[CrackMonkey] I don't want to get off on a rant but

Monkey Master monkeymaster at crackmonkey.org
Wed Jan 3 16:28:52 PST 2001


	Long lines follow:

begin  Rick Moen Lives Three Hours from Nowhere quotation:
> I'm still a little wiped out, today.  Would you mind elaborating a
> bit on that?  Thanks.

Okay.  Well, let's say for example that you wanted to be able to run a
nightly rsync job to a backup server in another time zone.  You need
to be able to run it unattended, from cron.  You also need to run it
as root, so that you can preserve uids and suchforth.

	First step:  make an ssh key that has no passphrase.  This is
easy.  Just hit return when it asks you for a passphrase.  It'll
generate public and private keys, but the private key is the *actual
secret* used by the client.  Ordinarily the private key is something
which, when hashed somehow with the passphrase, generates the
client-side secret in s00p3r s33kr1t protected core.

	Second step:  Put the private key in someplace like
/root/.ssh/backup.hostname.identity and head on over to the remote
machine.

	Third step:  On your friendly box of the future (or past, as
the zone may be), put the identity.pub that was generated in
/root/.ssh/authorized_keys.  Also make sure that root logins are set
to nopwd rather than no.

	Fourth step: by hand, run something like
rsync -azxS -e ssh --stats --partial --delete /path/to/important/stuff/ remote-box.someplace-else.ca:/usr/local/var/backup/myass/

	Fifth step: check in the auth.log (or whatever ssh logs to) on
the Canuck box.  You'll see a line like:
23:42:29.213.321.23: UNIMPORTANT LOG MESSAGE: ssh running as root the blahblahblah "rsync --server -logDtprxSz --delete --partial .  /usr/local/var/backup/myass/"

	Sixth step: now that you have the ability to run the rsync,
you need to restrict that key to just your host and just that command.


From="reverse.lookup.mydomain.tld",command="rsync --server -logDtprxSz --delete --partial . /usr/local/var/backup/myass/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding 1024 35 321409218374093218740921865032196GARGARGRGARGRAAGRAGRAGAGRAGAGARGAGAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGRAGR9832170921856243432150643216432109584521020931576432061294360321496504321650921609214360921029810678383849283472401235948362 root at zork 

Any number of comma-separated options are allowed before a public key
in an authorized_keys file.  This lists a particularly paranoid set.
It only allows you in if you reverse lookup to
reverse.lookup.mydomain.tld, and it will ONLY run the rsync
--server... command.  No matter WHAT command you specify, it will
IGNORE it and run this rsync command.

	Seventh step:  Create a script like
/root/bin/backup-to-canuck-server and put the following in:

#!/bin/bash
# Load the passphrase-less backup key into the agent this script runs under.
ssh-add /root/.ssh/backup.hostname.identity &> /dev/null
# Same rsync as in the fourth step; ssh picks the key up from the agent.
rsync -azxS -e ssh --stats --partial --delete /path/to/important/stuff/ remote-box.someplace-else.ca:/usr/local/var/backup/myass/

then, in /etc/cron.daily/canuck-backup put:

#!/bin/sh
# Start a throwaway agent and run the backup script inside it.
/usr/bin/ssh-agent /root/bin/backup-to-canuck-server
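One thing the forced-command line above cannot do is tell you when somebody holding that key asks for something else.  Here is an added example (mine, not from the original post) of a wrapper you could point command= at instead, say command="/root/bin/rsync-only" (the path is my assumption); sshd puts whatever the client asked for in SSH_ORIGINAL_COMMAND, the wrapper runs the rsync --server line from the auth.log only on an exact match and logs the refusal otherwise.

```shell
#!/bin/sh
# Forced-command wrapper for the restricted backup key.  sshd sets
# SSH_ORIGINAL_COMMAND to the command the client requested; we run the
# real rsync server side only if it is exactly the line seen in auth.log,
# and log anything else next to sshd's own messages.
# Assumed install path: /root/bin/rsync-only (not on the original page).

ALLOWED_CMD='rsync --server -logDtprxSz --delete --partial . /usr/local/var/backup/myass/'

# Returns 0 when the requested command matches the allowed one byte for byte.
# A looser match (say, anything starting with "rsync") would let the key
# holder choose a different destination or add options of their own.
command_allowed() {
    requested="$1"
    allowed="$2"
    [ "$requested" = "$allowed" ]
}

# Log the refusal through syslog so it shows up alongside the sshd lines.
refuse() {
    logger -t rsync-only -p auth.warning \
        "refused command from ${SSH_CLIENT:-unknown}: $1"
    echo "this key only runs the backup rsync" >&2
    exit 1
}

main() {
    # An empty SSH_ORIGINAL_COMMAND means an interactive shell was requested.
    [ -n "$SSH_ORIGINAL_COMMAND" ] || refuse "(interactive shell)"
    command_allowed "$SSH_ORIGINAL_COMMAND" "$ALLOWED_CMD" \
        || refuse "$SSH_ORIGINAL_COMMAND"
    # Exact match: hand over to rsync with the fixed arguments, never the
    # client-supplied string.
    exec rsync --server -logDtprxSz --delete --partial . /usr/local/var/backup/myass/
}

# Only act as the wrapper when sshd invoked us; otherwise just define functions.
if [ -n "$SSH_CONNECTION" ]; then
    main
fi
```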

	Now, I will happily entertain any questions longer than "Huh?"

-- 
You are not entitled to your opinions.
 
	01234567 <- The amazing indent-o-meter!
        ^	    Matt McIrvin: the Nikola Tesla of tab damage.