
Re: Best way to duplicate HDs--talk more about rsync+ssh system



<quote who="Patrick Hsieh">

> OK. My problem is, if I use rsync+ssh with blank passphrase among servers
> to automate rsync+ssh backup procedure without password prompt, then the
> cracker will not need to send any password as well as passphrase when ssh
> login onto another server, right?

No, password and rsa/dsa authentication are different authentication
mechanisms.

> Is there a good way to automate rsync+ssh procedure without
> password/passphrase prompt, while password/passphrase is still required
> when someone attempts to ssh login?

1) Use a minimally-privileged account for the rsync process, disable the
password on this account, so it cannot be used to login.

2) Generate a passphrase-less ssh key with ssh-keygen.

3) Add this to authorized_keys for the above account, specifying the
command that logins with this key are allowed to run. See command="" in
sshd(1).

Thus, no one can actually log in with the account normally, you can only
connect with the rsa/dsa key, and you can only run a particular process.

ssh-agent doesn't really help you in this instance, it's generally used to
provide single passphrase authentication for a user's session. (I use it to
log in to the ~30-40 machines I have my public key on, without typing
passwords every five minutes.)

- Jeff

-- 
             "jwz? no way man, he's my idle" - James Wilkinson              

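The setup from steps 1-3 above, as an added example that is not part of the original message: a wrapper script named in command="" that lets the key run only a read-only rsync server command. The install path /usr/local/bin/rsync-only, the --run flag, the export root /srv/backup/ and the six-word shape of the rsync command are assumptions; the public key is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original message. Hypothetical names: the
# install path /usr/local/bin/rsync-only, the --run flag, ALLOWED_DIR.
#
# Key without passphrase (step 2):  ssh-keygen -t rsa -N "" -f backup_key
# authorized_keys entry for the backup account (step 3), all on one line:
#   command="/usr/local/bin/rsync-only --run",no-pty,no-port-forwarding,
#   no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY> backup

ALLOWED_DIR=/srv/backup/   # assumed export root; must end in /

# Return 0 only for: rsync --server --sender -<flags> . <path in ALLOWED_DIR>
allowed_rsync_command() {
    cmd=$1
    case $cmd in
        *[!A-Za-z0-9\ ._/,=-]*) return 1 ;;  # metacharacters, quotes, newlines
        *..*) return 1 ;;                     # no climbing out of ALLOWED_DIR
    esac
    IFS=' ' read -r prog mode sender flags dot path extra <<EOF
$cmd
EOF
    [ "$prog" = rsync ] && [ "$mode" = --server ] || return 1
    [ "$sender" = --sender ] || return 1      # read-only: never the receiver
    case $flags in -[!-]*) ;; *) return 1 ;; esac   # one bundle of short flags
    [ "$dot" = . ] && [ -z "$extra" ] || return 1
    case $path in "$ALLOWED_DIR"*) return 0 ;; *) return 1 ;; esac
}

forced_command_main() {
    if allowed_rsync_command "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                      # no globbing on the expansion below
        exec $SSH_ORIGINAL_COMMAND  # unquoted on purpose: word split, no eval
    fi
    # Interactive logins arrive with SSH_ORIGINAL_COMMAND unset and end here.
    logger -t rsync-only "rejected: ${SSH_ORIGINAL_COMMAND:-<no command>}" \
        2>/dev/null
    echo "rsync-only: command rejected" >&2
    exit 1
}

# sshd runs the script with --run (see the authorized_keys line above).
if [ "${1:-}" = --run ]; then forced_command_main; fi
```

sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND and runs the command="" program instead, so the wrapper decides what the key can do no matter what the client requests.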

