-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Have you looked into using amanda? It supports kerberos. Or, you can use something like stunnel, or ssh to tunnel the traffic from amanda.

http://www.amanda.org

BTW: The O'Reilly book has a chapter devoted to amanda.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 6 Aug 2001, Maarten J H van den Berg wrote:
On Tuesday 31 July 2001 14:35, Lukas Feiler wrote:
[sorry for my late reply]
I want to do the following: back up all my sensitive data from my main server, pack it into one file and then get it transferred to my backup server.
That's fine, but my problem is that those two machines aren't in the same local network. So if I do not encrypt my data it would be (more or less) visible to everybody on the net (who has some hacking knowledge). But as I said, this data is sensitive (passwords, credit cards, ...)! So I thought of ssh or scp, BUT how to automate this process of backing up? I would have to specify user AND password in my backup script. How do I specify a password for ssh / scp in a script??
Instead, the best (and almost completely secure in every aspect) is to use an RSA certificate, and put the command, client IP etc. which the client uses inside the authorized_keys file on the server: That will make sure that when using that specific certificate, the client is FORCED to run EXACTLY the command specified. Thus, even if the client system gets fully compromised, the backup server remains safe from the attacker. You can choose to use ssh-agent, or even leave the passphrase blank, as little harm can be done anyway. Worst case would be overwriting the backup with an empty / corrupt one...
There is documentation with ssh on how this enforcing works exactly; read it well because it isn't trivial to set up; you have to have the commands exactly right. Once it works, however, you have a secure backup connection, without establishing an (unwanted) trust-relationship. I've done this myself. Just follow the docs, run sshd in debug level to find the necessary command string, and you're fine.
I lost the bookmark to the site where I initially read those docs... :-( But Google will help you. The O'Reilly book has some info too.
Good luck, Maarten
-- brick (brik) n. (4) pl. Another item that can be used to crash windows.
Maarten J. H. van den Berg ~~//~~ network administrator van Boetzelaer van Bemmel - Amsterdam - The Netherlands http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7btJ0v8Bofna59hYRAxbMAKCUYKB2ybrDJ4YJc3N0f1yn9LWzOwCgoglX 2pNvlup5q9b4HA2eIRXhciA= =fA5y -----END PGP SIGNATURE-----
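
An added illustration of the forced-command setup Maarten describes, not part of the original thread or of any poster's configuration: a receiver script for the backup server, with the matching authorized_keys line and client invocation shown in its comments. The script path, host names, account name, address and key are assumptions; the script also goes one step beyond the thread by refusing empty uploads and never overwriting an earlier archive, which covers the worst case mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread). Install on the backup server as the
# forced command, e.g. /usr/local/bin/receive-backup (path is an assumption).
#
# ~backup/.ssh/authorized_keys on the backup server, one line (placeholder key;
# 192.0.2.10 is a documentation address standing in for the main server):
#   command="/usr/local/bin/receive-backup",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...placeholder backup@mainserver
#
# Client side, from cron on the main server (paths and host are assumptions):
#   tar czf - /etc /srv/data | ssh -i /root/.ssh/backup_key backup@backupserver

BACKUP_DIR="${BACKUP_DIR:-/var/backups/incoming}"

# receive_backup: store stdin as a new, uniquely named archive.
# Whatever the client asked to run (SSH_ORIGINAL_COMMAND, set by sshd) is
# logged and never executed.
receive_backup() {
    umask 077
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "ignored client command: $SSH_ORIGINAL_COMMAND" >&2
    fi
    tmp=$(mktemp "$BACKUP_DIR/.incoming.XXXXXX") || return 1
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse an empty upload so it can never stand in for a good backup.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "empty backup rejected" >&2
        return 2
    fi
    dest="$BACKUP_DIR/backup-$(date +%Y%m%d-%H%M%S)-$$.tar.gz"
    # ln fails if dest already exists, so an earlier backup is never overwritten.
    ln "$tmp" "$dest" || { rm -f "$tmp"; return 3; }
    rm -f "$tmp"
    echo "$dest"
}

# Run only when executed as the forced command, not when sourced for testing.
case "$0" in
    *receive-backup) receive_backup ;;
esac
```

With this key entry in place, any command the client passes on its ssh command line is ignored; running sshd at debug level, as suggested above, shows which command string is actually being forced.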