Here are some notes and links on SSH keys for unattended rsync backups:
Steps to create and distribute an RSA key
#generate the keys for whoever is logged on (use a passphrase)
ssh-keygen -t rsa
#copy public key to target machine
ssh-copy-id -i ~/.ssh/id_rsa.pub root@test.cfaw.info
#make sure that the following permissions are in place at both ends:
chmod 700 .ssh
chmod 600 .ssh/*
chmod +r .ssh/*.pub
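As an added check that is not part of the original notes: a small POSIX sh script that audits a .ssh directory against the permissions just set (700 on the directory, 600 on its files, public keys readable but not writable by others). It can be run on both the initiator and the target before the first unattended connection. It reads modes from ls -ld and assumes nothing beyond standard sh, ls and cut; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a .ssh directory against
# the permissions the steps above set. Run it on both ends.
# Usage: check_ssh_perms [dir]   (defaults to "$HOME/.ssh")

# Print the nine permission characters of a path, e.g. "rwx------".
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 if every permission matches the notes, 1 otherwise; each problem
# is printed so it can be fixed with the chmod commands above.
check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    bad=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    m=$(mode_of "$dir")
    if [ "$m" != "rwx------" ]; then
        echo "$dir: mode $m, expected rwx------ (chmod 700)"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue              # skip sockets, subdirectories, empty glob
        m=$(mode_of "$f")
        go=$(printf '%s' "$m" | cut -c4-9)   # group and other bits only
        case "$f" in
            *.pub)
                # public keys may be world-readable, but only the owner may write them
                case "$go" in
                    *w*) echo "$f: writable by group or other ($m)"; bad=1 ;;
                esac ;;
            *)
                # private keys, config, known_hosts, authorized_keys: owner only
                if [ "$go" != "------" ]; then
                    echo "$f: mode $m, expected rw------- (chmod 600)"
                    bad=1
                fi ;;
        esac
    done
    return $bad
}

# Stand-alone use: "sh check_ssh_perms.sh /home/backuser/.ssh".
# With no argument only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

The check is deliberately stricter than sshd's own StrictModes test, which only rejects files writable by group or other: a private key that is group-readable still leaks, so anything other than 600 on a non-public file is reported.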
Strategies for Key Automation
- Use -i option in rsync to load key
The key is dynamically loaded via the -e "ssh -i filename ..." mechanism. Simple and clean.
See Troy at: troy.jdmz.net/rsync/index.html
Note that Troy has the best security solution for rsync at the receiving end.
- Use a .ssh/config file
All the information to make a connection is stored in the .ssh/config file, including the port number for ssh. Very convenient and easy to manage.
See Dean at: arctic.org/…up/unattended.html
- Use ssh-agent and ssh-add to load the key
A little bit cumbersome as one script has to call another.
See Rimu at: rimuhosting.com/…yncbackup.jsp
- Use keychain to manage keys
This is theoretically the strongest since it enables a passphrase to be used. However, this has to be entered by hand every time the system is rebooted. Also, it needs the keychain script to be installed.
See IBM at: www.ibm.com/…backup/index.html
Solution
- Concepts
- The initiator computer must generate keys (e.g. backupk) and a .ssh/config file to link them to the target
- The target computer must have an account (e.g. backuser) containing .ssh/authorized_keys
- The public key from the initiator is placed in this authorized_keys file
- This is neatly accomplished with the following steps:
- create the keys using the create_ssh_keys.txt script below, and test
- install validate-rsync on the server
- modify the authorized_keys on the server so that the entry starts with:
from="xxx.xxx.xxx.xxx",command="/backups/validate-rsync",no-port-forwarding,no-X11-forwarding,no-pty
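The validate-rsync script is referred to above but not reproduced. What follows is an added example of such a forced-command script, written for these notes and not Troy's original: sshd runs it in place of whatever the client requested, passing the request in SSH_ORIGINAL_COMMAND, and it only hands over to rsync when the request is a plain rsync --server invocation for a path under /backups. The /backups location is taken from the command= entry above; that the backup tree itself lives under it, and the function name, are assumptions of mine.

```shell
#!/bin/sh
# validate-rsync: forced command for the backup key on the target (server).
# Added example; not the script from Troy's page. sshd runs this instead of
# whatever the client asked for and passes the request in SSH_ORIGINAL_COMMAND.
# Assumption: the backup tree lives under BACKUP_ROOT on this host.
BACKUP_ROOT=/backups

# Return 0 only for a plain rsync server invocation, free of shell
# metacharacters, whose path argument lies under BACKUP_ROOT; 1 otherwise.
validate_rsync_command() {
    cmd="$1"
    case "$cmd" in
        # anything that could chain, redirect or substitute commands
        *\&* | *\(* | *\{* | *\;* | *\<* | *\>* | *'`'* | *\|* | *\$*)
            return 1 ;;
        # only the server side of an rsync transfer, nothing else
        "rsync --server "*)
            ;;
        *)
            return 1 ;;
    esac
    # the last word of an rsync --server command is the path on this host
    last="${cmd##* }"
    case "$last" in
        *..*)                return 1 ;;   # no climbing out of the tree
        "$BACKUP_ROOT"/*)    return 0 ;;
        *)                   return 1 ;;
    esac
}

# When invoked by sshd (SSH_ORIGINAL_COMMAND set), vet the request and run it.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f                       # no globbing of the vetted words
        exec $SSH_ORIGINAL_COMMAND   # word splitting is intended here
    fi
    echo "Rejected" >&2
    exit 1
fi
```

Install it as /backups/validate-rsync, executable by backuser, and keep the from=...,command= prefix above in front of the key on the same authorized_keys line. The no-pty and no-*-forwarding options limit what the key can do regardless of this script; the script in turn limits the key to rsync and to one directory tree. Any rejected request is logged by sshd under the backuser account, which is a useful thing to watch for on the target.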