
Re: Best way to duplicate HDs--talk more about rsync+ssh system



OK. My problem is, if I use rsync+ssh with blank passphrase among
servers to automate rsync+ssh backup procedure without password prompt,
then the cracker will not need to send any password as well as
passphrase when ssh login onto another server, right?

Is there a good way to automate rsync+ssh procedure without
password/passphrase prompt, while password/passphrase is still required
when someone attempts to ssh login?

> <quote who="Patrick Hsieh">
> 
> > I am sorry I could be kind of off-topic. But I want to know how to
> > cross-site rsync without authentication, say ssh auth.,?
> 
> That's the best way.
> 
> > I've read some doc. using ssh-keygen to generate key pairs, appending the
> > public keys to ~/.ssh/authorized_hosts on another host to prevent ssh
> > authentication prompt. Is it very risky? Chances are a cracker could
> > compromise one machine and ssh login others without any authentication.
> 
> It's not "without authentication" - you're still authenticating, you're
> just using a different means. There's two parts to rsa/dsa authentication
> with ssh; first there's the key, then there's the passphrase.
> 
> If a cracker gets your key, that's tough, but they'll need the passphrase to
> authenticate. If you make a key without a passphrase (generally what you'd
> do for scripted rsyncs, etc) then they *only need the key*. So, you should
> keep the data available with passphrase-less keys either read-only or backed
> up, depending on its importance, etc.
> 
> - Jeff
> 
> -- 
>    "I think we agnostics need a term for a holy war too. I feel all left    
>                             out." - George Lebl                             

-- 
Patrick Hsieh <pahud@pahud.net>

GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
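
One way to address the question above, as an added example that is not part of the original thread: keep the passphrase-less key, but bind it in the server's `~/.ssh/authorized_keys` to a forced command that only lets the server act as a read-only rsync sender, so the key is useless for an interactive login. The wrapper path, `ALLOWED_ROOT`, the address 192.0.2.10 and the key text are assumptions and placeholders.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a passphrase-less backup key.
# Hypothetical install path: /usr/local/bin/rsync-pull-only
# authorized_keys entry on the machine being backed up (a single line in the
# real file, wrapped here; address and key text are placeholders):
#   command="/usr/local/bin/rsync-pull-only",from="192.0.2.10",no-pty,
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... backup
# sshd then ignores what the client asks to run, starts this script instead,
# and passes the client's request in SSH_ORIGINAL_COMMAND.

ALLOWED_ROOT="/srv/backup-src/"   # assumption: the only tree this key may read

# Succeed only for: rsync --server --sender -<short flags> . <path under root>
check_rsync_cmd() {
    cmd=$1
    # Character whitelist: rejects empty input, shell metacharacters and quotes.
    case $cmd in
        ''|*[!A-Za-z0-9\ ._/,=-]*) return 1 ;;
    esac
    set -- $cmd                    # safe to split: no glob characters survive
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    while [ "$#" -gt 2 ]; do       # everything before ". <path>" is an option
        case $1 in
            --*) return 1 ;;       # no long options (e.g. --remove-source-files)
            -?*) shift ;;
            *)   return 1 ;;
        esac
    done
    [ "$1" = . ] || return 1
    case $2 in
        *..*)             return 1 ;;   # no climbing out of the tree
        "$ALLOWED_ROOT"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Runs only when sshd invokes the script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND      # word-split, never re-parsed by a shell
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With this entry an unattended `rsync -a -e ssh` pull from under `ALLOWED_ROOT` still works, while a plain `ssh` login with the same key gets no shell because the script exits without running anything.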


