[lbackup-discussion] Backup server and ssh permitrootlogin settings
Scott Haneda
Mon Oct 12 13:37:52 NZDT 2009
On Oct 11, 2009, at 5:00 PM, henri wrote:
>> Thanks for the links, I will read them over later this evening. I
>> thought about going to the ssh mailing list. I have had long
>> going issues with trying to understand ssh_agent and how to get it
>> to drop my credentials out of the keychain on sleep, which seems
>> darn near impossible.
>
> If you are on Mac OS X then there is a program called SSHKeychain. I
> believe that this program supports this option. It would be
> worthwhile looking into the use of SSHKeychain.
You may be able to guess the depths to which I have been down this
road :)
That app has not been developed much in a while, and last I heard it
leaked a little, and has not seen any updates. I do not suspect it
will work well on Snow. I could be wrong. I did reach out to the
developer to see just how he is unloading the keys from ssh-agent on
sleep, but was not able to get a reply.
I was able to write some scripts that would be able to detect wake and
sleep, so if I could just figure out how to get ssh-agent to forget
the keys, I would be in business.
This blog post has as much as anyone has put up on the matter:
http://www.dribin.org/dave/blog/archives/2007/11/28/ssh_agent_leopard/
The follow up is even better:
http://www.dribin.org/dave/blog/archives/2007/11/28/securing_ssh_agent/
The trouble is launchctl stop org.openbsd.ssh-agent does not unload
the keys. I have been much more brute force about it, and even
completely killed the agent. I finally gave up.
>> You would think unloading the launchd item would do it, but
>> apparently there is more to it than that. I took that issue to the
>> ssh mailing list, and did not get too far.
>
> I see. Are you setting this up on Mac OS X?
Correct. I have found an acceptable enough workaround. My trouble is
I manage a lot of servers, and if someone were to get my laptop, it
would only take a trip to known_hosts to know where I connect to, and
as long as my machine has only slept, they could get right in.
I do know, if my laptop is ever taken, I can always login to the
remote machine, and revoke all keys. There is also the fact that most
would-be thieves are probably not going to be sysadmins :-)
>> As soon as I find an acceptable way to do remote backups with rsync
>> over ssh, where I can backup the entirety of / to a remote system,
>> I will post my instructions on how to do so here.
>>
>> From there, I imagine it should not be hard for me to integrate
>> that into lbackup scripts.
>
> You may find that the hard linking may be quite complex. However, if
> you work out how to achieve this then I would be most interested.
Yeah, and it is even a little different in OS X, in that from what I
can gather from the man pages, hard links to directories are followed,
probably as a way to help Time Machine along. I am not sure you
recall, but there was a case with lBackup where a hard link was being
recursed to the point that if I had let it run long enough, I would
have run out of volume space.
I seem to recall there was a rsync flag I could add to prevent this
from happening. Or I can just exclude /Volumes, which is, to the
best of my knowledge, where the recursion issues were coming from. I
can tell you, it took one heck of a long time to delete that backup
folder since I let it run a few hours :)
I will gather all my data and report it back here, so you can perhaps
add it to your Web site for others.
Thank you for your help.
--
Scott
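The stolen-laptop concern above, that a trip to known_hosts reveals every server the owner connects to, is exactly what OpenSSH's HashKnownHosts option addresses: instead of the hostname, each entry stores a token of the form |1|salt|HMAC-SHA1(salt, hostname), base64-encoded, which can be matched against a host you already know but cannot be read back into a host list. The following is an added example, not code from the thread or from lBackup, that implements that token format, checks whether a known_hosts file still carries plaintext host patterns, and finds the hashed entries belonging to a given host. The known_hosts content is constructed inline for the example; the key blobs in it are placeholders, not real public keys.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenSSH HashKnownHosts token |1|<salt>|<hmac> for hostname.

    OpenSSH uses a 20-byte random salt as the HMAC-SHA1 key and the host
    pattern (e.g. "backup.example.org" or "[host]:2222") as the message.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode()
    )


def hashed_token_matches(token: str, hostname: str) -> bool:
    """Return True if the |1|salt|hash token was produced for hostname."""
    parts = token.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def _host_field(line: str) -> Optional[str]:
    """Extract the host-pattern field of one known_hosts line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    return fields[0] if fields else None


def plaintext_hosts(known_hosts_text: str) -> List[str]:
    """Host patterns stored unhashed, i.e. what a thief could read directly."""
    found = []
    for line in known_hosts_text.splitlines():
        hosts = _host_field(line)
        if hosts is not None and not hosts.startswith("|1|"):
            found.append(hosts)
    return found


def hashed_entries_for(known_hosts_text: str, hostname: str) -> List[str]:
    """Lines whose hashed host token matches hostname (plaintext lines ignored)."""
    matches = []
    for line in known_hosts_text.splitlines():
        hosts = _host_field(line)
        if hosts is not None and hosts.startswith("|1|"):
            if hashed_token_matches(hosts, hostname):
                matches.append(line.strip())
    return matches


# Constructed sample data: a fixed salt so the file content is deterministic,
# one plaintext entry and one hashed entry. Key blobs are placeholders.
FIXED_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts; not a real file",
    "backup.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1",
    hash_hostname("mail.example.org", FIXED_SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY2",
])


if __name__ == "__main__":
    leaks = plaintext_hosts(SAMPLE_KNOWN_HOSTS)
    print("plaintext host patterns still present:", leaks or "none")
    for host in ("mail.example.org", "backup.example.org"):
        print(host, "hashed entries:", len(hashed_entries_for(SAMPLE_KNOWN_HOSTS, host)))
```

Running it against a real file (read ~/.ssh/known_hosts into the string instead of the sample) shows which hosts would be disclosed. To fix an existing file, `ssh-keygen -H -f ~/.ssh/known_hosts` rewrites every entry in this hashed form, and `HashKnownHosts yes` in ssh_config keeps new entries hashed. Note that hashing only hides the host list; it does nothing about keys already loaded in ssh-agent, which is the separate problem the thread is about, and for that `ssh-add -D` (remove all identities) from a sleep hook or `ssh-add -t <seconds>` (limit an identity's lifetime) are the agent-side controls.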