help-gnu-utils

Re: Remote backup using GNU tar doesn't work


From: Colin S. Miller
Subject: Re: Remote backup using GNU tar doesn't work
Date: Tue, 11 Apr 2006 20:43:27 +0100
User-agent: Debian Thunderbird 1.0.2 (X11/20051002)

Saurabh Barve wrote:
> Colin S. Miller wrote:
>
>> It looks like you have set up a ssh keypair (ssh-keygen).
>> If you set the key's password to the empty string,
>> you won't be prompted for a password.
>
> Yes. That is correct; that is what I have done. I think the empty passphrase is too much of a risk.
>
>> If this is too much for a security risk, you can set up a
>> 'tar' user on the remote machine, and use sudo to run tar.
>> You then set up a passwordless keypair for the 'tar' user.
>
> Hmmm. I'll try doing that. Is there more documentation on this somewhere? I want to be able to back up all my file systems. A normal user won't have all the permissions on them. Plus, how could I prevent this account from being exploited due to its passwordless nature?
>
> Thanks,
> Saurabh

Saurabh,

First of all, is the prompted password for
1) the outer ssh, into machine B
or
2) the ssh session tar creates to access the tape on machine A?

In the case of (1), sudo is probably the way to proceed.
Try
    man 8 sudo
and
    man 5 sudoers



In the case of (2), create a new account on machine 'A', called 'tape'.
Make it a member of the 'tape' group, and add full
control of /dev/nst0 to this group.

tar should be able to use the group by using
    tar -b 512 --rsh-command=/usr/bin/ssh -tvf tape@System A:/dev/nst0



As for ssh security, the key password is used to protect the key;
unless someone gets hold of the key they can't log in by using the key's
password.
I can't see any way in man 5 ssh_config to restrict the command that ssh runs
when the user logs in.


HTH,
Colin S. Miller




--
Replace the obvious in my email address with the first three letters of the 
hostname to reply.
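
On the question of limiting what a passwordless key can do: on the server side, an OpenSSH `authorized_keys` entry can carry the `restrict` and `command="..."` options (see sshd(8)), which pin a key to one program. The wrapper below is an added example, not part of the original message; the install path, the rmt location and the accepted rmt names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: forced-command wrapper for the
# unprivileged 'tape' account on machine A.
#
# Assumed install path: /usr/local/bin/tape-only
# Assumed authorized_keys entry for the passwordless key (key is a placeholder):
#   restrict,command="/usr/local/bin/tape-only" ssh-ed25519 <PUBLIC-KEY> backup@machineB
#
# sshd runs this script instead of whatever the client asked for and puts the
# client's request in SSH_ORIGINAL_COMMAND. GNU tar asks the remote side to
# run its rmt helper, so that is the only request accepted.

RMT=/usr/sbin/rmt                       # assumed rmt location on machine A
ALLOWED="/usr/sbin/rmt /etc/rmt rmt"    # assumed spellings tar may send

# is_allowed REQUEST: succeed only if REQUEST is exactly one allowed name.
is_allowed() {
    case "$1" in
        ""|*[!A-Za-z0-9/_.-]*) return 1 ;;   # empty, spaces, arguments, metacharacters
    esac
    for name in $ALLOWED; do
        if [ "$1" = "$name" ]; then
            return 0
        fi
    done
    return 1
}

main() {
    if is_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec "$RMT"                     # fixed binary, never the client's string
    fi
    logger -t tape-only -p auth.warning "refused: ${SSH_ORIGINAL_COMMAND:-<interactive>}"
    echo "tape-only: request refused" >&2
    exit 1
}

# Act only when installed under its real name, so the file can be sourced
# or tested without side effects.
if [ "${0##*/}" = "tape-only" ]; then
    main
fi
```

With this in place, a copy of the passwordless key gives access to the tape device through rmt and nothing else: no shell, no port forwarding, no other commands.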

