
Is this possible?

Red Squirrel

No Lifer
I want to use a key pair to connect to another server as root, so I can do rsync or even just regular ssh. I'd rather not enable direct root logon. Is there a way I can connect as another user then su as root? I want to be able to do this programmatically. Basically I want to do automated backups as well as run remote scripts without worrying about permissions.
 
I know this can be done with sudo but how would it be done automatically?

I don't know the command off the top of my head, but let's say I want to do this:

Code:
# the key is an ssh option, so it goes through rsync's -e; rsync's own -i means --itemize-changes
rsync -e "ssh -i /keys/server.key" [rsync flags] root@server:/data/ [dest]

But instead of going straight as root, go as a user, but still run rsync as root once the authentication takes place.
 
http://maestric.com/doc/unix/ubuntu_sudo_without_password

Edit: I misread. Did you want something like:

ssh user@remoteserver sudo rsync -e "ssh -i /keys/server.key" [rsync flags] root@localserver:/data/ [dest]

(I haven't used rsync.)

I think so, as long as I don't have to do anything to that user account giving that user basically root rights, then what's the point, right?

What I was thinking of is setting up a key pair for root, and a key pair for that user. So the first key pair is used, then the second is used, or something like that. So it would be double.

Or would I be OK to just allow root logon, and use the key pair all the time? I could just have a very complicated root password and always use the key pair. If there's a way to disable password authentication then I could even do that, though that is asking for trouble if the key pair breaks for some reason if it's a remote server.
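One way to do what the last few posts circle around, a key for an unprivileged account plus sudo restricted to rsync, with password logins and root logins switched off as asked. This is an added example, not code from the thread; the account name backup, the key path, the host name and the directories are assumptions.

```shell
# Added example (not from the thread): pull a backup as root on the remote
# server without enabling root SSH login. The account name, key path, host
# name and paths are assumptions; adjust them for your own servers.
BACKUP_USER="backup"                 # unprivileged account on the remote server
KEY_FILE="/keys/server.key"          # private key kept only on the backup host
REMOTE="server.example.org"          # server being backed up
SRC="/data/"
DEST="/srv/backups/server/"

# 1. /etc/sudoers.d/backup-rsync on the remote server: the backup account may
#    run only rsync as root, with no password so cron needs no tty. If the
#    distro's sudoers has "Defaults requiretty", exempt this user from it.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: /usr/bin/rsync\n' "$BACKUP_USER"
}

# 2. ~backup/.ssh/authorized_keys on the remote server: the key works only
#    from the backup host's address and gets no pty or forwarding.
#    $1 = public key text, $2 = address the backup host connects from.
authorized_key_line() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# 3. /etc/ssh/sshd_config on the remote server: keys only, no root login at
#    all, and only the accounts that need SSH (add your own admin account to
#    the AllowUsers list or you lock yourself out).
sshd_settings() {
    printf 'PasswordAuthentication no\nPermitRootLogin no\nAllowUsers %s\n' "$BACKUP_USER"
}

# 4. The rsync the backup host runs from cron: log in as the unprivileged
#    user with the key, then start the remote rsync through sudo.
rsync_cmd() {
    printf 'rsync -a --delete -e "ssh -i %s -l %s -o BatchMode=yes" --rsync-path="sudo rsync" %s:%s %s' \
        "$KEY_FILE" "$BACKUP_USER" "$REMOTE" "$SRC" "$DEST"
}

# Caveat: rsync as root can read or write any file, so this limits who may
# become root and how (this key, rsync only), not what rsync touches.
pull_backup() {
    sh -c "$(rsync_cmd)"
}
```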
 
Wouldn't this work better in reverse? Your server runs scripts as root that ssh/rsync out to move the files off to their backup location?
 
> I think so, as long as I don't have to do anything to that user account giving that user basically root rights, then what's the point, right?
>
> *snip*
>
> Or would I be OK to just allow root logon, and use the key pair all the time? I could just have a very complicated root password and always use the key pair. If there's a way to disable password authentication then I could even do that, though that is asking for trouble if the key pair breaks for some reason if it's a remote server.

How many times are you going to ask questions about ssh and other basic Linux programs and concepts before you read the documentation yourself? *IF* there's a way to disable password authentication? A decently written ssh howto would have walked you through that already... and reading the man pages or the config file would have as well.

Or, hell, you could search for ssh here on the forums and find a howto:
http://forums.anandtech.com/search.php?searchid=70764
http://forums.anandtech.com/showthread.php?t=84640&highlight=ssh
 
> How many times are you going to ask questions about ssh and other basic Linux programs and concepts before you read the documentation yourself? *IF* there's a way to disable password authentication? A decently written ssh howto would have walked you through that already... and reading the man pages or the config file would have as well.
>
> Or, hell, you could search for ssh here on the forums and find a howto:
> http://forums.anandtech.com/search.php?searchid=70764
> http://forums.anandtech.com/showthread.php?t=84640&highlight=ssh

Most Linux documentation is very cryptic and usually does a poor job at showing something.
 
> Wouldn't this work better in reverse? Your server runs scripts as root that ssh/rsync out to move the files off to their backup location?

Guess that's an option too; I could just have a central backup server/user to store the files. Normally I like to pull and not push, but for the program I'm writing it won't really matter as much.
 
RS, here's a simple solution for your problem. Create a central backup server and create a filesystem for it, something like /backup, and share this via NFS to your client servers. Be sure to lock down the mounting capabilities within /etc/exports. On the client, mount the NFS filesystem via /etc/fstab so it will persist across reboots, and set up a cronjob that runs as root to run a shell script containing your rsync commands to sync the target directory to the NFS mount. Then simply back up the central server in any number of ways.

Within /backup you can have any number of directories that are named after each server's hostname, and when you mount them on the client side, you can bind to a specific folder, i.e. /backup/yourhost1.

This alleviates the need to make a new connection to the server each time and eliminates security risks involved with allowing root login. Your idea is convoluted and you're making it more complicated than it needs to be, in my opinion.
 
> RS, here's a simple solution for your problem. Create a central backup server and create a filesystem for it, something like /backup, and share this via NFS to your client servers. Be sure to lock down the mounting capabilities within /etc/exports. On the client, mount the NFS filesystem via /etc/fstab so it will persist across reboots, and set up a cronjob that runs as root to run a shell script containing your rsync commands to sync the target directory to the NFS mount. Then simply back up the central server in any number of ways.
>
> Within /backup you can have any number of directories that are named after each server's hostname, and when you mount them on the client side, you can bind to a specific folder, i.e. /backup/yourhost1.
>
> This alleviates the need to make a new connection to the server each time and eliminates security risks involved with allowing root login. Your idea is convoluted and you're making it more complicated than it needs to be, in my opinion.


That could work too, but how do I set up the auto authentication for the auto mounting of the NFS shares, and will this sitting idle eat up bandwidth? One of the servers to be backed up is actually remote (online).
 
> That could work too, but how do I set up the auto authentication for the auto mounting of the NFS shares, and will this sitting idle eat up bandwidth? One of the servers to be backed up is actually remote (online).

Authentication is done at access time with NFS just like with any local filesystem. You don't actually log into the server like you do with SMB/CIFS. So you'll also have to tell the NFS server not to "squash" root requests if you want your backup scripts to run as root.
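The two NFS points above, locking down who may mount in /etc/exports and leaving root unsquashed for the backup clients, only fit together if no_root_squash is granted to a single client address; here is an added check (not from the thread) that reads an exports file and reports every export where that is not the case. The sample exports file is constructed.

```shell
# Added example (not from the thread): audit /etc/exports for the risky
# combination the NFS advice above warns about, no_root_squash handed to a
# wildcard, a whole subnet or everyone instead of to one client address.
# The export file below is constructed sample data.
SAMPLE_EXPORTS='# one directory per client, each pinned to that client
/backup/web1   10.0.0.11(rw,sync,no_subtree_check,no_root_squash)
/backup/db1    10.0.0.12(rw,sync,no_subtree_check,no_root_squash)
/backup/old    *(rw,no_root_squash)
/backup/lab    10.0.0.0/24(rw,no_root_squash)
/backup/dmz    *.dmz.example.org(rw,no_root_squash)
/pub           *(ro,sync)'

# Read export lines on stdin and print "<path> <client spec>" for every entry
# that keeps root unsquashed while matching more than a single host. An empty
# host part, as in "/srv (rw)", means everyone and is flagged too.
find_unsquashed_wildcards() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, "[(]")
                host = parts[1]
                opts = (n > 1) ? parts[2] : ""
                broad = (host == "" || index(host, "*") || index(host, "?") || index(host, "/"))
                if (opts ~ /no_root_squash/ && broad) print $1, $i
            }
        }'
}

# Convenience wrapper: audit the live file, or the path given as $1.
audit_exports_file() {
    find_unsquashed_wildcards < "${1:-/etc/exports}"
}
```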
 
> Authentication is done at access time with NFS just like with any local filesystem. You don't actually log into the server like you do with SMB/CIFS. So you'll also have to tell the NFS server not to "squash" root requests if you want your backup scripts to run as root.

Yep, exactly.

RS feel free to PM me if you need help.

No to your question about eating up bandwidth also.
 

I'm coding an actual backup application, not trying to use one. My app will use rsync and possibly other similar tools, and manage them with a GUI interface.

I'm leaning towards just sticking to keeping root access open, and just have brute force detection. IMO this should have been made a standard feature in SSH. I'll use fail2ban and can probably even make my app manage that too. Basically when done this app will manage pretty much every basic operation of a server. I will keep adding on over time.

Just figured I might be able to add more security to the process, but it seems more complex than I thought.
 
Can you explain this differently? I don't know why you'd bother with a GUI interface and why you're resistant to pushing rather than pulling. Is this for an end-user who doesn't know how to use computers perhaps? I'm not trying to be obtuse but it seems like you're reinventing the wheel based on the description and it really doesn't have to be that complex.
 
> Can you explain this differently? I don't know why you'd bother with a GUI interface and why you're resistant to pushing rather than pulling. Is this for an end-user who doesn't know how to use computers perhaps? I'm not trying to be obtuse but it seems like you're reinventing the wheel based on the description and it really doesn't have to be that complex.

Basically it's an app that I'm hoping to make very user friendly and easy to use. Eventually it will be set up as a clustered environment, so say you deploy a new server, all you need to do is "push" the app to it and it would automate everything. Backups would happen between servers, so some would push, some would pull, and it also has to consider that some servers could be behind firewalls etc... so there would be all sorts of options to decide how the backups take place.

In most cases it would probably be set up as a pull server, but I still want to be able to push.
 