Re: passwordless SSH

To: debian-user@lists.debian.org
Subject: Re: passwordless SSH
From: David Wright <deblis@lionunicorn.co.uk>
Date: Thu, 3 Jun 2021 16:15:10 -0500
Message-id: <[🔎] 20210603211510.GB27592@axis.corp>
Reply-to: debian-user@lists.debian.org
In-reply-to: <d4b90783-4a8c-761f-d719-a710243b1773@gmail.com>
References: <c37cc14f-bd7e-30df-49f1-ffbe3f3039eb@gmail.com> <d4b90783-4a8c-761f-d719-a710243b1773@gmail.com>

On Sat 29 May 2021 at 18:25:50 (-0400), Bob Weber wrote:

> Now follow the instructions at:
> 
> https://linuxize.com/post/how-to-setup-passwordless-ssh-login/
> 
> You will need to follow those instructions for each linux server you
> want to backup.  The .ssh directory will be under the directory listed
> in the passwd file (/var/lib/backuppc).? DO NOT USE A PASSWORD TO
> create the key pair files! They should go into the
> /var/lib/backuppc/.ssh directory (only do this ONCE!).  In step 03.
> the username should be root@ip-address (you will need root access on
> that machine to backup all files from the backuppc user on the
> backuppc server).  In step 04 you should be able to "ssh
> root@ip-address" without a password.

I do this as a matter of course when I set up my machines …

> THESE COMMANDS ARE RUN ON EACH SERVER TO BE BACKED UP.

… (not the backuppc stuff, but just the passwordless login) …

> If yyou can't "ssh root@ip-address" without a password you may also need the line
> 
> "PermitRootLogin yes"
> 
> in the /etc/ssh/sshd_config file on each server to be backed up.

I avoid this wrinkle with a trick that's especially simple when it's
done first thing after installation (but it's easy at any time).

On machine A:

  # ssh-copy-id -i ~/.ssh/id_rsa.pub <sysadminuser>@hostB

where the sysadminuser¹ is as yet unconfigured for passwordless
login by ssh. On machine B, as sysadminuser:

  $ /bin/su -
  # mv -i /home/<sysadminuser>/.ssh/authorized_keys /root/.ssh/
  # chown 0.0 /root/.ssh/authorized_keys

If sysadminuser already had some keys in authorized_keys,
then root will need to edit the key from the last line of
/home/<sysadminuser>/.ssh/authorized_keys rather than just
moving the file (and make sure you don't leave behind a
backup in /home/<sysadminuser>/.ssh/authorized_keys~).

Alternatively, you can move sysadminuser's authorized_keys
out of the way while you type the lines shown above, and then
move it back. (Stay logged in to sysadminuser while you do this.)

> If you want to you can follow the instructions at "Disabling SSH
> Password Authentication".  Be very careful to follow the instructions
> closely.  These are not needed to get backuppc running!  You will need
> to be able to sudo into root from an unprivileged user to get root
> access so be VERY careful to follow the instructions.

¹ I'm assuming root and sysadminuser are the same person, and others
  don't (yet) have access to the machine.

Cheers,
David.

Reply to:

Follow-Ups:
- Re: passwordless SSH
  - From: Frank Pikelner <frank.pikelner@gmail.com>

Prev by Date: Re: Unexplained freezes and crashes, nothing in /var/log/messages
Next by Date: Re: passwordless SSH
Previous by thread: Re: rtlwifi/rtl8723befw_36.bin , rtlwifi/rtl8723befw.bin
Next by thread: Re: passwordless SSH
Index(es):
- Date
- Thread