Re: Remote backup using GNU tar doesn't work
From: Colin S. Miller
Subject: Re: Remote backup using GNU tar doesn't work
Date: Tue, 11 Apr 2006 20:43:27 +0100
User-agent: Debian Thunderbird 1.0.2 (X11/20051002)

Saurabh Barve wrote:
> Colin S. Miller wrote:
> > It looks like you have set up a ssh keypair (ssh-keygen).
> > If you set the key's password to the empty string,
> > you won't be prompted for a password.
>
> Yes. That is correct; that is what I have done. I think the empty
> passphrase is too much of a risk.
>
> > If this is too much for a security risk, you can set up a
> > 'tar' user on the remote machine, and use sudo to run tar.
> > You then set up a passwordless keypair for the 'tar' user.
>
> Hmmm. I'll try doing that. Is there more documentation on this
> somewhere? I want to be able to back up all my file systems. A normal
> user won't have all the permissions on them. Plus, how could I prevent
> this account from being exploited due to its passwordless nature?
>
> Thanks,
> Saurabh

Saurabh,

First of all, is the prompted password for
1) the outer ssh, into machine B
or
2) the ssh session tar creates to access the tape on machine A?

In the case of (1), sudo is probably the way to proceed.
Try
man 8 sudo
and
man 5 sudoers

In the case of (2), create a new account on machine 'A', called 'tape'.
Make it a member of the 'tape' group, and add full
control of /dev/nst0 to this group.
tar should be able to use the group by using
tar -b 512 --rsh-command=/usr/bin/ssh -tvf tape@System A:/dev/nst0

As for ssh security, the key password is used to protect the key;
unless someone gets a hold of the key they can't log in by using the key's
password.
I can't see any way in man 5 ssh_config to restrict the command the ssh runs
when the user logs in.
HTH,
Colin S. Miller
--
Replace the obvious in my email address with the first three letters of the
hostname to reply.
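
On the question of limiting what a passwordless key can do: OpenSSH's server side lets an `authorized_keys` entry carry a `command="..."` option (see sshd(8)) that replaces whatever the client requests. The wrapper below is an added example, not part of the original thread; the script path `/usr/local/bin/tape-only`, its `--enforce` argument and the two rmt helper paths are assumptions for illustration.

```shell
#!/bin/sh
# tape-only: forced-command wrapper for the passwordless 'tape' key (added example).
#
# Assumed authorized_keys entry for the 'tape' account on machine A
# (options are described in sshd(8); the key material is a placeholder):
#   command="/usr/local/bin/tape-only --enforce",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <public-key> backup@machineB
#
# sshd runs this script instead of whatever the client asked for and puts
# the client's request in SSH_ORIGINAL_COMMAND.

# Return 0 only when the request is exactly one of the rmt helper paths.
# Assumption: the tar on machine B requests rmt at one of these paths.
tape_only_check() {
    case "$1" in
        /etc/rmt|/usr/sbin/rmt) return 0 ;;
        *) return 1 ;;   # empty (interactive login), extra args, or anything else
    esac
}

if [ "${1:-}" = "--enforce" ]; then
    if tape_only_check "${SSH_ORIGINAL_COMMAND:-}"; then
        # Exact match, so exec the path directly; never eval the string.
        exec "$SSH_ORIGINAL_COMMAND"
    fi
    logger -t tape-only "refused: ${SSH_ORIGINAL_COMMAND:-interactive login}"
    echo "tape-only: command not permitted" >&2
    exit 1
fi
```

With this entry in place, a stolen copy of the key can only start the tape helper on machine A; it cannot open a shell or forward ports.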