From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] {OT} rdiff-backup: push or pull?
Date: Sat, 20 Aug 2011 10:12:35 +0200
Message-ID: <2784652.DcThESz1aH@nazgul>
In-Reply-To: <CAN0CFw2tt6KvUjHNoY7g=SKNK8xLG2G-FtFUQr2pf-bOnGCNUw@mail.gmail.com>
On Fri 19 August 2011 12:58:10 Grant did opine thusly:
> >> Is the purpose of the Host block in .ssh/config to store the
> >> hostname of the backup server so it doesn't need to be used
> >> directly in the rdiff-backup command?
> >
> > It forces key-based authentication when connecting to the backup
> > server. The default is password-based, which obviously won't
> > work in a cron job.
> I don't use an .ssh/config at all and I'm not prompted for a
> password if the keys are in place. My sshd_config is pretty much
> default and my normal user is prompted for a password.
sshd can use various schemes for user authentication. The overall
process is:

  1. user connects
  2. user is authenticated somehow
  3. user's shell is launched

The middle step is highly variable. sshd can do all of it itself using
only keys, or it could be happy with password authentication, it can
even use PAM and obey whatever yes/no result PAM comes back with.
sshd runs as root (therefore with access to /etc/shadow) so it could
even validate passwords itself if it wanted, bypassing login and PAM
entirely. This is of course a silly idea, but still technically
feasible.

.ssh/config is only useful when the user desires options different
from the global defaults in /etc/ssh/sshd_config, or wants to do extra
actions for specific destination hosts.
>
> >> Why create a password for the backup user? Doesn't that open
> >> up the possibility of someone logging in as that user, when
> >> otherwise the account would only be used for backing up
> >> files?
> >
> > It might work without one; in these instructions the
> > machine-to-be-backed-up never connects to the backup server as
> > root, and so you need a way to SCP stuff to the backup server.
> > I usually use a `pwgen 16` password for these accounts and then
> > immediately forget it, so nobody will log in to them for a few
> > billion years at least.
> >
> > Does key-based authentication work with no password? I've never
> > tried.
> It does! :)
>
> - Grant
--
alan dot mckinnon at gmail dot com
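
The variable middle step discussed in this message can be read off a server's effective settings. The following is an added example, not part of the original message: it assumes the lowercase "keyword value" output format of `sshd -T`, and the sample settings and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output (effective server settings).
# It is not taken from any host in the thread.
sample_sshd_T() {
cat <<'EOF'
port 22
usepam yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no
EOF
}

# Read `sshd -T` style lines on stdin and print, one per line, the
# user-authentication paths the server offers. For passwords, also say
# who checks them: PAM, or sshd itself against the shadow file.
enabled_auth() {
  awk '
    { v[$1] = $2 }   # remember every keyword; order of lines does not matter
    END {
      backend = (v["usepam"] == "yes") ? "pam" : "sshd"
      if (v["pubkeyauthentication"] == "yes") print "publickey"
      if (v["passwordauthentication"] == "yes") print "password:" backend
      # older OpenSSH releases name this keyword challengeresponseauthentication
      if (v["kbdinteractiveauthentication"] == "yes" || v["challengeresponseauthentication"] == "yes") print "keyboard-interactive"
    }'
}

# Succeed only when keys are the sole way in, which is what an
# unattended (cron) backup account needs and all it should allow.
key_only() {
  [ "$(enabled_auth)" = "publickey" ]
}

# Demonstration on the constructed sample.
sample_sshd_T | enabled_auth
if sample_sshd_T | key_only; then
  echo "key-only: yes"
else
  echo "key-only: no (password or interactive login is still offered)"
fi
```

On a real server, run `sshd -T | enabled_auth` as root to see what the daemon actually offers, independent of any client-side .ssh/config.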