Practicality of backing up huge hard drives (was Re: [mythtv-users] Dieing Hard Drive)

Brian J. Murrell brian at interlinx.bc.ca
Tue Mar 15 15:43:47 UTC 2005


On Tue, 2005-03-15 at 10:32 -0500, Cory Papenfuss wrote:
> I would like an automated backup 
> to connect to that agent and use the key that's passphrase-protected.

There are (arguably) better ways to do this and security issues with
what you propose.

> Hope that makes sense.  It's quite possible that what I'm trying
> to do is stupid and I'd realize it if I thought all the way through it.
> All I know is if I type 'backup_script' logged in normally, I've got my
> passphrase-protected key exchange that doesn't require a password.

Right, because all processes that descend from your "ssh-agent
<command>" inherit the environment variable (SSH_AUTH_SOCK) that
describes the socket to access your ssh-agent if they need to.  Realize
that anything on the system that is running the agent (or any system you
allow agent forwarding to) can access your keys if they know this socket
and have permission to access it (i.e. root).

Because when you run the backup command in your ssh-agent-parented
shell, it has access to the agent socket, so it works.  Run it from
somewhere that is not a descendant of your agent and it does not have
access to the agent, so it does not work.

> If I 
> put it in a script, notsomuch.

Right.  As per the above.

IMHO, the right way to do this is to use the "forced command" option in
the authorized_keys file.  See the manpage for sshd under the
"AUTHORIZED_KEYS FILE FORMAT" section and create a key on the backup
server that is forced to run only one command and then use the private
portion of that key without a passphrase on your client.

b.
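The two points made above, as an added example that is not part of the original thread or of any MythTV code: first, why a backup script started outside the ssh-agent's process tree cannot use the agent (it never inherits SSH_AUTH_SOCK, and `ssh-add -l` reports that), and second, how the passphrase-less backup key is confined on the server with a forced command plus the other restriction options in authorized_keys. The wrapper path `/usr/local/bin/backup-only.sh`, the backup command `/usr/local/bin/mythtv-backup`, the client host pattern and the key text are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread. It shows (1) why a backup
# script outside the ssh-agent's process tree cannot use the agent, and
# (2) how a passphrase-less key for the backup client is confined on the
# server with a forced command in authorized_keys.
# Paths, the hostname pattern and the key text are constructed placeholders.

WRAPPER=/usr/local/bin/backup-only.sh      # assumed location of the wrapper
ALLOWED_CMD=/usr/local/bin/mythtv-backup   # assumed: the one command the key may run

# (1) Report whether this process can reach an agent. ssh-add -l exits 0 when
# the agent holds keys, 1 when it is reachable but empty, and 2 when no agent
# can be contacted (SSH_AUTH_SOCK unset, or a socket this process may not open).
# A cron job or init script inherits neither the variable nor the socket, so
# it lands in the "no-agent" case even though your login shell has keys.
agent_status() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo no-agent
        return 0
    fi
    if ssh-add -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# (2a) Build the authorized_keys entry for the backup server. The options are
# the standard sshd ones: from= restricts which client host may use the key,
# command= replaces whatever the client asked to run with $WRAPPER, and the
# no-* options drop forwarding and tty allocation the backup never needs.
#   $1 = client host pattern, $2 = public key (type and base64), $3 = comment
authorized_keys_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s\n' \
        "$1" "$WRAPPER" "$2" "$3"
}

# (2b) Decision logic of the wrapper named in command=. sshd runs the wrapper
# instead of the client's request and exposes that request as
# SSH_ORIGINAL_COMMAND; only the exact backup invocation is accepted, so the
# passphrase-less key is good for nothing but that backup.
allowed_command() {
    case "$1" in
        "$ALLOWED_CMD") return 0 ;;   # quoted pattern: literal match, no globbing
        *) return 1 ;;
    esac
}

# Entry point of the wrapper: exec the fixed command or refuse. In the
# installed wrapper the final "return 1" would be "exit 1".
run_forced_command() {
    if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        exec "$ALLOWED_CMD"
    fi
    echo "backup key: refused request '${SSH_ORIGINAL_COMMAND:-}'" >&2
    return 1
}

# Demo when executed directly: print the server-side line for a constructed
# key, then this shell's agent state.
authorized_keys_line 'client.example.invalid' 'ssh-rsa AAAAB3CONSTRUCTEDKEY' 'backup@client'
echo "agent reachable from this process: $(agent_status)"
```

Run from a login shell that started the agent, `agent_status` prints `keys`; run the same script from cron it prints `no-agent`, which is the failure described in the thread. With the generated line installed on the backup server, any connection authenticated by that key runs the wrapper, whatever command the client asked for; the options used are the ones documented in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8) that the message points at.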
