asking for root password

Matthias Schniedermeyer ms at citd.de
Thu Oct 23 22:05:45 GMT 2008


On 23.10.2008 14:35, Marc Fromm wrote:
> I will try changing --rsh "ssh -l root" to -e ssh root at .
> 
> On both the old server and the box pulling the backups these 3 files are in the .ssh directory in /root: authorized_keys  id_rsa  id_rsa.pub. Can I assume they are identical files on both systems?

No. In most cases you should have a distinct key-set for every user 
and/or server. You can use the same key-set several times, but it's 
usually not a good idea. And I just realized that I've written b*llshit 
in my first try, because my description assumes that you copied the 
existing key-set from the old to the new server.

The authorized_keys-file contains a list of public-keys (the contents 
of .pub-files), one per line, that are allowed to login with the 
corresponding private-key (the id_rsa or id_dsa). For a password-less 
login you have to make sure that the contents of the .pub-file of a given 
source (the backup-server in this case) is contained in the 
authorized_keys of the target-server of the ssh-connection.

So the standard way is to create a key set on the source and then append 
or create the .ssh/authorized_keys with the contents of the .pub-file on 
the target.



> I found an article about creating the above files:
> http://blogs.sun.com/jkini/entry/how_to_scp_scp_and
> 
> To be clear, if I want to recreate the 3 files do I create them on the system running the rsync command and then copy the 3 files to the remote box?
> 
> Thanks
> -----Original Message-----
> From: Matthias Schniedermeyer [mailto:ms at citd.de]
> Sent: Thursday, October 23, 2008 2:25 PM
> To: Marc Fromm
> Cc: rsync at lists.samba.org
> Subject: Re: asking for root password
> 
> On 23.10.2008 13:29, Marc Fromm wrote:
> > We are using rsync to pull backups created on our server.
> > The command below is run as a cronjob and it works great.
> > rsync -avu --rsh "ssh -l root" root@servername:/var/lib/mysql/backups/ /backups/mysql/
> 
> Normally this should be enough:
> rsync -avu -e ssh root@servername:/var/lib/mysql/backups/ /backups/mysql/
> 
> With a recent rsync even "-e ssh" isn't needed.
> 
> > We have a new server that will replace the old server that rsync pulls backups from.
> > On the system that is running rsync, I switched the servername in the command above to the new server.
> > Rsync is failing to work because it wants the root password for the new server.
> > Rsync does not ask for a password from the old server, even when I manually run the command.
> >
> > I did not set up the rsync routine and thus I don't know if there is a file on the old server that rsync is communicating with to bypass asking for roots password.
> >
> > What is required for rsync to use the above command to pull backups from the new server, and not want root's password entered?
> 
> Most likely the backup-server uses a RSA or DSA key to authenticate.
> 
> On the old server you will find the following file in the home-directory
> of the root-user (/root usually):
> .ssh/authorized_keys
> (in rare cases: .ssh/authorized_keys2)
> 
> The file contains a list of public-keys that are allowed to login without
> password.
> 
> Just create the directory on the new server and copy the file over.
> If you copy the contents via copy & paste you have to make sure to not
> break the long line(s).
> 
> You also have to make sure that either the permissions of the file and
> every directory up to and including .ssh is only writable by root,
> otherwise the sshd won't use the key file
> (man sshd_config, Keyword: "strictmode").
> 
> The corresponding private-key can be found on your backup-server also in
> .ssh directory of the home-directory of whatever user starts the
> command. The file is normally called either: id_dsa or id_rsa, if it is
> called "identity" you are using SSHv1 and you should really consider
> generating a new set of keys. The public key is stored in the .pub-file,
> this is the long string you can see in the authorized_keys-file.
> 
> 
> 
> I suggest you read/google a little bit about ssh-keys, they are one of
> the best inventions since sliced bread. ;-)
> 
> 
> 
> 
> See you
> 
> --
> Real Programmers consider "what you see is what you get" to be just as
> bad a concept in Text Editors as it is in women. No, the Real Programmer
> wants a "you asked for it, you got it" text editor -- complicated,
> cryptic, powerful, unforgiving, dangerous.

See you

-- 
Real Programmers consider "what you see is what you get" to be just as 
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated, 
cryptic, powerful, unforgiving, dangerous.
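
The procedure described in the reply above (add the source's .pub contents to the target's authorized_keys, with permissions sshd accepts), as an added shell example that is not part of the original post. `install_pubkey` and `check_strictmodes` are hypothetical helper names, and the check only looks at group/other write bits on the home directory, `.ssh` and `authorized_keys`, not at ownership.

```shell
#!/bin/sh
# Added example (not from the original thread). Helper names are hypothetical.
# Typical use, assuming root's home is /root on both machines:
#   backup server:  ssh-keygen -t rsa -f /root/.ssh/id_rsa
#   target server:  install_pubkey /tmp/id_rsa.pub /root && check_strictmodes /root
#   backup server:  rsync -avu -e ssh root@servername:/var/lib/mysql/backups/ /backups/mysql/

# install_pubkey PUBFILE HOME_DIR
# Adds the public key to HOME_DIR/.ssh/authorized_keys unless that exact
# line is already there, then sets owner-only permissions.
install_pubkey() {
    pub=$1; home=$2
    key=$(cat "$pub") || return 1
    # A public key is exactly one line; a wrapped copy & paste breaks it.
    [ -n "$key" ] && [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] ||
        { echo "not a single-line public key: $pub" >&2; return 1; }
    auth=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh" && touch "$auth" || return 1
    # If the last existing entry lacks a newline, add one so keys do not merge.
    [ -z "$(tail -c1 "$auth")" ] || echo >> "$auth"
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 700 "$home/.ssh" && chmod 600 "$auth"
}

# check_strictmodes HOME_DIR
# Fails if the home directory, .ssh or authorized_keys is writable by group
# or others; with strict mode checking sshd then ignores the key file and
# falls back to asking for the password.
check_strictmodes() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        # Characters 6 and 9 of the ls mode string are group and other write.
        case $(ls -ld "$p" | cut -c6,9) in
            *w*) echo "writable by group/others: $p" >&2; return 1 ;;
        esac
    done
}
```
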


