[lug] Looking for best way to avoid scripting password

HB hbmath at gmail.com
Thu Apr 2 17:11:33 MDT 2009

Chip Atkinson wrote:
> Greetings all,
> I'm trying to figure out the best way to do an rsync based remote backup.
> The final hurdle is how to avoid having my password in the backup script.
> I have sshd configured on the remote host to not allow root logins so I
> set up an ssh tunnel on my local host to go through another port. 
> On the remote host, I start an sshd with a different sshd_config that
> allows root logins.  This sshd listens on a different port that is not
> open on the firewall.
> The only problem is that I need to sudo /usr/sbin/sshd.
> The problem arises when doing the sudo.  I came up with a number of
> solutions but don't know which is best so I thought I'd ask the group.
> 1) Password appears in backup script and is sent to sudo command
> 2) edit /etc/sudoers on remote system to allow the remote user to launch
> sshd
> 3) Put the password on a CD and arrange the external CD player so that the
> CD falls out after the pw is read.
> 4) USB stick, but that's no different than reading a local file really
> I'd like to run nightly backups so #3 is not quite ideal.
> Are there other solutions to my problem that I don't know about or haven't
> thought of?
> Thanks in advance.
> Chip

I've used ssh keys with empty passphrases and then set the 
authorized_hosts file to require the rsync command, restrict host, ssh 
options, etc.

For example ~/.ssh/authorized_keys has this as the line preamble

command="rsync --server --sender -vlDtpr <dir> 
ssh-dss <the ssh key>

the appropriate rsync flags in the command were determined by running

rsync -av -e "ssh -v -v -v" source dest


More information about the LUG mailing list