RE: [suse-security] automatic backups over ssh/scp
Use public key authentication as opposed to hard coding the username and password.

HTH

-----Original Message-----
From: Lukas Feiler [mailto:lukas.feiler@endlos.at]
Sent: Tuesday, July 31, 2001 8:35 AM
To: suse-security@suse.com
Subject: [suse-security] automatic backups over ssh/scp

I want to do the following: back up all my sensitive data from my main server, pack it into one file and then get it transferred to my backup server. That's fine, but my problem is that those two machines aren't in the same local network. So if I do not encrypt my data it would be (more or less) visible to everybody on the net (who has some hacking knowledge). But as I said this data is sensitive (passwords, credit cards, ...)!

So I thought of ssh or scp, BUT how to automate this process of backing up? I would have to specify user AND password in my backup script. How do I specify a password for ssh / scp in a script??

Please help!

Luke
Hi,
Use public key authentication as opposed to hard coding the username and password.
Authorization through .shosts or .ssh/authorized_keys should work fine (man ssh). But using an RSA key without password isn't more secure than using a stored plaintext-password. ;-)

Regards,
Holger

-----------------------------------------------------------------------
Holger van Lengerich       paderLinx - Neue Informationsmedien GmbH
Diplom-Informatiker        Cheruskerstraße 2b, 33102 Paderborn
mailto:hvl@paderlinx.de    Fon: +49 5251 8994 - 16  Fax: -20
-----------------------------------------------------------------------
On Tue, Jul 31, 2001 at 02:57:21PM +0200, Holger van Lengerich wrote:
Hi,
Use public key authentication as opposed to hard coding the username and password.
Authorization through .shosts or .ssh/authorized_keys should work fine (man ssh). But using an RSA key without password isn't more secure than using a stored plaintext-password. ;-)
Wouldn't it make sense to have an ssh-agent running, knowing the identity that the backup script needs to log in to the remote machine? This looks like an improvement to me over passphrase-less keys, but I don't know if that again has its own risks.

Peter

--
Peter Poeml
poeml at suse.de
-------------------------------------------------------------------------------
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
At 13:40 1-8-2001, you wrote:
On Tue, Jul 31, 2001 at 02:57:21PM +0200, Holger van Lengerich wrote:
Hi,
Use public key authentication as opposed to hard coding the username and password.
Authorization through .shosts or .ssh/authorized_keys should work fine (man ssh). But using an RSA key without password isn't more secure than using a stored plaintext-password. ;-)
Maybe it's my ignorance .. but wouldn't it be easier to backup the files into a password-protected directory and downloading it from there over ssl / https ??

Then u would keep ur server secure and the backup-machine can be protected all u want as long as it's able to download the file with a script. All u would need to do then is make sure both machines are secured & nobody can read the "client" script which knows the passwd.

J
Hi,

Peter Poeml wrote:
Wouldn't it make sense to have an ssh-agent running,
Where is the benefit for security? The plaintext public key resides in memory, where any application can query it through the agent-protocol. And if you accidentally turn agent-forwarding on, you are spreading your credentials to every host you "ssh" to.

-------

Checker wrote:
wouldn't it be easier to backup the files into a password-protected directory and downloading it from there over ssl / https ??
When you have to install a web-server with SSL: It won't be easier. If you have one already: May be...

Regards,
Holger
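
Added example, not part of any message in this thread: for the unattended login via .ssh/authorized_keys discussed above, this sketch limits what a passphrase-less backup key can do on the backup server, using standard authorized_keys options from sshd(8). The function names, paths, address and key text are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names, paths and addresses are assumptions.

# Backup server: print an authorized_keys entry that ties the backup key to one
# source address and one forced command, with forwarding and tty disabled
# (options documented in sshd(8), AUTHORIZED_KEYS FILE FORMAT).
restricted_key_line() {   # $1 client address  $2 forced command  $3 public key text
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# Backup server: body of the forced command. Whatever command the client
# requested is ignored; stdin is stored as a new file readable by its owner only.
receive_backup() {        # $1 destination directory
    dest="$1/backup-$(date +%Y%m%d-%H%M%S)-$$.tar.gz"
    ( umask 077; cat > "$dest" ) || return 1
    printf '%s\n' "$dest"
}

# Main server (cron job): stream the archive over ssh with the dedicated key.
# BatchMode makes ssh fail instead of prompting when the key is not accepted.
# The trailing word "store" is a dummy: the forced command replaces it.
send_backup() {           # $1 private key file  $2 user@host  $3... paths to archive
    key="$1"; target="$2"; shift 2
    tar czf - "$@" | ssh -i "$key" -o BatchMode=yes -o IdentitiesOnly=yes "$target" store
}
```

The line printed by restricted_key_line goes into ~/.ssh/authorized_keys of the backup account, with the forced command pointing at a script that calls receive_backup. A stolen copy of the key can then only deposit new archive files from the listed address, not open a shell or read earlier backups.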
participants (4)
- Checker
- Holger van Lengerich
- James Wilkus
- Peter Poeml