[lbackup-discussion] Backup server and ssh permitrootlogin settings

Scott Haneda
Mon Oct 12 13:37:52 NZDT 2009


On Oct 11, 2009, at 5:00 PM, henri wrote:

>> Thanks for the links, I will read them over later this evening.  I  
>> thought about going to the ssh mailing list.   I have had long  
>> going issues with trying to understand ssh_agent and how to get it  
>> to drop my credentials out of the keychain on sleep, which seems  
>> darn near impossible.
>
> If you are on Mac OS X then there is a program called SSHKeychain. I  
> believe that this program supports this option. It would be worth  
> while looking into the use of SSHKeychain.

You may be able to guess the depths to which I have been down this  
road :)
That app has not been developed much in a while, and last I heard it  
leaked a little, and has not seen any updates.  I do not suspect it  
will work well on Snow.  I could be wrong.  I did reach out to the  
developer to see just how he is unloading the keys from ssh-agent on  
sleep, but was not able to get a reply.

I was able to write some scripts that would be able to detect wake and  
sleep, so if I could just figure out how to get ssh-agent to forget  
the keys, I would be in business.

This blog post has as much as anyone has put up on the matter:
http://www.dribin.org/dave/blog/archives/2007/11/28/ssh_agent_leopard/

The follow up is even better:
http://www.dribin.org/dave/blog/archives/2007/11/28/securing_ssh_agent/

The trouble is launchctl stop org.openbsd.ssh-agent does not unload  
the keys.  I have been much more brute force about it, and even  
completely killed the agent.  I finally gave up.

>> You would think unloading the launchd item would do it, but  
>> apparently there is more to it than that.  I took that issue to the  
>> ssh mailing list, and did not get too far.
>
> I see. Are you setting this up on Mac OS X?

Correct.  I have found an acceptable enough workaround.  My trouble is  
I manage a lot of servers, and if someone were to get my laptop, it  
would only take a trip to known_hosts to know where I connect to, and  
as long as my machine has only slept, they could get right in.

I do know, if my laptop is ever taken, I can always login to the  
remote machine, and revoke all keys.  There is also the fact that most  
would-be thieves are probably not going to be sysadmins :-)

>> As soon as I find an acceptable way to do remote backups with rsync  
>> over ssh, where I can backup the entirety of / to a remote system,  
>> I will post my instructions on how to do so here.
>>
>> From there, I imagine it should not be hard for me to integrate  
>> that into lbackup scripts.
>
> You may find that the hard linking may be quite complex. However, if  
> you work out how to achieve this then I would be most interested.

Yeah, and it is even a little different in OS X, in that from what I  
can gather from the man pages, hard links to directories are followed,  
probably as a way to help Time Machine along.  I am not sure you  
recall, but there was a case with lBackup where a hard link was being  
recursed to the point that if I had let it run long enough, I would  
have run out of volume space.

I seem to recall there was an rsync flag I could add to prevent this  
from happening.  Or I can just exclude /Volumes, which is, to the  
best of my knowledge, where the recursion issues were coming from.  I  
can tell you, it took one heck of a long time to delete that backup  
folder since I let it run a few hours :)

I will gather all my data and report it back here, so you can perhaps  
add it to your Web site for others.
Thank you for your help.
-- 
Scott
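
Editor's note, added example (not Scott's scripts and not part of lbackup): the thread's sticking point is that stopping the launchd job does not make ssh-agent forget its keys. The agent itself, however, will drop every loaded identity on request; that is what `ssh-add -D` sends. The script below speaks the OpenSSH agent protocol directly over the socket in SSH_AUTH_SOCK, sends SSH_AGENTC_REMOVE_ALL_IDENTITIES (message 19), then sends SSH_AGENTC_REQUEST_IDENTITIES (11) and parses the SSH_AGENT_IDENTITIES_ANSWER (12) to verify nothing is left, which is the check a sleep hook should make rather than trusting launchctl. The message numbers are from the OpenSSH agent protocol; the socket path, the key comments and the `build_identities_answer` helper used for offline input are assumptions constructed for the example. On Leopard and later, where launchd starts the agent on demand, connecting to the socket will respawn an (empty) agent, which is harmless here.

```python
"""Ask a running ssh-agent to forget all keys, then verify it is empty.

Added example for the sleep-hook problem above; it is not lbackup code.
Protocol constants follow the OpenSSH agent protocol; everything else
(socket path, comments, sample data) is constructed for illustration.
"""
import os
import socket
import struct

# Message numbers from the OpenSSH agent protocol.
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19


def frame(payload: bytes) -> bytes:
    """Every agent message is a big-endian uint32 length followed by the body."""
    return struct.pack(">I", len(payload)) + payload


def build_remove_all_request() -> bytes:
    """The request ssh-add -D sends: one byte, no arguments."""
    return frame(bytes([SSH_AGENTC_REMOVE_ALL_IDENTITIES]))


def build_request_identities() -> bytes:
    """The request ssh-add -l sends to list what the agent holds."""
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_identities_answer(body: bytes):
    """Return the comment of each key in an IDENTITIES_ANSWER body (no length prefix)."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, comments = 5, []
    for _ in range(nkeys):
        _blob, off = _read_string(body, off)      # public key blob, not needed here
        comment, off = _read_string(body, off)
        comments.append(comment.decode("utf-8", "replace"))
    if off != len(body):
        raise ValueError("trailing bytes in identities answer")
    return comments


def build_identities_answer(entries):
    """Constructed helper: encode (blob, comment) pairs the way an agent would.

    Used only to exercise parse_identities_answer offline; a real agent
    produces this message itself.
    """
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(entries))
    for blob, comment in entries:
        body += struct.pack(">I", len(blob)) + blob
        body += struct.pack(">I", len(comment)) + comment
    return body


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        data += chunk
    return data


def _exchange(sock, msg: bytes) -> bytes:
    """Send one framed message and return the body of the framed reply."""
    sock.sendall(msg)
    (n,) = struct.unpack(">I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


def purge_agent(sock_path=None):
    """Tell the agent to drop every identity; return the comments of any keys still held."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")   # assumption: agent socket here
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; no agent to talk to")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        if _exchange(s, build_remove_all_request()) != bytes([SSH_AGENT_SUCCESS]):
            raise RuntimeError("agent refused SSH_AGENTC_REMOVE_ALL_IDENTITIES")
        return parse_identities_answer(_exchange(s, build_request_identities()))


if __name__ == "__main__":
    # A sleep hook would call this and alarm if the returned list is non-empty.
    print("keys still loaded after purge:", purge_agent())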


More information about the lbackup-discussion mailing list