just used the 'NOPASSWD' option in your sudoers file (see `man sudoers`)?
username      hostname = NOPASSWD: /usr/sbin/sshd
 
Of course, this would mean access to login as this user would need to be controlled, but I think a sufficiently secure password for that user (say 15+ chars auto-generated with special characters) and key-based authentication ONLY on the system should take care of that.
 
Alexander


>>> On 4/2/2009 at 2:27 PM, Chip Atkinson <chip at pupman.com> wrote:

Greetings all,

I'm trying to figure out the best way to do an rsync based remote backup.
The final hurdle is how to avoid having my password in the backup script.

I have sshd configured on the remote host to not allow root logins so I
set up an ssh tunnel on my local host to go through another port. 

On the remote host, I start an sshd with a different sshd_config that
allows root logins.  This sshd listens on a different port that is not
open on the firewall.

The only problem is that I need to sudo /usr/sbin/sshd.

The problem arises when doing the sudo.  I came up with a number of
solutions but don't know which is best so I thought I'd ask the group.
1) Password appears in backup script and is sent to sudo command
2) edit /etc/sudoers on remote system to allow the remote user to launch
sshd
3) Put the password on a CD and arrange the external CD player so that the
CD falls out after the pw is read.
4) USB stick, but that's no different than reading a local file really

I'd like to run nightly backups so #3 is not quite ideal.

Are there other solutions to my problem that I don't know about or haven't
thought of?

Thanks in advance.

Chip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20090402/521d6ee5/attachment.html>