[Web4lib] Off-site backups and scripted SCP/SFTP
Keith D. Engwall
kengwall at catawba.edu
Tue Jul 25 16:49:25 EDT 2006
I've had several suggestions to use SSH, which I do see the benefit of. My question is still, though, how is authentication being handled for SSH?
The choices, to my understanding, are:
1) authenticate on the fly (no keys)
2) use keys with no password protection on the keys
3) use keys with password protection on the keys
Based on my reading, #1 is not scriptable, #2 is a security risk, and #3 is only scriptable by jumping through some hoops using ssh-agent, which requires manually authenticating the key at some point after a reboot.
Which of these three methods (or other method if I am missing any) are people using when they use SSH?
Thanks,
Keith
-----Original Message-----
From: web4lib-bounces at webjunction.org [mailto:web4lib-bounces at webjunction.org]
Sent: Tuesday, July 25, 2006 1:32 PM
Cc: Web4Lib
Subject: Re: [Web4lib] Off-site backups and scripted SCP/SFTP
I recommend going with TAR over SSH instead of SCP. TAR will actually give you an exact copy where CP/SCP doesn't play nice with symbolic links. Just pipe TAR through an SSH pipe to another TAR on the remote machine.
tar cf - /data | ssh user@backup.system.org "cd /backup; tar xvpf -"
Works like a charm.
Another popular approach is to use RSYNC.
Francis Kayiwa wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Jul 25, 2006, at 7:36 AM, Keith D. Engwall wrote:
>
>> I'm curious as to whether anyone is using commercial off-site backups
>> and if so, what service they are using.
>>
>> We've got about 5GB (mostly from our LIS), and would prefer to use
>> SFTP or SCP with keys (because of scripts).
>>
>> Also,
>> I've found some information online about setting up SSH Keys for
>> scripts, but it seems like either
>>
>> a) you have to not password protect the key
>>
>> or
>>
>> b) you have to manually enter the password after a reboot of the
>> computer (using ssh-agent or similar solution)
>>
>> I'm trying to find a third, in between method... where the password
>> is stored somewhere obscure. Obviously this is still a security
>> risk, but it's at least less of one than using cleartext ftp with the
>> username and password in the script.
>>
>> Any ideas?
>
> Why not use SSH instead of SFTP/SCP?
>
> SSH will pass STDIN through the encrypted session to STDOUT on the
> remote end. This takes care of it no? Also, forced commands permit
> immediate command execution method through normal shell notation
>
> To specify a forced command to a system using OpenSSH, one prepends
> 'command="some command" to the beginning of the line containing the
> public key. Other SSH servers may use different syntax. Consult your
> documentation on the correct format, or start using OpenSSH :-)
>
> I would probably use dd for something like this. Mostly to protect the
> user from overwriting the public keys.
>
> command="/usr/bin/dd of=/path/to/file"
>
> This assuming you are using "put" (to borrow from FTP parlance)
>
> otherwise
>
> command="dd if=/file/to/send" for "get."
>
> All the above would be the modification at the "server" end.
>
> On the client end
>
> "cat file | ssh remotehost"
>
> or on Windows using putty
>
> "type file | plink remotehost"
>
> Depending on if the outside datacenter accepts SSH connections you may
> need a "Man in the Middle" host but we would be getting way ahead of
> ourselves. :-)
>
> regards,
> ./fxk
>
> ===============
> Francis Kayiwa
> Library Systems Team
> 4-180, MC 234
> T: +1.312.996.2716
> W: http://www.uic.edu/~kayiwa
> Key: http://tigger.uic.edu/~kayiwa/kayiwa.gpg
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
>
> iD8DBQFExjfkN+YGKSXdLhkRAjLZAJ0ePy1g2fXzMONXPyH9yG94z8iUiwCeKutj
> UYUxhnRlo7jCXHrWDZhAvpg=
> =NoLv
> -----END PGP SIGNATURE-----
> _______________________________________________
> Web4lib mailing list
> Web4lib at webjunction.org
> http://lists.webjunction.org/web4lib/
--
Joerg Messer
Programmer/Analyst
University of British Columbia Library
2206 East Mall, Vancouver, BC, Canada, V6T 1Z3
t. 1.604.822.5091 f. 1.604.822.3201 e. joerg.messer at ubc.ca
_______________________________________________
Web4lib mailing list
Web4lib at webjunction.org
http://lists.webjunction.org/web4lib/
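Following up on Keith's three options and on the forced-command approach in Francis's quoted reply, here is an added shell example that is not from any poster in this thread. It shows the usual way of making option #2 (a key with no passphrase) acceptable for an unattended backup job: the server-side authorized_keys entry pins the key to a single command and disables pty and forwarding, so a stolen key can only feed data into the backup file. It also includes a small audit that lists keys in an authorized_keys file that lack a forced command. The sample public key, the function names and the /backup/site.tar path are constructed for illustration; the command=, no-pty, no-port-forwarding, no-agent-forwarding and no-X11-forwarding options are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict an unattended
# backup key with an OpenSSH forced command, and audit authorized_keys
# for backup keys that are missing that restriction.

# Constructed placeholder public key for illustration only; not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERconstructedNotARealKey0000000000 backup@client'

# build_restricted_entry KEYLINE COMMAND
# Prints an authorized_keys line that forces COMMAND for this key and
# turns off pty allocation and port/agent/X11 forwarding, so the key can
# do nothing except run COMMAND with the client's stdin attached.
build_restricted_entry() {
    key=$1
    cmd=$2
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$cmd" "$key"
}

# audit_authorized_keys FILE
# Prints the comment field (last whitespace-separated field) of every
# key line that carries no command= option. Returns 1 if any such key
# was found, 0 if every key is restricted. Blank lines and comments are skipped.
audit_authorized_keys() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)        continue ;;   # blank line or comment
            *'command="'*)  continue ;;   # forced command present
        esac
        comment=${line##* }               # last field is the key comment
        printf 'unrestricted key: %s\n' "$comment"
        bad=1
    done < "$file"
    return $bad
}

# Demonstration: the entry to append to ~/.ssh/authorized_keys on the
# backup server for a "put"-style key (dd writes whatever arrives on stdin,
# as in the forced-command example quoted above).
build_restricted_entry "$SAMPLE_PUBKEY" "/usr/bin/dd of=/backup/site.tar"
```

With that entry installed, the client side is the same as in the thread, e.g. `tar cf - /data | ssh -i /path/to/backup_key backup@backup.system.org`; whatever command the client asks for is ignored and the server runs only the dd. Running the audit over the real file on the backup host (`audit_authorized_keys ~/.ssh/authorized_keys`) is a quick check that no unattended key has been added without a forced command.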