RSYNC: How to give SSH password over multiple calls - Mandriva



  1. RSYNC: How to give SSH password over multiple calls

    When using rsync (+ ssh) from client to server on a LAN, one has to
    enter a password for user@server.

    When several such rsync calls are being made, it gets tedious having
    to enter the same password over and over again.

    Although 'man rsync' does mention a password facility, it does not
    seem to apply to the rsync use of ssh.

    Anyone know of a neat way of avoiding the tedium?

    --
    /\/\aurice
    Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
    KDE 3.5.7 Virtualbox 1.5.6
    (Remove 'removethis.' to reply by email)

  2. Re: RSYNC: How to give SSH password over multiple calls

    Maurice Batey writes:

    >When using rsync (+ ssh) from client to server on a LAN, one has to
    >enter a password for user@server.


    Why not use passwordless (asymmetric key) login?
    cd .ssh
    ls id_rsa*
    ls id_dsa*
    Then copy the content of id_{rsa,dsa}.pub to the .ssh/authorized_hosts
    on the server.

    >When several such rsync calls are being made, it gets tedious having
    >to enter the same password over and over again.


    >Although 'man rsync' does mention a password facility, it does not
    >seem to apply to the rsync use of ssh.


    >Anyone know of a neat way of avoiding the tedium?


    >--
    >/\/\aurice
    > Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
    > KDE 3.5.7 Virtualbox 1.5.6
    >(Remove 'removethis.' to reply by email)


  3. Re: RSYNC: How to give SSH password over multiple calls

    On Sat, 23 Aug 2008 17:08:16 +0000, Unruh wrote:

    > cd .ssh
    > ls id_rsa*
    > ls id_dsa*


    Did this on laptop (same result on desktop):

    [mab@desktop ~]$ cd .ssh
    [mab@desktop .ssh]$ ls id_rsa*
    ls: cannot access id_rsa*: No such file or directory
    [mab@desktop .ssh]$ ls id_dsa*
    ls: cannot access id_dsa*: No such file or directory
    [mab@desktop .ssh]$ ls
    known_hosts
    [mab@desktop .ssh]$

    So only file in .ssh is known_hosts!

    --
    /\/\aurice
    (Remove 'removethis.' to reply by email)

  4. Re: RSYNC: How to give SSH password over multiple calls

    On Sat, 23 Aug 2008 17:46:48 +0000 (UTC), Maurice Batey wrote:
    > [mab@desktop ~]$ cd .ssh
    > [mab@desktop .ssh]$ ls id_rsa*


    In a nutshell, you need to run ssh-keygen and ssh-copy-id.


    Here is a quick dump from my hardcopy brain book from comments found
    lurking in newsgroups, and a little bit of googling.

    $ uh ssh
    ssh01 mkdir ~/.ssh
    ssh02 cd ~/.ssh
    ssh03 chmod 700 .
    ssh04 chmod 600 *
    ssh05 ssh-keygen -t rsa/dsa to generate passphrase key which will be stored in
    ssh06 the ~/.ssh/id_* files. All RSA/DSA keys listed in file will
    ssh07 be able to log in as you after completing RSA authentication.
    ssh08 If you are doing this for auto login via ssh, do not supply a password.
    ssh09 ssh-copy-id -i of your ~/.ssh/id_*.pub whoever@target.node
    ssh11 Repeat this process for every ID on every machine you wish to
    ssh12 use your *SA key for. For instance, if you wanted to log in as
    ssh13 "sysadmin" on the system "remotehost", you would copy the data from
    ssh14 your identity.pub file into the ~/.ssh/authorized_keys file on
    ssh15 "remotehost".
    ssh16 Always set protection tight
    ssh17 cd ~/.ssh
    ssh18 chmod 700 .
    ssh19 chmod 600 *
    ssh50 Adding to ssh
    ssh51 obiwan@sshclient:~$ ssh-keygen -t dsa
    ssh52 obiwan@sshclient:~$ ssh-copy-id -i ~/.ssh/id_dsa.pub root@$(hostname)
    ssh53 obiwan@sshclient:~$ ssh root@$(hostname)


  5. Re: RSYNC: How to give SSH password over multiple calls

    On Sat, 23 Aug 2008 15:07:47 +0000 (UTC),
    Maurice Batey wrote:

    > When using rsync (+ ssh) from client to server on a LAN, one has to
    > enter a password for user@server.
    >
    > When several such rsync calls are being made, it gets tedious having
    > to enter the same password over and over again.
    >
    > Although 'man rsync' does mention a password facility, it does not
    > seem to apply to the rsync use of ssh.
    >
    > Anyone know of a neat way of avoiding the tedium?


    You want to set up passwordless SSH authentication with keys, as Unruh
    has suggested. Another useful feature of SSH that's worth knowing about,
    one that lets you preset just about every other command-line SSH option
    except passwords on a per-target basis, is your ~/.ssh/config file.

    For example, let's say that you run sshd on a non-standard port on the
    target machine (as I do, because the box in question is the one system
    on the LAN which accepts connections from the outside world, and doing
    that basically eliminates the script kiddies' attempts to brute-force
    guess their way in, and the accompanying clutter in the log files), and
    let's further postulate that the usernames on the two boxes differ.

    So, every time you connect to it now, it's with a line like this one:

    ssh -p 10022 userthere@servername

    And an rsync to/from it would currently require this unwieldy line:

    rsync -e "ssh -p 10022" userthere@servername:path

    Here's what I'd put in ~/.ssh/config on the originating system:

    Host nick
    Hostname servername
    Port 10022
    User userthere

    Now, all you'd have to type to connect to that system is:

    ssh nick

    And to rsync to/from it, it'd now be just:

    rsync nick:path

    To learn all the possible settings for this file, "man ssh_config".

    The file is employed by scp also, as well as by rsync when it's using
    SSH. In combination with use of RSA or DSA keys, a good ~/.ssh/config
    file makes use of SSH about as effortless as it can be made, IMHO. An
    important caveat is that when you create the file, it must be made
    unwritable for "other" in order for it to work (setting permissions on
    it with "chmod 600 ~/.ssh/config" works nicely, as does 660).

    HTH!

    --
    Bill Mullen
    RLU #270075



  6. Re: RSYNC: How to give SSH password over multiple calls

    Maurice Batey writes:

    >On Sat, 23 Aug 2008 17:08:16 +0000, Unruh wrote:


    >> cd .ssh
    >> ls id_rsa*
    >> ls id_dsa*


    >Did this on laptop (same result on desktop):


    >[mab@desktop ~]$ cd .ssh
    >[mab@desktop .ssh]$ ls id_rsa*
    >ls: cannot access id_rsa*: No such file or directory
    >[mab@desktop .ssh]$ ls id_dsa*
    >ls: cannot access id_dsa*: No such file or directory
    >[mab@desktop .ssh]$ ls
    >known_hosts
    >[mab@desktop .ssh]$


    >So only file in .ssh is known_hosts!


    OK, you have never created a key for yourself.
    ssh-keygen -t rsa
    You can give a passphrase which will protect your id_rsa file so if someone
    breaks in they cannot find your private key. But you have to use something
    like ssh-askpass to remember that passphrase if you do not want to enter it
    every time. (Note: this passphrase is not the same as the ssh key but is a
    passphrase to protect your local ssh key.)

    Or you can decide to have no passphrase protecting this private key file,
    in which case if someone breaks in and copies your id_rsa file they can
    mimic you and can in principle read any ssh traffic into your machine.

    On the other hand you do not need anything then.





    >--
    >/\/\aurice
    >(Remove 'removethis.' to reply by email)


  7. Re: RSYNC: How to give SSH password over multiple calls

    On Sat, 23 Aug 2008 17:08:16 +0000, Unruh wrote:

    > copy the content of id_{rsa,dsa}.pub to the .ssh/authorized_hosts
    > on the server.


    OK, did the ssh-keygen (without - for the time being -
    defining a passphrase), and now have id_rsa and id_rsa.pub
    - but no id_dsa file.

    Questions:

    (1) ssh-keygen finished by saying I now have a (long!)
    'key fingerprint'. What is that for?!

    (2) On the server (desktop) the only .ssh directory is in
    /home/mab, and it has no authorized_hosts file.
    Is that the right directory (i.e. not in root), in which
    case is it simply a matter of creating that file in that
    .ssh directory?

    (3) Nowhere has the process asked for the password of
    mab@serv that I have been having to enter at each ssh or
    rsync call. How does the new setup replace the need for
    that?

    --
    /\/\aurice
    (Remove "removethis." to reply by email...)


  8. Re: RSYNC: How to give SSH password over multiple calls

    On Sun, 24 Aug 2008 15:46:07 +0100,
    Maurice Batey wrote:

    > On Sat, 23 Aug 2008 17:08:16 +0000, Unruh wrote:
    >
    > OK, did the ssh-keygen (without - for the time being -
    > defining a passphrase), and now have id_rsa and id_rsa.pub
    > - but no id_dsa file.


    You only need one or the other type of key (RSA or DSA). The only
    difference is the algorithm used to create them.

    > Questions:
    >
    > (1) ssh-keygen finished by saying I now have a (long!)
    > 'key fingerprint'. What is that for?!


    For your purposes, nothing at all but extraneous information.

    > (2) On the server (desktop) the only .ssh directory is in
    > /home/mab, and it has no authorized_hosts file.
    > Is that the right directory (i.e. not in root), in which
    > case is it simply a matter of creating that file in that
    > .ssh directory?


    The "ssh-copy-id" command will do that for you. Run:

    ssh-copy-id -i id_rsa.pub mab@serv

    Give the mab@serv password when asked, and that'll be the last time
    you'll need to do that (and the file that will be created there is
    called ".ssh/authorized_keys", not ".ssh/authorized_hosts").

    > (3) Nowhere has the process asked for the password of
    > mab@serv that I have been having to enter at each ssh or
    > rsync call. How does the new setup replace the need for
    > that?


    By comparing the private key inside your source system's .ssh/ folder
    (id_rsa) with the public key within the target's authorized_keys file
    (id_rsa.pub from the source). If they correspond, you get in. You will
    continue to get in even if you change the user's password on the target
    system, because you're no longer using passwords for SSH, just keys.

    HTH!

    --
    Bill Mullen
    RLU #270075



  9. Re: RSYNC: How to give SSH password over multiple calls

    Maurice Batey writes:

    >On Sat, 23 Aug 2008 17:08:16 +0000, Unruh wrote:


    >> copy the content of id_{rsa,dsa}.pub to the .ssh/authorized_hosts
    >> on the server.


    >OK, did the ssh-keygen (without - for the time being -
    >defining a passphrase), and now have id_rsa and id_rsa.pub
    >- but no id_dsa file.


    That is because you told it (-t rsa) to generate an rsa file. That is
    fine, you need only one or the other, not both.


    >Questions:


    > (1) ssh-keygen finished by saying I now have a (long!)
    > 'key fingerprint'. What is that for?!


    It is a way of identifying your key: a name for it which is much shorter
    than the key itself. Do not worry about it.


    > (2) On the server (desktop) the only .ssh directory is in
    >/home/mab, and it has no authorized_hosts file.


    Make one. You want a .ssh directory (permissions 700) and an
    authorized_hosts file in that directory for whatever user you want to log
    in as.

    > Is that the right directory (i.e. not in root), in which
    >case is it simply a matter of creating that file in that
    >.ssh directory?


    I do not know. Is the user mab the one that you want to ssh into? Make it
    for whatever user you want to use.


    > (3) Nowhere has the process asked for the password of
    >mab@serv that I have been having to enter at each ssh or
    >rsync call. How does the new setup replace the need for
    >that?


    The new setup replaces that with those key files. Your machine asks the
    remote machine "do you have an authentication for me?" The remote machine says:
    yes, I have an entry for the user and the machine you claim to be. It then
    uses that rsa.pub key to encrypt (using rsa) a string containing a random
    number your server sent to it. Your server then decrypts it and sees if
    that random number is the same as it sent. If it is then it knows that the
    remote machine has that public key file on it. Your server then sends to the
    remote machine another random number encrypted with the private key on your
    machine. The remote machine decrypts that using the public key and
    determines that your machine and user has the private key file
    corresponding to the public key. It thus is assured that you are the one
    allowed to log in, and allows you to log in.

    It never goes through the passwd/shadow file or the usual password system.
    Note that the security depends on keeping the private key file safe (thus
    the 600 on the directory and, if you elect to do so, the passphrase
    protection of that private key file (id_rsa) on your machine).



    >--
    >/\/\aurice
    >(Remove "removethis." to reply by email...)



  10. Re: RSYNC: How to give SSH password over multiple calls

    On Sun, 24 Aug 2008 11:34:11 -0400, Bill Mullen wrote:

    > and the file that will be created there is
    > called ".ssh/authorized_keys", not ".ssh/authorized_hosts").


    Ah - thank you for that! I had tried it with the other
    name and it didn't work.
    (I used rsync to get the id_rsa file over, then ssh'd in
    and renamed it. Have now re-renamed it.)

    Now working perfectly - great!
    Many thanks to all who helped! Much appreciated...

    P.S. I did come across a kind of tutorial on subject
    (though not as helpful as advice in here...):

    http://www.ucolick.org/~sla/ssh/sshcron.html

    --
    /\/\aurice
    (Remove "removethis." to reply by email...)


  11. Re: RSYNC: How to give SSH password over multiple calls

    On Sun, 24 Aug 2008 17:41:00 +0100,
    Maurice Batey wrote:

    > On Sun, 24 Aug 2008 11:34:11 -0400, Bill Mullen wrote:
    >
    > > and the file that will be created there is
    > > called ".ssh/authorized_keys", not ".ssh/authorized_hosts").

    >
    > Ah - thank you for that! I had tried it with the other
    > name and it didn't work.
    > (I used rsync to get the id_rsa file over, then ssh'd in
    > and renamed it. Have now re-renamed it.)


    Good. Bear in mind that should you choose to set up key-based SSH
    logins from other machines to that same username on the server (or
    from other usernames on the same source machine to that same username
    on the server), that method won't work, as it completely replaces the
    file rather than appending the latest public key to it; in the future,
    using the "ssh-copy-id" method instead will avoid that problem.

    --
    Bill Mullen
    RLU #270075
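
The append-rather-than-replace behaviour discussed in the post above, together with the 700/600 permissions advised earlier in the thread, as an added shell example that is not part of the thread and is not the ssh-copy-id source. The function name `install_pubkey`, the optional options argument and the key blobs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Key blobs below are constructed placeholders.

# install_pubkey PUBKEY_FILE SSH_DIR [OPTIONS]
#   Appends the key to SSH_DIR/authorized_keys unless it is already there.
#   OPTIONS is an optional authorized_keys option string, e.g. "no-pty".
install_pubkey() {
    pub=$1; dir=$2; opts=${3:-}
    auth=$dir/authorized_keys

    # Only the .pub file belongs on the server; refuse a private key.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 2
    fi
    # A public key line is "type base64-blob comment"; the blob identifies it.
    line=$(awk 'NF >= 2 && $1 !~ /^#/ { print; exit }' "$pub")
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    [ -n "$blob" ] || { echo "no public key in $pub" >&2; return 2; }

    # Tight permissions, as the thread advises (700 directory, 600 file).
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: a key that is already authorized is not added twice.
    if grep -qF -- "$blob" "$auth"; then return 0; fi

    # Append (>>), never overwrite (>), so other clients' keys survive.
    if [ -n "$opts" ]; then line="$opts $line"; fi
    printf '%s\n' "$line" >> "$auth"
}

# Demo on a scratch directory: two clients, one key installed twice.
demo() {
    tmp=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAconstructedLaptopKey mab@laptop' > "$tmp/laptop.pub"
    echo 'ssh-rsa AAAAconstructedOtherKey mab@other' > "$tmp/other.pub"
    install_pubkey "$tmp/laptop.pub" "$tmp/.ssh"
    install_pubkey "$tmp/other.pub" "$tmp/.ssh" 'no-pty,no-port-forwarding'
    install_pubkey "$tmp/laptop.pub" "$tmp/.ssh"     # repeat: no duplicate
    wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' '  # prints 2
    rm -rf "$tmp"
}
demo
```

The options argument is where a passphrase-less key used only for unattended rsync can be limited on the server side, which narrows what a copied private key is good for.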



  12. Re: RSYNC: How to give SSH password over multiple calls

    On Sun, 24 Aug 2008 13:41:39 -0400, Bill Mullen wrote:

    > that method won't work, as it completely replaces the file rather than
    > appending the latest public key to it; in the future, using the
    > "ssh-copy-id" method instead will avoid that problem.


    I actually did realise that, Bill, but thanks for making sure!

    --
    /\/\aurice
    http://www.maurice99.ukfsn.org
    (Remove 'removethis.' to reply by email)
