Linux secure offsite file copy

ViolentFlatulence
Posted on 16-02-2013 22:23
Guest Posts: 3 Joined: 11.11.2012

This topic came up as a result of the ET server crash without a backup of the config. I use a similar script to the one outlined below to back up my email/web/proxy settings to another Linux computer. If anyone cares I could introduce the command to use openssl to encrypt the file prior to copying. Then you don't even need to trust the person you are giving the file to. You just have to trust you can get a copy of it if needed!

How to set up a script environment between two Linux systems

CLIENT:

    root@handyhost:/root# ssh-keygen -b 1024 -t rsa -C comment

You will be asked for the filename (I use script_id_rsa). You will also be asked for a passphrase. Just hit enter the 2 times you are asked for it.

Example:

    root@server /root/.ssh ssh-keygen -b 1024 -t rsa -C COMPUTERNAME
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): script_id_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in script_id_rsa.
    Your public key has been saved in script_id_rsa.pub.
    The key fingerprint is:
    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx COMPUTERNAME
    root@server /root/.ssh ls
    authorized_keys known_hosts script_id_rsa script_id_rsa.pub

It is worth noting that if you have run ssh before and connected to the other system successfully, the directory "/$home/.ssh" will already exist. If you want to make sure it is created in the correct place, just run ssh username@hostname and connect successfully before you run the ssh-keygen command.

SERVER:

Copy the .pub version of the file that was created earlier on the client to the server's /.ssh/ directory. You will then want to append the file to /$home/.ssh/authorized_keys on the server:

    cat script_id_rsa.pub >>/$home/.ssh/authorized_keys

Notice the 2 >> above!

To use the setup:

On the client perform the following:

    root@handyhost:/root# scp -i /root/.ssh/script_id_rsa original_file user@remote:/path/to/destination

If things are set up right, the copy will occur without being asked for a password.

The contents of the config_backup.sh script are something like:

    #!/bin/sh
    # Timestamped archive name, e.g. debian_emailweb20130216222300.tar.gz
    export DATEFILE='%Y%m%d%H%M%S'
    export MYFILE=debian_emailweb$(date +$DATEFILE).tar.gz
    # Archive is written to the current directory; the scp line below
    # reads it from /root, so the script assumes it is run from /root
    tar zcvf $MYFILE /root/bin/* /etc/postfix/* /etc/apache2/* /etc/dansguardian/*.conf /etc/squid/*.conf
    # Copy offsite using the passphrase-less script key
    scp -i /root/.ssh/script_id_rsa /root/$MYFILE behandy@behandy.com:/config_backup/debian-squid-dg/$MYFILE
    # Remove the local copy
    rm -f $MYFILE

The scp command does the actual copy without asking for a password.

Much of this material was taken from "Linux Server Security" O'Reilly Pg 134.

"Whether they ever find life there or not, I think Jupiter should be considered an enemy planet."
DEEP THOUGHTS - by Jack Handy

denny
Posted on 19-08-2013 23:51
Newbie Posts: 12 Joined: 19.08.2013

Well, nice one, but... just a few notes. I recommend using the ssh-copy-id script for copying the pubkey; it works just fine, and even sets permissions afaik. Another thing: it would be great to disable password login for users (PasswordAuthentication no in /etc/ssh/sshd_config), just to be secure against password guessing. And use proper quotes in scripts, it's good practice... for example rm -f $MYFILE won't work correctly when $MYFILE has a space somewhere in the middle, but rm "$MYFILE" will.
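
Added example, not written by either poster: the config_backup.sh from the first post reworked with the quoting advice from the reply, an owner-only archive, and an exit status that reflects a failed tar or copy. The function name backup_configs and the COPY_CMD variable are assumptions made for this sketch; the key path and destination are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the backup script with quoted
# expansions and explicit failure handling. Names here are assumptions.
set -eu

# Transfer command; word-split on purpose so it can carry options.
# The default mirrors the scp invocation from the first post.
: "${COPY_CMD:=scp -i /root/.ssh/script_id_rsa}"

# backup_configs PREFIX DEST SOURCE...
# Archives SOURCE... into a private temp dir, sends the archive to DEST,
# removes the local copy either way, and returns non-zero on any failure.
backup_configs() {
    prefix=$1; dest=$2; shift 2
    stamp=$(date +%Y%m%d%H%M%S)
    workdir=$(mktemp -d) || return 1
    archive="$workdir/${prefix}${stamp}.tar.gz"
    rc=0
    # umask 077: the archive holds server configs, keep it owner-only.
    ( umask 077; tar -czf "$archive" "$@" ) || rc=$?
    if [ "$rc" -eq 0 ]; then
        $COPY_CMD "$archive" "$dest/" || rc=$?
    fi
    rm -rf -- "$workdir"
    return "$rc"
}

# Invocation matching the first post (run as root, e.g. from cron):
# backup_configs debian_emailweb \
#     behandy@behandy.com:/config_backup/debian-squid-dg \
#     /root/bin/* /etc/postfix/* /etc/apache2/* \
#     /etc/dansguardian/*.conf /etc/squid/*.conf
```

Because the function returns the tar or copy status, a failed transfer makes the cron job exit non-zero instead of silently deleting the only copy.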