On Mon, 6 Aug 2001 18:29:27 +0200
Maarten J H van den Berg
On Tuesday 31 July 2001 14:35, Lukas Feiler wrote:
[sorry for my late reply]
I want to do the following: back up all my sensitive data from my main server, pack it into one file and then get it transferred to my backup server.
That's fine, but my problem is that those two machines aren't in the same local network. So if I do not encrypt my data it would be (more or less) visible to everybody on the net (who has some hacking knowledge). But as I said, this data is sensitive (passwords, credit cards, ...)! So I thought of ssh or scp, BUT how to automate this process of backing up? I would have to specify user AND password in my backup script. How do I specify a password for ssh / scp in a script??
Instead, the best (and almost completely secure in every aspect) is to use an RSA certificate, and put the command, client IP etc. which the client uses inside the authorized_keys file on the server: that will make sure that when using that specific certificate, the client is FORCED to run EXACTLY the command specified. Thus, even if the client system gets fully compromised, the backup server remains safe from the attacker. You can choose to use ssh-agent, or even leave the passphrase blank, as little harm can be done anyway. Worst case would be overwriting the backup with an empty / corrupt one...
There is documentation with ssh on how this enforcing works exactly; read it well, because it isn't trivial to set up: you have to have the commands exactly right. Once it works, however, you have a secure backup connection without establishing an (unwanted) trust relationship. I've done this myself. Just follow the docs, run sshd in debug level to find the necessary command string, and you're fine.
I lost the bookmark to the site where I initially read those docs... :-( But google will help you. The O'Reilly book has some info too.
Good luck, Maarten
-- brick (brik) n. (4) pl. Another item that can be used to crash windows.
Maarten J. H. van den Berg ~~//~~ network administrator van Boetzelaer van Bemmel - Amsterdam - The Netherlands http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
I highly recommend that if you are doing any sort of remote file copies you take a look at rsync instead of scp. -- Have fun, Nix - nix@susesecurity.com http://www.susesecurity.com
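An added example, not code from the thread or from any of its authors, that puts Maarten's forced-command setup and Nix's rsync suggestion into one runnable shell script. The backup account, the directory /var/backups/mainserver, the client address 192.0.2.10, the wrapper path /usr/local/bin/backup-receive, the placeholder public key and the rsync server argument string are all assumptions chosen for illustration; the real rsync string has to be read off from your own client's request, as Maarten describes.

```shell
#!/bin/sh
# Added example, not from the thread. All names, paths and addresses below
# are assumptions for illustration.

BACKUP_DIR="/var/backups/mainserver"    # assumed destination on the backup server
CLIENT_IP="192.0.2.10"                  # assumed address of the main server
WRAPPER="/usr/local/bin/backup-receive" # assumed install path of this script
PUBKEY='ssh-rsa AAAAB3NzaC1yc2E...EXAMPLE backup@mainserver'   # placeholder key

# 1. The authorized_keys entry for the backup account on the backup server.
#    command= makes sshd ignore whatever the client asked for and run the
#    wrapper instead; the client's request only survives in
#    $SSH_ORIGINAL_COMMAND. from= pins the key to one source address and the
#    no-* options remove the things a compromised client could otherwise abuse.
authorized_keys_line() {
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$WRAPPER" "$CLIENT_IP" "$PUBKEY"
}

# 2. What the wrapper allows. Exactly two requests pass: an empty one (the
#    client pipes a tar stream and the wrapper stores it) and one fixed rsync
#    server invocation with the destination hard-wired. The option string is
#    an assumption; it differs between rsync versions, so take the real one
#    from a rejected-request log line or from sshd -d, then paste it here.
RSYNC_SERVER_CMD="rsync --server -logDtprz . $BACKUP_DIR/"

classify_request() {
    case "$1" in
        "")                  echo "store-stream" ;;
        "$RSYNC_SERVER_CMD") echo "rsync" ;;
        *)                   echo "reject" ;;
    esac
}

# 3. Store stdin under a fresh timestamped name, mode 0600, never overwriting
#    (noclobber) and never keeping an empty file. A compromised client can at
#    worst add a junk archive; it cannot replace or truncate an earlier backup.
store_stream() {
    dir=$1
    umask 077
    name="$dir/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    set -C
    cat > "$name" || { set +C; return 1; }
    set +C
    if [ ! -s "$name" ]; then
        rm -f "$name"
        echo "refusing empty backup" >&2
        return 1
    fi
    echo "$name"
}

# Entry point when sshd runs this script as the forced command.
backup_receive() {
    case "$(classify_request "${SSH_ORIGINAL_COMMAND-}")" in
        store-stream) store_stream "$BACKUP_DIR" ;;
        rsync)        exec $RSYNC_SERVER_CMD ;;
        *)            echo "rejected request: ${SSH_ORIGINAL_COMMAND-}" >&2; exit 1 ;;
    esac
}

# Client side (main server), from cron with a passphrase-less key:
#   tar czf - /etc /var/lib/secrets | ssh -i /root/.ssh/backup_key backup@backupserver
# or, for rsync:
#   rsync -az -e 'ssh -i /root/.ssh/backup_key' /var/lib/secrets/ backup@backupserver:/var/backups/mainserver/

case "${1-}" in
    print-key-line) authorized_keys_line ;;
    receive)        backup_receive ;;
esac
```

Run `backup-receive print-key-line` once to get the line for ~backup/.ssh/authorized_keys on the backup server, and make the wrapper the only thing that key can start. The rejected-request log line is the practical substitute for Maarten's "run sshd in debug level": start the rsync from the client, read the exact server command the wrapper logged, and copy it into RSYNC_SERVER_CMD. Because the destination is fixed in that string and the tar path is noclobber plus a fresh name, a full compromise of the main server only lets the attacker send junk, which is the worst case Maarten describes.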