[Dirvish] dirvish and root password

michael linux at networkingnewsletter.org.uk
Tue Sep 20 06:59:44 PDT 2005


On Tue, 2005-09-20 at 09:52 -0400, Jon Radel wrote:
> michael wrote:
> > On Tue, 2005-09-20 at 13:59 +0100, Brian Scanlan wrote:
> > 
> >>Hi,
> >>
> >>On 9/20/05, michael <linux at networkingnewsletter.org.uk> wrote:
> >>
> >>>I'm guessing that I should also be setting up a 'dirvish' user on both
> >>>the server and each/every client (!), changing permissions, running (3)
> >>>as dirvish?
> >>
> >>From /usr/share/doc/dirvish/HOWTO.Debian.gz - 
> >>
> >>"- If running dirvish over the network is intended, you may want to investigate
> >>  setting up ssh so that rsync will run over ssh without passwords or
> >>  passphrases being asked. This is basically an ssh FAQ... search for
> >>  authorized_keys and/or ssh-agent."
> >>
> >>Personally, I run dirvish from sudo as the "backup" user that's
> >>already created on Debian. My installation process for each server is
> >>the same, but also has a step like:
> >>
> >>4) mkdir ~backup/.ssh; cat > ~backup/.ssh/authorized_keys (paste public
> >>key here) ; chown -R backup:backup ~backup/.ssh
> >>
> > 
> > 
> > 
> > I set up ssh logins from server (loginName1) to client (loginName2) but 
> > I was wondering about usernames and 'dirvish' user doesn't seem to be
> > set up by default:
> > 
> > michael at ratty:/data/mp3$ su dirvish
> > Unknown id: dirvish
> > 
> > Are you implying I should set up a user 'dirvish' on all machines and
> > use that and that then I will not be asked for root password on the
> > servers (since I have it not!)?
> 
> I'm curious, were you hoping to backup all files on the client machines? 

I'm thinking I may have missed something basic and obvious so I'll
reread the HowTo etc but I wish to back up all of /home on a remote
machine so yes, not just my files but all user files. I do have 'sudo'
on the remote but it's not my machine (although am responsible for backups)
so don't have the root password. I was just astounded when 'dirvish
--init' asked for the client's root password - must have missed that
requirement in the docs!


>   Unless you have sudo privileges broad enough so that you probably 
> could just set the root password and then put it back later, the lack of 
> root password strikes me as incompatible with configuring things so that 
> rsync runs as root or equivalent.
> 
> In any case, the primary message I took away from Brian Scanlan's answer 
> was that you should consider using certificates with ssh.  Then you 
> don't need to give any password for the client side.  If you don't 
> encrypt the private side with a key, you don't have to give a pass 
> phrase on the server side at run time either.  While certificates are 
> not a perfect solution, I suspect that the consensus would be that they 
> beat hard coding passwords, particularly root passwords, into the 
> scripts on the server side.

Yes I do understand but it's a question of which users on the server and
client to do this for and under which user to run 'dirvish'

> After that the consensus gets a bit looser.  Many feel that using a 
> "dirvish" user on the client side with sudo is the best way to proceed. 
>   I've never been convinced that this is fundamentally much more secure 
> than using a certificate that is locked down pretty tight on the client 
> side ssh server, in other words, is configured to not allow general 
> logins, but only access to the rsync command.
> 
> --Jon Radel
> jon at radel.com
> _______________________________________________
> Dirvish mailing list
> Dirvish at dirvish.org
> http://www.dirvish.org/mailman/listinfo/dirvish
-- 
Michael Bane
Atmospheric Physics Group
University of Manchester
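
Added example, not part of the thread or of dirvish: one way to set up what Jon Radel describes, a key on the client that cannot open a login and can only run rsync. The script path, the `/home` root and the key placeholder are assumptions; the wrapper accepts only the read-only `rsync --server --sender` form with a single source path.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the backup key on the client.
# Hypothetical path /usr/local/sbin/rsync-backup-only, referenced from one
# authorized_keys line (the key itself is a placeholder):
#   command="/usr/local/sbin/rsync-backup-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY> backup-server
LC_ALL=C; export LC_ALL
ALLOWED_ROOT=/home    # assumption: only /home is pulled, as in the thread

# Return 0 only for a read-only rsync of one path under ALLOWED_ROOT.
check_backup_command() {
    cmd=$1
    case $cmd in
        # Small allowlist: no quotes, globs, shell metacharacters,
        # tabs or newlines; then no ".." path traversal.
        *[!A-Za-z0-9\ ./,_=-]*) return 1 ;;
        *..*) return 1 ;;
    esac
    set -- $cmd       # splitting is safe: the allowlist has no globs or quotes
    [ "$1 $2 $3" = "rsync --server --sender" ] || return 1
    shift 3
    while [ $# -gt 0 ]; do
        case $1 in -*) shift ;; *) break ;; esac
    done
    # rsync's server syntax: options, then ".", then the source path.
    [ $# -eq 2 ] && [ "$1" = "." ] || return 1
    case $2 in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
    esac
    return 1
}

# sshd puts the command the backup server asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_backup_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-backup-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The account that holds this key still has to be able to read everything under `/home`, which is the root-or-sudo question the thread is discussing; the wrapper only limits what the key can ask for.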


