Mailinglist Archive: opensuse-security (511 mails)

< Previous Next >
Re: [suse-security] automatic backups over ssh/scp
  • From: Rob Simmons <rsimmons@xxxxxxxx>
  • Date: Mon, 6 Aug 2001 13:22:55 -0400 (EDT)
  • Message-id: <20010806132111.L60926-100000@xxxxxxxxxxxxx>
Hash: RIPEMD160

Have you looked into using amanda? It supports kerberos. Or, you can use
something like stunnel, or ssh to tunnel the traffic from amanda.

BTW: The orielly book has a chapter devoted to amanda.

Robert Simmons
Systems Administrator

On Mon, 6 Aug 2001, Maarten J H van den Berg wrote:

> On Tuesday 31 July 2001 14:35, Lukas Feiler wrote:
> [sorry for my late reply]
> > I want to do the following:
> > backup all my sensitive date from my main server, pack it into one file
> > and then get it transfered to my backup server.
> >
> > That's fine but my problem is that those two machines aren't in the
> > same local network. So if I do not encrypt my data it would be (more or
> > less) visible to everybody on the net (who has some hacking knowledge).
> > But as I said this data is sensible (passwords, creditcards, ...)! So I
> > thought of ssh or scp BUT how to automate this process of backing up? I
> > would have to specify user AND password in my backup-script. How do
> > specify a password for ssh / scp in a script??
> Instead, the best (and almost completely secure in every aspect) is to
> use an RSA certificate, and put the command, client-IP etc. which the
> client uses inside the authorized_keys file on the server: That will
> make sure that when using that specific certificate, the client is FORCED
> to run EXACTLY the command specified. Thus, even if the clientsystem gets
> fully compromised, the backupserver remains safe from the attacker.
> You can choose to use ssh-agent, or even leave the passphrase blank, as
> little harm can be done anyway. Worst case would be overwriting the
> backup with an empty / corrupt one...
> There is documentation with ssh how this enforcing works exactly, read it
> well because it isn't trivial to setup; you have to have the commands
> exactly right. Once it works however you have a secure backup connection,
> without establishing an (unwanted) trust- relationship.
> I've done this myself. Just follow the docs, run sshd in debug level to
> find the necessary commandstring, and you're fine.
> I lost the bookmark to the site where I initially read those docs... :-(
> But google will help you. The O' Reilly book has some info too.
> Good luck,
> Maarten
> --
> brick (brik) n. (4) pl. Another item that can be used to crash windows.
> Maarten J. H. van den Berg ~~//~~ network administrator
> van Boetzelaer van Bemmel - Amsterdam - The Netherlands
> T+31204233288 F+31204233286 G+31651994273
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see


< Previous Next >
List Navigation