Mailinglist Archive: opensuse-security (511 mails)

Re: [suse-security] automatic backups over ssh/scp
  • From: Rob Simmons <rsimmons@xxxxxxxx>
  • Date: Mon, 6 Aug 2001 13:22:55 -0400 (EDT)
  • Message-id: <20010806132111.L60926-100000@xxxxxxxxxxxxx>

Have you looked into using amanda? It supports kerberos. Or, you can use
something like stunnel, or ssh to tunnel the traffic from amanda.

http://www.amanda.org

BTW: The O'Reilly book has a chapter devoted to amanda.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 6 Aug 2001, Maarten J H van den Berg wrote:

> On Tuesday 31 July 2001 14:35, Lukas Feiler wrote:
>
> [sorry for my late reply]
>
> > I want to do the following:
> > back up all my sensitive data from my main server, pack it into one file
> > and then get it transferred to my backup server.
> >
> > That's fine but my problem is that those two machines aren't in the
> > same local network. So if I do not encrypt my data it would be (more or
> > less) visible to everybody on the net (who has some hacking knowledge).
> > But as I said this data is sensible (passwords, credit cards, ...)! So I
> > thought of ssh or scp BUT how to automate this process of backing up? I
> > would have to specify user AND password in my backup-script. How do I
> > specify a password for ssh / scp in a script??
>
> Instead, the best (and almost completely secure in every aspect) is to
> use an RSA certificate, and put the command, client-IP etc. which the
> client uses inside the authorized_keys file on the server: That will
> make sure that when using that specific certificate, the client is FORCED
> to run EXACTLY the command specified. Thus, even if the client system gets
> fully compromised, the backup server remains safe from the attacker.
> You can choose to use ssh-agent, or even leave the passphrase blank, as
> little harm can be done anyway. Worst case would be overwriting the
> backup with an empty / corrupt one...
>
> There is documentation with ssh how this enforcing works exactly, read it
> well because it isn't trivial to set up; you have to have the commands
> exactly right. Once it works however you have a secure backup connection,
> without establishing an (unwanted) trust relationship.
> I've done this myself. Just follow the docs, run sshd in debug level to
> find the necessary command string, and you're fine.
>
> I lost the bookmark to the site where I initially read those docs... :-(
> But google will help you. The O'Reilly book has some info too.
>
> Good luck,
> Maarten
>
> --
> brick (brik) n. (4) pl. Another item that can be used to crash windows.
>
> Maarten J. H. van den Berg ~~//~~ network administrator
> van Boetzelaer van Bemmel - Amsterdam - The Netherlands
> http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
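The authorized_keys restriction described in the quoted reply, as an added example that is not part of the original thread: one function builds a key entry pinned to a source address and a single forced command using OpenSSH's `from=`, `command=` and `no-*` options, and a second audits an authorized_keys file for keys that lack those restrictions. The function names, the address, the command path and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example: build and audit restricted authorized_keys entries.
# Function names and all values passed to them are hypothetical.

# Emit one authorized_keys line that ties a public key to a source address
# and a single forced command, with pty and forwarding features disabled.
restricted_key_line() {
    client_ip=$1 forced_cmd=$2 pubkey=$3
    # A double quote would end the option value early and change its meaning.
    case "$client_ip$forced_cmd" in
        *\"*) echo "refusing: double quote in option value" >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$client_ip" "$forced_cmd" "$pubkey"
}

# Print the line numbers of keys in the given authorized_keys file that have
# no forced command or no source restriction, i.e. keys that still allow an
# arbitrary command from any host.
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            # Option keywords are case-insensitive; the leading space lets
            # one pattern match a key type at the very start of the line.
            opts = " " tolower($0)
            # The options field is whatever precedes the key type token.
            sub(/[ \t](ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+)[ \t].*$/, "", opts)
            if (opts !~ /command="/ || opts !~ /from="/) print NR
        }
    ' "$1"
}
```

Run the audit against the backup account's authorized_keys file on the backup server; any line number it prints is a key that is not bound to both a command and a client address.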


