rsync over ssh and passwords
Vernon A. Fort
vfort at jobsoft.com
Wed Feb 13 15:50:53 EST 2002
Are you asking about password or passphrase. If password then yes, you want to avoid this. If passphrase, I think its better to have a key-gen without a passphrase (for automated scripts) otherwise if you will need to 'pass' the passphrase to the ssh-agent to established a connection. There are ways to limit security risks with non-passphrase ssh keys:
1. Only allow passphrase authentication to the receiving server. This means you have a public/private key pair (public on the receiving end).
2. With a combination of tcpwappers and iptables.
3. Re-create the key-pair every other month.
As I understand it, a hacker would need to get the private key from the source host inorder to connect if item 1 is true. If you pass the passphrase to the ssh-agent during the script, then a plaintext passphrase must exist in a file on the system so if a hacker does compromise the server, they have access to the remote host either way.
I have several scripts running on remote server doing this very thing with passphrase-less keys. The server they connect to only allows passphrase authentiction so inorder to connect, you must have a public key on the server. Its works very well for me, never any security breaches....
From: Frank Perugini [mailto:frankp at web-worx.com]
Sent: Tuesday, February 12, 2002 6:42 PM
To: rsync at lists.samba.org
Subject: rsync over ssh and passwords
I am trying to write a wrapper around rsync to do some automated file
sync-ing between two servers. I am using ssh as the tranport. How can I
avoid the password prompt for ssh?
I think I can configure ssh to not require passwords, but this would expose
the obvious security risk.What are other users doing to get by this? Is
there some tricks I can do in scripting that would allow me to keep the
password in place and pass it to ssh to force it to continue?
I want to keep this transfer as secure as possible.
I'm sure this is a common thing to do. I just can't figure it out.
More information about the rsync