SSH/SCP without a password

Here are some links:
IBM good intro:
- http://www.ibm.com/developerworks/library/l-keyc.html
- http://www.ibm.com/developerworks/library/l-keyc2/
- http://www.ibm.com/developerworks/library/l-keyc3/
Passwordless Login with SSH: http://php.8ez.com/drsmall/blog/?p=218
Change a Passphrase With ssh-keygen command: http://www.cyberciti.biz/faq/howto-ssh-changing-passphrase/
Rimuhosting's secure backup howto: http://rimuhosting.com/howto/rsyncbackup.jsp
Linux to Linux Key Based SSH: http://element14.wordpress.com/2008/02/19/linux-to-linux-key-based-ssh/
ssh-agent - Linux man page: http://www.cl.cam.ac.uk/cgi-bin/manpage?ssh-agent
ssh-copy-id - Linux man page: http://www.opensourcemanuals.org/manual/ssh-copy-id/
The Ultimate SSH Security Tutorial: http://tuxtraining.com/2008/05/14/the-ultimate-ssh-security-tutorial/
Automate backups on Linux (IBM tutorial): http://www.ibm.com/developerworks/linux/library/l-backup/index.html
Security tips: http://www.linuxsecurity.com/content/view/133312?rdf

Steps to create and distribute RSA key

# generate the keys for whoever is logged on (use a passphrase)
ssh-keygen -t rsa
# copy the public key to the target machine
ssh-copy-id -i ~/.ssh/id_rsa.pub root@test.cfaw.info
# make sure that the following permissions are in place at both ends:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
chmod +r ~/.ssh/*.pub

Strategies for Key Automation

  1. Use the ssh -i option from rsync to load the key
    The key is loaded at run time via rsync's -e "ssh -i filename ..." mechanism. Simple and clean.
    See Troy at: http://troy.jdmz.net/rsync/index.html
    Note that Troy has the best security solution for rsync at the receiving end.
  2. Use a .ssh/config file
    All the information to make a connection is stored in the .ssh/config file, including the port number for ssh. Very convenient and easy to manage.
    See Dean at: http://arctic.org/~dean/rdiff-backup/unattended.html
  3. Use ssh-agent and ssh-add to load the key
    A little bit cumbersome as one script has to call another.
    See Rimu at: http://rimuhosting.com/howto/rsyncbackup.jsp
  4. Use keychain to manage keys
    This is theoretically the strongest since it enables a passphrase to be used. However, the passphrase has to be entered by hand every time the system is rebooted. Also, it needs the keychain script to be installed.
    See IBM at: http://www.ibm.com/developerworks/linux/library/l-backup/index.html

Solution

- create the keys using the create_ssh_keys.sh script below, and test
- install validate-rsync on the server
- modify the authorized_keys on the server so that the entry starts with:
    from="xxx.xxx.xxx.xxx",command="/backups/validate-rsync",no-port-forwarding,no-X11-forwarding,no-pty
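
A forced-command filter of the kind the command= option above points at, as an added example: this is not the page's validate-rsync attachment, and the backup root /backups/data/ and the push-only policy are assumptions. sshd runs the script instead of whatever the client asked for and passes the request in SSH_ORIGINAL_COMMAND.

```shell
#!/bin/sh
# Added example, not the page's validate-rsync attachment.
# Assumption: clients only push backups, and only into BACKUP_ROOT.
BACKUP_ROOT="/backups/data/"

# Return 0 only for an rsync push ("rsync --server ..." without --sender)
# whose destination (the last word) lies under BACKUP_ROOT.
is_allowed_rsync() {
    case "$1" in
        *[!A-Za-z0-9\ ._/,=:@+-]*) return 1 ;;  # character outside the allowlist
        *..*) return 1 ;;                       # path traversal
    esac
    set -f          # no globbing when the request is split into words
    set -- $1       # split exactly as the exec in main will
    [ "${1:-}" = "rsync" ] && [ "${2:-}" = "--server" ] || return 1
    for word in "$@"; do
        [ "$word" = "--sender" ] && return 1    # pull request: this key may only push
        dest=$word                              # ends up holding the last word
    done
    case "$dest" in
        "$BACKUP_ROOT"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    if is_allowed_rsync "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    # SSH_CONNECTION is set by sshd; its first field is the client address.
    # The rejected request itself is untrusted, so it is not written to the log.
    logger -t validate-rsync "rejected request from ${SSH_CONNECTION%% *}"
    echo "Rejected" >&2
    exit 1
}

# Enforce only when installed under the name used in authorized_keys.
case "${0##*/}" in
    validate-rsync) main ;;
esac
```

A key restricted this way can still overwrite or delete files under the backup root, so the from= address restriction and the no-pty and no-forwarding options stay in the authorized_keys entry.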

Attachment            Size
validate-rsync.       264 bytes
create_ssh_keys.txt   865 bytes