SSH Connection

Bill Tangren bjt at aa.usno.navy.mil
Thu Jun 2 17:08:14 UTC 2005 

Kelley.Coleman at med.va.gov wrote:
> I would like to run a script on box A that connects to box B, executes a
> script there, then returns to complete the original script.  The user
> accounts are different on each box.  Box A user is 'oracle', box B user is
> 'ias'.
> 
> I tried:
> 
> ssh servername -l ias /u01/ias/scripts/test_script.sh
> 
> but I'm prompted for a password.
> 
> I tried putting the password into the script where it seems to want it, but
> again, I'm prompted for a password and it processes the password in the
> script as a command.
> 
> Do I need to do something in the ssh_config?  known_hosts? authorized_keys?
> 
> I'm not thrilled with the thought of having the password in a script file.
> So if there's a better way, I'm all for hearing it!
> 
> Thanks in advance...
> 
> Kelley Coleman
> Database Administrator
> VA Health Administration Center
> Denver, Colorado
> 303-331-7521-o
> 888-732-8802-p
> 720-319-0454-c
> 

I have several servers that I use as hot backups of our production 
servers. This is what I do to automate the backups in as secure way as 
possible. You should be able to modify this to suit your needs.

Step 1:

Server A is the production server. Server B is the data backup. As root 
on server B, generate a key, and give it a unique name, and don't enter 
a passphrase (just hit enter):

# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa_A_backup
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa_A_backup.
Your public key has been saved in /root/.ssh/id_rsa_A_backup.pub.
The key fingerprint is:
ee:19:aa:f5:ac:62:dc:18:7d:cd:dd:9e:66:62:0d:98 root at B.com
#

Step 2:

Go to /root/.ssh, and ftp to A.com. Then cd to /root/.ssh/ (on A.com) 
and put the id_rsa_A_backup.pub file into that directory. Exit ftp.

Step 3:

Telnet into A.com, and cd to /root/.ssh/. If there is a file there 
called authorized_keys2, then:

Step 4:

# cat id_rsa_A_backup.pub >> authorized_keys2
#

If authorized_keys2 doesn't exist, then:

# mv id_rsa_A_backup.pub authorized_keys2
#

Step 5:

If you are doing a backup on B.com using rsync like this:

# rsync -avrz -e 'ssh -i /root/.ssh/id_rsa_A_backup' A.com:/home/ 
/home/A/home/

then you need to add a line to authorized_keys2 like this:

command="rsync --server -avrz . /home/"

You MUST add this line immediately before the key you added to the end 
of this file. This line ties the key to the command you are going to run 
on B.com, so that if the key is stolen, the thief can only use it to run 
this command. They *shouldn't* be able to get general root access to 
your system.

Once you do this, you can run your command on B.com and see if it works. 
If it does, you can put it in a cron script to run automatically (on 
B.com).

HTH

More information about the redhat-list mailing list