[lug] Looking for best way to avoid scripting password
chip at pupman.com
Thu Apr 2 20:13:00 MDT 2009
Wow, thanks. I'm really glad I asked on the list here.
On Thu, 2 Apr 2009, HB wrote:
> Chip Atkinson wrote:
> > Greetings all,
> > I'm trying to figure out the best way to do an rsync based remote backup.
> > The final hurdle is how to avoid having my password in the backup script.
> > I have sshd configured on the remote host to not allow root logins so I
> > set up an ssh tunnel on my local host to go through another port.
> > On the remote host, I start an sshd with a different sshd_config that
> > allows root logins. This sshd listens on a different port that is not
> > open on the firewall.
> > The only problem is that I need to sudo /usr/sbin/sshd.
> > The problem arises when doing the sudo. I came up with a number of
> > solutions but don't know which is best so I thought I'd ask the group.
> > 1) Password appears in backup script and is sent to sudo command
> > 2) edit /etc/sudoers on remote system to allow the remote user to launch
> > sshd
> > 3) Put the password on a CD and arrange the external CD player so that the
> > CD falls out after the pw is read.
> > 4) USB stick, but that's no different than reading a local file really
> > I'd like to run nightly backups so #3 is not quite ideal.
> > Are there other solutions to my problem that I don't know about or haven't
> > thought of?
> > Thanks in advance.
> > Chip
> I've used ssh keys with empty passphrases and then set the
> authorized_hosts file to require the rsync command, restrict host, ssh
> options, etc.
> For example ~/.ssh/authorized_keys has this as the line preamble
> command="rsync --server --sender -vlDtpr <dir>" ssh-dss <the ssh key>
> The appropriate rsync flags in the command were determined by running
> rsync -av -e "ssh -v -v -v" source dest
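Added example, not part of the original thread: a forced-command wrapper in the spirit of HB's authorized_keys restriction, which checks the rsync request that sshd passes in SSH_ORIGINAL_COMMAND instead of pinning one exact command string. The install path /usr/local/bin/backup-only, the directory /srv/backup-src and the function name allowed_cmd are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for a backup key.
# Assumed entry in the remote ~/.ssh/authorized_keys, all on one line:
#   command="/usr/local/bin/backup-only",no-pty,no-port-forwarding,
#   no-agent-forwarding,no-X11-forwarding ssh-rsa <the ssh key>
LC_ALL=C; export LC_ALL         # keep A-Z style ranges ASCII-only
BACKUP_ROOT="/srv/backup-src"   # hypothetical: only tree this key may read

# allowed_cmd CMD: succeed only for "rsync --server --sender <opts> . <paths>"
# with every path under BACKUP_ROOT and no option that modifies the source.
allowed_cmd() {
    case $1 in
        ''|*[!A-Za-z0-9_./\ =,-]*) return 1 ;;  # empty, or shell metacharacters
    esac
    set -f; set -- $1; set +f                   # split into words, no globbing
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    while [ "$#" -gt 0 ] && [ "$1" != . ]; do   # option words before the "."
        case $1 in
            --remove-source-files|--remove-sent-files) return 1 ;;
            -*) shift ;;
            *) return 1 ;;
        esac
    done
    [ "$#" -ge 2 ] || return 1                  # "." plus at least one path
    shift
    for p in "$@"; do
        case $p in
            *..*) return 1 ;;                   # no climbing out of the tree
            "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# sshd puts what the client asked for in SSH_ORIGINAL_COMMAND; with no request
# (an interactive login attempt) the variable is unset and nothing is run.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND              # validated: plain words only
    fi
    echo "backup-only: request rejected" >&2
    exit 1
fi
```

The rsync distribution also ships an rrsync script written for the same purpose.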