[Dirvish] dirvish and root password
linux at networkingnewsletter.org.uk
Tue Sep 20 06:59:44 PDT 2005
On Tue, 2005-09-20 at 09:52 -0400, Jon Radel wrote:
> michael wrote:
> > On Tue, 2005-09-20 at 13:59 +0100, Brian Scanlan wrote:
> >>On 9/20/05, michael <linux at networkingnewsletter.org.uk> wrote:
> >>>I'm guessing that I should also be setting up a 'dirvish' user on both
> >>>the server and each/every client (!), changing permissions, running (3)
> >>>as dirvish?
> >>From /usr/share/doc/dirvish/HOWTO.Debian.gz -
> >>"- If running dirvish over the network is intended, you may want to investigate
> >> setting up ssh so that rsync will run over ssh without passwords or
> >> passphrases being asked. This is basically an ssh FAQ... search for
> >> authorized_keys and/or ssh-agent."
> >>Personally, I run dirvish from sudo as the "backup" user that's
> >>already created on Debian. My installation process for each server is
> >>the same, but also has a step like:
> >>4) mkdir ~backup/.ssh; cat > ~backup/.ssh/authorized_keys (paste public
> >>key here) ; chown -R backup:backup ~backup/.ssh
> > I set up ssh logins from server (loginName1) to client (loginName2) but
> > I was wondering about usernames and 'dirvish' user doesn't seem to be
> > set up by default:
> > michael at ratty:/data/mp3$ su dirvish
> > Unknown id: dirvish
> > Are you implying I should set up a user 'dirvish' on all machines and
> > use that and that then I will not be asked for root password on the
> > servers (since I have it not!)?
> I'm curious, were you hoping to backup all files on the client machines?
I'm thinking I may have missed something basic and obvious so I'll
reread the HowTo etc but I wish to back up all of /home on a remote
machine so yes, not just my files but all user files. I do have 'sudo'
on the remote but it's not my machine (although am responsible for backups)
so don't have the root password. I was just astounded when 'dirvish
--init' asked for the client's root password - must have missed that
requirement in the docs!
> Unless you have sudo privileges broad enough so that you probably
> could just set the root password and then put it back later, the lack of
> root password strikes me as incompatible with configuring things so that
> rsync runs as root or equivalent.
> In any case, the primary message I took away from Brian Scanlan's answer
> was that you should consider using certificates with ssh. Then you
> don't need to give any password for the client side. If you don't
> encrypt the private side with a key, you don't have to give a pass
> phrase on the server side at run time either. While certificates are
> not a perfect solution, I suspect that the consensus would be that they
> beat hard coding passwords, particularly root passwords, into the
> scripts on the server side.
Yes I do understand but it's a question of which users on the server and
client to do this for and under which user to run 'dirvish'
> After that the consensus gets a bit looser. Many feel that using a
> "dirvish" user on the client side with sudo is the best way to proceed.
> I've never been convinced that this is fundamentally much more secure
> than using a certificate that is locked down pretty tight on the client
> side ssh server, in other words, is configured to not allow general
> logins, but only access to the rsync command.
> --Jon Radel
> jon at radel.com
Atmospheric Physics Group
University of Manchester
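
The locked-down key Jon Radel describes (no general login, only access to the rsync command) can be enforced on the client with a forced command in `authorized_keys`. The wrapper below is an added example, not part of the original thread or of dirvish; the wrapper path, the key material and the `/home/` root are assumptions.

```sh
#!/bin/sh
# Added example: forced-command wrapper for a backup-only SSH key (client side).
# Referenced from the backup user's authorized_keys; the wrapper path and the
# key material below are placeholders:
#   command="/usr/local/bin/backup-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...placeholder backup@server
LC_ALL=C; export LC_ALL
ALLOWED_ROOT="/home/"   # assumption: the only tree the backup server may read

# Return 0 only for a read-only rsync pull of a path under ALLOWED_ROOT.
check_rsync_cmd() {
    cmd=$1
    # Character whitelist: no quotes, globs, newlines or shell metacharacters.
    case $cmd in
        *[!A-Za-z0-9\ ./_,=+-]*) return 1 ;;
    esac
    set -- $cmd                          # split into words (function-local)
    [ "$1 $2 $3" = "rsync --server --sender" ] || return 1
    shift 3
    # Options before the "." separator; refuse ones that delete source files.
    while [ $# -gt 0 ] && [ "$1" != "." ]; do
        case $1 in
            --remove-*) return 1 ;;
            -*) shift ;;
            *) return 1 ;;
        esac
    done
    # Exactly ". <path>" must remain, and the path must stay under the root.
    [ $# -eq 2 ] || return 1
    case $2 in
        *..*) return 1 ;;
        "$ALLOWED_ROOT"*) return 0 ;;
    esac
    return 1
}

# Run the request only if it passed the check; otherwise refuse.
run_forced_command() {
    if check_rsync_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND       # unquoted on purpose: becomes argv
    fi
    echo "backup-only key: request refused" >&2
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND to whatever the connecting side asked to run.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then run_forced_command; fi
```

The rsync distribution ships `rrsync`, a more complete restricted-rsync wrapper that serves the same purpose.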