Comments on: keychain: Set Up Secure Passwordless SSH Access For Backup Scripts

By: milan

milan — Fri, 11 Feb 2011 05:43:33 +0000

good post .i was wondering,what if i lost password in this case.

By: Halil

Halil — Fri, 14 Jan 2011 20:25:21 +0000

I still receive :
Error:Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(454) [sender=2.6.9]

By: Philip Hands

Philip Hands — Tue, 19 Oct 2010 05:22:04 +0000

An alternative approach is to lock down passphraseless keys so they do exactly and only what they need, so that an attacker doesn't actually get anything useful even if they do manage to steal the key. The thing about needing to be an uber-hacker to get at the keys in memory is a resort to security through obscurity, which will encourage sloppy thinking about the real issue, which is that you in effect have passwordless keys on the system, so you should make sure that those keys only get to do what you want and nothing more. As shown in the above link, it's possible to lock it down to the point that the keys only open up the tiny crack of read-only access from the right IP address, so an attacker really gets nothing from having such keys. I seriously doubt anyone using this keychain approach will bother with the command= bit in their authorised_keys file, which means that they're giving an attacker much more if there is a break-in. Oh, and you should be setting PermitRootLogin to without-password, or no (rather than yes)

By: nigg belamps

nigg belamps — Fri, 15 Oct 2010 14:06:24 +0000

hahaha root@pee … thats hot

By: Neil Jensen

Neil Jensen — Wed, 30 Sep 2009 04:43:23 +0000

Hi, I have been trying to get rsnapshot to run with keychain under cron for root when logged out.

For me adding
source /root/.keychain/-sh
to cmd_preexec in the rsnapshot.conf did not work
What has finally worked for me which works remotely and locally is:
under cron run a command pointing to shell scripts for hourly daily weekly and monthly rsnapshots

my script is for hourly backups is hourly.sh
#!/bin/bash
ENV=/root/.bashrc
source /root/.keychain/-sh
rsnapshot hourly

the reason why this was needed is because cron for ssh doesn’t enter a shell to perform it’s function, so before rsnapshot begins you must point the process into a shell or you get an annoying and failing error 255 stating rsync couldn’t ssh(or something like that). Then just re comment the cmd_preexec line in the rsnapshot.conf

By: Heikki Orsila

Heikki Orsila — Sun, 26 Jul 2009 16:47:58 +0000

ssh-copy-id command is an easier way to copy your public key to a server:

ssh-copy-id -i ~/.ssh/id_dsa.pub user@host

By: Lexsys

Lexsys — Fri, 19 Jun 2009 08:11:21 +0000

I have a problem with my rsnapshot configuration. If I enter your command into rsnapshot.conf file, I get an error:
ERROR: cmd_preexec source /home/lexsys/.keychain/dev-server-sh - "source" is not executable or can't be found. Please use an absolute path.

I created an executable 1.sh, placed the command into this file and write in rsnapshot.conf:
cmd_preexec /root/1.sh

Everything works fine.

By: Ulver

Ulver — Mon, 08 Jun 2009 13:11:31 +0000

another interesting way to protect ssh, is chroot them, but it depends of the particulary needs of each one

By: Colin

Colin — Sat, 06 Jun 2009 22:20:56 +0000

I think I found a typo.
“OpenSSH sshd server offers two additional option to protect abuse of keys. First, make sure root login disabled (PermitRootLogin yes).”