Automated ssh-agent

[nitmd]

I'm running a backup server and am working on using rsnapshot (was using bacula, but for this particular application I think rsnapshot is a better fit).

I have set up rsa key authentication to the machine to be backed up, but I am using passphrases. I understand ssh-agent will allow me to ssh without entering the passphrase, which is what needs to be done. I have run ssh-agent manually and it does work.

What I am having trouble figuring out is how to load ssh-agent on boot so that this process never needs my intervention. I've found lots of articles for linux, but have not tracked down FreeBSD information that I can understand. I am coming from an archlinux background, and have not quite mastered the BSD way of doing some things; in particular, I haven't figured out the csh differences. (This needs to be a root login over ssh).

 

[gkontos]

I think that security/autossh might be what you are looking for. If you want this to start at boot you could write an rc start up script. Or you can just add it in your crontab
Have a look ad the end here on how to do this.

 

[phoenix]

There's also security/keychain. That allows you to enter the passphrases for each key once, and they are stored in RAM until you logout.

 

[nitmd]

I'll take a look at autossh. The thing about keychain is that I don't login to the backup server in order to do backups, that's automated to run in the middle of the night. I wouldn't want to leave an open root login on the machine.

 

[Fred]

I have set up rsa key authentication to the machine to be backed up, but I am using passphrases. [...] What I am having trouble figuring out is how to load ssh-agent on boot so that this process never needs my intervention.

If you want the backup to run unattended, then don't use passphrases to protect the keys... If you are afraid of the keys being stolen and used by an attacker, then there are at least two solutions:

• use the command= options in the authorized_keys file (see sshd(8), section "AUTHORIZED_KEYS FILE FORMAT"). See also the from= option.
• set the login shell of the user accepting those keys to a shell script that run the backup (you may have to add this script to /etc/shells).

The thing about keychain is that I don't login to the backup server in order to do backups, that's automated to run in the middle of the night. I wouldn't want to leave an open root login on the machine.

The default behaviour of keychain is to run ssh-agent once, and then to "recover" the session on subsequent runs. You would need to enter the passphrase to your keys once, then logout, and then the keys are available to your backup script.

 

[phoenix]

You can also use password-less keys, and security/sudo to accomplish the same thing. This is what we do for our backups.

The backups user on the remote systems are normal, low-privilege users. The password for the backups user is set to * manually in passwd(5) so that no local logins are allowed. And sshd_config(5) is set to not allow password logins (only key logins). sudoers(5) is configured so that the backups user can run the backup command as root, without a password. No other privileges are allowed in the sudo setup.

On the backups server, the key file is only readable by root, and the backups process is executed by root (but the remote logins are done as the backups user).