[lug] Looking for best way to avoid scripting password

Chip Atkinson chip at pupman.com
Thu Apr 2 20:18:50 MDT 2009

I probably didn't explain it well enough, but I *do* have things set up so
that I can ssh over without requiring a password.  The requirement for the
password is when I have to launch a separate sshd that allows root login.

The reason for root login is so that I can access the entire file system
since I want to back it up.

On point two, I left off that I could set things up to use no password in
the sudoers file but then the problem is that a regular account that could
start its own ssh could be a security hole.

On Thu, 2 Apr 2009, Paul E Condon wrote:

> On 2009-04-02_13:27:40, Chip Atkinson wrote:
> > Greetings all,
> > 
> > I'm trying to figure out the best way to do an rsync based remote backup.
> > The final hurdle is how to avoid having my password in the backup script.
> > 
> > I have sshd configured on the remote host to not allow root logins so I
> > set up an ssh tunnel on my local host to go through another port. 
> > 
> > On the remote host, I start an sshd with a different sshd_config that
> > allows root logins.  This sshd listens on a different port that is not
> > open on the firewall.
> > 
> > The only problem is that I need to sudo /usr/sbin/sshd.
> > 
> > The problem arises when doing the sudo.  I came up with a number of
> > solutions but don't know which is best so I thought I'd ask the group.
> > 1) Password appears in backup script and is sent to sudo command
> > 2) edit /etc/sudoers on remote system to allow the remote user to launch
> > sshd
> > 3) Put the password on a CD and arrange the external CD player so that the
> > CD falls out after the pw is read.
> > 4) USB stick, but that's no different than reading a local file really
> > 
> > I'd like to run nightly backups so #3 is not quite ideal.
> > 
> > Are there other solutions to my problem that I don't know about or haven't
> > thought of?
> > 
> > Thanks in advance.
> > 
> I'm puzzled by this. Isn't passwordless login what public key
> encription is for?  I think I have it working on a couple of my
> computers. I'm sure there are no passwords in my backup scripts. What
> is keeping you from storing the proper public key in the machine into
> which to login?
> -- 
> Paul E Condon           
> pecondon at mesanetworks.net
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

More information about the LUG mailing list