
Re: passwordless SSH



It is much better to use SSH certificates, not a great deal of extra work, but well worth it. Simplifies management and works well for automation. 

Best,

Frank

On Thu, Jun 3, 2021 at 5:15 PM David Wright <deblis@lionunicorn.co.uk> wrote:
On Sat 29 May 2021 at 18:25:50 (-0400), Bob Weber wrote:

> Now follow the instructions at:
>
> https://linuxize.com/post/how-to-setup-passwordless-ssh-login/
>
> You will need to follow those instructions for each Linux server you
> want to back up.  The .ssh directory will be under the directory listed
> in the passwd file (/var/lib/backuppc).  DO NOT USE A PASSWORD TO
> create the key pair files! They should go into the
> /var/lib/backuppc/.ssh directory (only do this ONCE!).  In step 03.
> the username should be root@ip-address (you will need root access on
> that machine to back up all files from the backuppc user on the
> backuppc server).  In step 04 you should be able to "ssh
> root@ip-address" without a password.

I do this as a matter of course when I set up my machines …

> THESE COMMANDS ARE RUN ON EACH SERVER TO BE BACKED UP.

… (not the backuppc stuff, but just the passwordless login) …

> If you can't "ssh root@ip-address" without a password you may also need the line
>
> "PermitRootLogin yes"
>
> in the /etc/ssh/sshd_config file on each server to be backed up.

I avoid this wrinkle with a trick that's especially simple when it's
done first thing after installation (but it's easy at any time).

On machine A:

  # ssh-copy-id -i ~/.ssh/id_rsa.pub <sysadminuser>@hostB

where the sysadminuser¹ is as yet unconfigured for passwordless
login by ssh. On machine B, as sysadminuser:

  $ /bin/su -
  # mv -i /home/<sysadminuser>/.ssh/authorized_keys /root/.ssh/
  # chown 0:0 /root/.ssh/authorized_keys

If sysadminuser already had some keys in authorized_keys,
then root will need to edit the key from the last line of
/home/<sysadminuser>/.ssh/authorized_keys rather than just
moving the file (and make sure you don't leave behind a
backup in /home/<sysadminuser>/.ssh/authorized_keys~).

Alternatively, you can move sysadminuser's authorized_keys
out of the way while you type the lines shown above, and then
move it back. (Stay logged in to sysadminuser while you do this.)

> If you want to you can follow the instructions at "Disabling SSH
> Password Authentication".  Be very careful to follow the instructions
> closely.  These are not needed to get backuppc running!  You will need
> to be able to sudo into root from an unprivileged user to get root
> access so be VERY careful to follow the instructions.

¹ I'm assuming root and sysadminuser are the same person, and others
  don't (yet) have access to the machine.

Cheers,
David.
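
The end state this procedure aims for (root's authorized_keys owned by root with safe modes, and no copy or backup of the key left in the sysadmin user's .ssh) can be checked with a short script. This is an added example, not part of the thread; the function names and arguments are illustrative, and it assumes GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the thread): audit the end state of the key move.
# Usage: audit_key_move ROOT_SSH_DIR USER_SSH_DIR [EXPECTED_UID]
# Prints one line per finding; returns 0 when clean. Assumes GNU stat.

# Print the base64 key blob of every non-comment line in an authorized_keys file.
key_blobs() {
    awk '!/^[[:space:]]*#/ { for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; break } }' "$1"
}

audit_key_move() {
    root_dir=$1 user_dir=$2 want_uid=${3:-0} findings=0
    root_keys=$root_dir/authorized_keys
    if [ ! -f "$root_keys" ]; then
        echo "MISSING: $root_keys"
        return 1
    fi
    # With StrictModes (the sshd default) a key file with the wrong owner or
    # group/other write permission is refused, so check both.
    set -- $(stat -c '%u %a' "$root_keys")
    if [ "$1" != "$want_uid" ]; then
        echo "OWNER: $root_keys has uid $1, expected $want_uid"
        findings=$((findings + 1))
    fi
    case $2 in
        *[2367]? | *[2367])
            echo "MODE: $root_keys is group- or other-writable ($2)"
            findings=$((findings + 1)) ;;
    esac
    # Editor backups and copies (authorized_keys~, .bak, ...) left with the user.
    for f in "$user_dir"/authorized_keys?*; do
        if [ -e "$f" ]; then
            echo "LEFTOVER: $f"
            findings=$((findings + 1))
        fi
    done
    # A root key still listed for the user means it was copied, not moved.
    if [ -f "$user_dir/authorized_keys" ]; then
        for blob in $(key_blobs "$root_keys"); do
            if key_blobs "$user_dir/authorized_keys" | grep -qxF -- "$blob"; then
                echo "SHARED: a root key is still in $user_dir/authorized_keys"
                findings=$((findings + 1))
            fi
        done
    fi
    [ "$findings" -eq 0 ]
}

if [ "$#" -ge 2 ]; then audit_key_move "$@"; fi
```

Run it as root on machine B, for example with `/root/.ssh` and `/home/<sysadminuser>/.ssh` as the two arguments.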

