RSYNC advice needed
Linux Security forums, System Security and Security Related category

Question: I want to write a simple rsync script that synchronizes two
directories on two different systems across the internet via SSH.

When writing the script and placing credentials in the script so I am not prompted for user name and password info, what is the best way to secure a file like this?

Is there a way to have this file "encrypted" then decrypted during the cron job to supply credentials? Any protection for that brief moment that file is decrypted? If I am off track please get me back on track.

Thoughts, opinions, links, and example scripts are much welcomed!

leggo <leggo@piecemail.net> wrote:
> Question: I want to write a simple rsync script that synchronizes two
> directories on two different systems across the internet via SSH.
>
> When writing the script and placing credentials in the script so I am
> not prompted for user name and password info, what is the best way to
> secure a file like this?
>
> Is there a way to have this file "encrypted" then decrypted during the
> cron job to supply credentials? Any protection for that brief moment
> that file is decrypted? If I am off track please get me back on
> track.
>
> Thoughts, opinions, links, and example scripts are much welcomed!

Ssh doesn't allow you to give passphrases and so on on the command line, so you'll have some trouble getting this to work (it's been done, it's just not trivial).

Encrypting the file doesn't help much - after all, you'll not be able to supply a password for the encryption in a way that is more secure.

As to rsync, I know very little of that.

You might want to establish a permanent ssh connection (manually, once per boot), and then 'tack on' more sessions. I've never tried it, but it should work. See ssh_config(5), under ControlMaster.

This would still give root access to the other machine, but using a privilege separation user this should be quite possible. (You'll want something like ssh -axF /path/to/new/config/file.)

Joachim

leggo wrote:
> Question: I want to write a simple rsync script that synchronizes two
> directories on two different systems across the internet via SSH.
>
> When writing the script and placing credentials in the script so I am
> not prompted for user name and password info, what is the best way to
> secure a file like this?
>
> Is there a way to have this file "encrypted" then decrypted during the
> cron job to supply credentials? Any protection for that brief moment
> that file is decrypted? If I am off track please get me back on
> track.
>
> Thoughts, opinions, links, and example scripts are much welcomed!

The best way is to not use a password at all. Enable SSH logins via recognised keys. Voila! secure logins without passwords.

Me.

leggo wrote:
> Question: I want to write a simple rsync script that synchronizes two
> directories on two different systems across the internet via SSH.
>
> When writing the script and placing credentials in the script so I am
> not prompted for user name and password info, what is the best way to
> secure a file like this?
>
> Is there a way to have this file "encrypted" then decrypted during the
> cron job to supply credentials? Any protection for that brief moment
> that file is decrypted? If I am off track please get me back on
> track.
>
> Thoughts, opinions, links, and example scripts are much welcomed!

Use RSA authentication.

On the one you are initiating the SSH connection from do:

    $ ssh-keygen -t rsa

and accept the default options. Then append the contents of ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_hosts file on the other computer.

You should (depending on what the default settings for ssh are on your distro) be able to ssh across without giving a password.

HTH

Mark Atherton
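
Added example, not part of the posts above: one way to install the public key on the receiving machine so that it is usable only for the sync job, which goes a step beyond the plain append described in the post. sshd reads keys from ~/.ssh/authorized_keys by default; the key text, the client address 192.0.2.10, the /srv/sync directory and the presence of rrsync (the restricted-rsync wrapper shipped with rsync) on the PATH are assumptions.

```sh
#!/bin/sh
# Added example: install a sync-only public key on the receiving machine.
# The key text, client address and rrsync directory are constructed values.
PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDEXAMPLE sync@pc-b'

# Build an authorized_keys line that lets this key connect only from $2 and
# run only the fixed command $3. "restrict" (OpenSSH 7.2 and later) turns off
# pty allocation and agent, X11 and port forwarding.
restricted_entry() {    # $1 = public key line, $2 = client address, $3 = command
    printf 'from="%s",command="%s",restrict %s\n' "$2" "$3" "$1"
}

# Append the entry once, with permissions that satisfy sshd's StrictModes check.
install_entry() {       # $1 = .ssh directory, $2 = entry
    mkdir -p "$1" && chmod 700 "$1" || return 1
    touch "$1/authorized_keys" && chmod 600 "$1/authorized_keys" || return 1
    grep -qxF -- "$2" "$1/authorized_keys" ||
        printf '%s\n' "$2" >> "$1/authorized_keys"
}

# First ten characters of ls -ld, e.g. "-rw-------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demo in a scratch directory; on the real machine $1 would be ~/.ssh.
demo() {
    d=$(mktemp -d) || return 1
    install_entry "$d/.ssh" "$(restricted_entry "$PUBKEY" 192.0.2.10 'rrsync /srv/sync')"
    cat "$d/.ssh/authorized_keys"; mode_of "$d/.ssh/authorized_keys"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

With an entry like this, a copy of the passphraseless private key can do no more than rsync into the one directory from the one address.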

Joachim Schipper spilled the following:
> leggo <leggo@piecemail.net> wrote:
>>
>> When writing the script and placing credentials in the script so I am
>> not prompted for user name and password info, what is the best way to
>> secure a file like this?
>>
>
> Encrypting the file doesn't help much - after all, you'll not be able to
> supply a password for the encryption in a way that is more secure.
>

man ssh-agent
(You'll need to leave a session open on one end)

The best solution would be to use a keypair.

C.

On 08 Mar 2005 17:17:11 GMT, Joachim Schipper wrote:
> leggo <leggo@piecemail.net> wrote:
>> Question: I want to write a simple rsync script that synchronizes two
>> directories on two different systems across the internet via SSH.
>>
>> When writing the script and placing credentials in the script so I am
>> not prompted for user name and password info, what is the best way to
>> secure a file like this?
>>
>> Is there a way to have this file "encrypted" then decrypted during the
>> cron job to supply credentials? Any protection for that brief moment
>> that file is decrypted? If I am off track please get me back on
>> track.
>>
>> Thoughts, opinions, links, and example scripts are much welcomed!
>
> Ssh doesn't allow you to give passphrases and so on on the command line,
> so you'll have some trouble getting this to work (it's been done, it's
> just not trivial).

I `expect` there's a way.
But - agreed - not A Good Idea.

Jonesy
--
| Marvin L Jones     | jonz       | W3DHJ  | linux
| Gunnison, Colorado | @          | Jonesy | OS/2 __
| 7,703' -- 2,345m   | config.com | DM68mn SK

On Tue, 08 Mar 2005 11:49:01 -0500, leggo thoughtfully wrote:
> Question: I want to write a simple rsync script that synchronizes two
> directories on two different systems across the internet via SSH.
>
> When writing the script and placing credentials in the script so I am not
> prompted for user name and password info, what is the best way to secure a
> file like this?
>
> Is there a way to have this file "encrypted" then decrypted during the
> cron job to supply credentials? Any protection for that brief moment that
> file is decrypted? If I am off track please get me back on track.
>
> Thoughts, opinions, links, and example scripts are much welcomed!

Yep, I use a simple rsync script every other night or so to synchronize my Pan folders between machines.

I started with this article
"Using Rsync and SSH"
Keys, Validating, and Automation
http://www.jdmz.net/ssh/

The key was keygen (DSA or RSA) on PC B and I used scp to copy it to PC A and move it to the appropriate directory. I just use the script on PC B to sync A to B then B to A in the same script.

Careful with rsync when using it against directories as any change in a directory updates the directory's timestamp, timing is everything with rsync. Also use the "--dry-run" feature to make sure rsync is doing what you think it's doing.

man rsync

Others have mentioned "Unison" as the latest greatest file synch for nix, most notable for two-way sync.
http://www.cis.upenn.edu/~bcpierce/unison/
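
Added example, not from the thread or the linked article: a cron-ready form of the sync job described in the post above, combining a dedicated key, a private ssh config file (the config-file form of the ssh -axF suggestion earlier in the thread) and --dry-run as the default. The key path, config path, directories and host name are hypothetical.

```sh
#!/bin/sh
# Added example: unattended rsync-over-SSH job for cron (not from the thread).
# Key file, config file, paths and host below are hypothetical placeholders.
KEY=${KEY:-$HOME/.ssh/id_rsa_sync}      # dedicated key, used for nothing else
CONF=${CONF:-$HOME/.ssh/sync_config}    # private config file passed to ssh -F
SRC=${SRC:-$HOME/pan/}
DEST=${DEST:-syncuser@pc-a.example.org:pan/}
DRY_RUN=${DRY_RUN:-1}                   # leave at 1 until the dry run looks right

# Succeed only if the key exists and nobody but its owner can access it.
key_is_private() {
    case $(ls -l "$1" 2>/dev/null | cut -c1-10) in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Settings for a job with no terminal: fail instead of prompting, offer only
# the dedicated key, forward nothing (the config-file form of ssh -a -x).
write_ssh_config() {    # $1 = config path, $2 = key path
    ( umask 077
      rm -f "$1"
      cat > "$1" <<EOF
Host *
    BatchMode yes
    IdentityFile $2
    IdentitiesOnly yes
    ForwardAgent no
    ForwardX11 no
EOF
    )
}

# rsync flags; --dry-run stays on unless DRY_RUN=0 is set explicitly.
rsync_flags() {
    if [ "$DRY_RUN" = 0 ]; then echo "-az"
    else echo "-az --dry-run --itemize-changes"; fi
}

# Invoked as "script run" from cron; without the argument only functions are defined.
if [ "${1:-}" = run ]; then
    key_is_private "$KEY" || { echo "refusing: $KEY missing or not private" >&2; exit 1; }
    write_ssh_config "$CONF" "$KEY"
    # $(rsync_flags) is split into words on purpose; CONF must not contain spaces.
    rsync $(rsync_flags) -e "ssh -F $CONF" "$SRC" "$DEST"
fi
```

BatchMode makes ssh exit with an error instead of waiting for a password prompt that cron can never answer, so a broken key shows up as a failed job rather than a hung one.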