rsync over ssh and passwords

Vernon A. Fort vfort at jobsoft.com
Wed Feb 13 15:50:53 EST 2002


Frank,
  Are you asking about password or passphrase?  If password then yes, you want to avoid this.  If passphrase, I think it's better to have a key-gen without a passphrase (for automated scripts), otherwise you will need to 'pass' the passphrase to the ssh-agent to establish a connection.  There are ways to limit security risks with non-passphrase ssh keys:

	1.  Only allow passphrase authentication to the receiving server.  This means you have a public/private key pair (public on the receiving end).
	2.  With a combination of tcpwrappers and iptables.
	3.  Re-create the key-pair every other month.

  As I understand it, a hacker would need to get the private key from the source host in order to connect if item 1 is true.  If you pass the passphrase to the ssh-agent during the script, then a plaintext passphrase must exist in a file on the system, so if a hacker does compromise the server, they have access to the remote host either way.

  I have several scripts running on a remote server doing this very thing with passphrase-less keys.  The server they connect to only allows passphrase authentication, so in order to connect, you must have a public key on the server.  It works very well for me, never any security breaches....


Vernon Fort

-----Original Message-----
From: Frank Perugini [mailto:frankp at web-worx.com]
Sent: Tuesday, February 12, 2002 6:42 PM
To: rsync at lists.samba.org
Subject: rsync over ssh and passwords


Hello everyone,

I am trying to write a wrapper around rsync to do some automated file
sync-ing between two servers. I am using ssh as the transport. How can I
avoid the password prompt for ssh?

I think I can configure ssh to not require passwords, but this would expose
the obvious security risk. What are other users doing to get by this? Are
there some tricks I can do in scripting that would allow me to keep the
password in place and pass it to ssh to force it to continue?

I want to keep this transfer as secure as possible.

I'm sure this is a common thing to do. I just can't figure it out.

Thanks,

-Frank
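
Added example (not part of either message above): a small audit for two of the controls listed in the reply, key-pair-only login on the receiving server (item 1) and regular re-creation of the key pair (item 3). The function names, the file paths in the usage line and the 60-day window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The paths in the usage line and the
# 60-day window (for "every other month") are assumptions.

# Print the global value of an sshd_config keyword. sshd keeps the first
# value it reads, keywords are case-insensitive, and a Match line ends the
# global section. "Keyword=value" lines are not handled here.
sshd_global_value() {   # $1 = config file, $2 = keyword, $3 = default
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Item 1: succeed only if keys are accepted and passwords are refused.
# Both keywords default to "yes" in OpenSSH when unset.
# Keyboard-interactive authentication is not checked here.
sshd_keys_only() {
    [ "$(sshd_global_value "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(sshd_global_value "$1" PubkeyAuthentication yes)" = "yes" ]
}

# Item 3: succeed if the key file was last modified more than $2 days ago,
# meaning the key pair is due to be re-created.
key_rotation_due() {
    [ -n "$(find "$1" -prune -mtime +"$2" 2>/dev/null)" ]
}

# Usage: sh audit.sh /etc/ssh/sshd_config "$HOME/.ssh/id_rsync"
if [ "$#" -eq 2 ]; then
    if sshd_keys_only "$1"; then echo "sshd: key pairs only"
    else echo "sshd: passwords still accepted"; fi
    if key_rotation_due "$2" 60; then echo "key: rotation due"
    else echo "key: newer than 60 days"; fi
fi
```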
