Rsync passwordless ssh login
Introduction
In this article you will learn how to set up rsync passwordless login. The whole experiment was performed on CentOS 7; it can also be performed on other Linux and UNIX distributions. Rsync passwordless login works by generating two keys on the local server, a private key and a public key. The public key is copied to the remote server, which establishes a trust between the two servers for trouble-free synchronization of files and other documents. The two Linux tools used to accomplish the task are as follows.
- ssh-keygen - It generates two keys (private and public). The private key stays on the local server and proves its identity; the public key is what remote hosts use to verify that identity.
- ssh-copy-id - This tool copies the public key from the local host to the remote host.
The steps below walk through setting up rsync passwordless ssh login in detail.
How to take backup with rsync
Normally, when you take a backup with the rsync tool, you have to enter the password of the remote server for the backup to proceed.
Also see a thorough tutorial on Rsync Linux examples.
Below is an example of the general rsync syntax for taking a backup from a local server to a remote one; you give the source path and the destination path. To take a backup between two different operating systems (e.g. between Linux and Windows), you need to install a third-party application on Windows; check out Rsync over ssh Windows.
# rsync -avzb -e ssh /root/Maildir/ email@example.com:/home/techsakh/backup/
firstname.lastname@example.org's password:
sending incremental file list
./
cur/
new/
tmp/

sent 797321 bytes  received 2782 bytes  94129.76 bytes/sec
total size is 5158361  speedup is 6.45
Step 1. Generate ssh key
The ssh-keygen tool generates a private key and a public key on your local computer. The private key stays on your computer, whereas the public key must be copied to the remote server for rsync passwordless login.
But is passwordless login safe?
A password can be guessed by brute-force tools, whereas brute-forcing an SSH key is practically infeasible because of its length. Bear in mind that the key created below has no passphrase, so the private key file itself must be kept out of anyone else's reach.
See the example below of creating a private and a public key. You will be asked where to save the key and for a passphrase; for passwordless login leave the passphrase empty by pressing Enter at both prompts.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
To know more about ssh-keygen, see the man page.
$ man ssh-keygen
Check out the article mysql import dump to learn about importing dump in database.
Step 2. Copy public key to remote server
Now copy the ssh public key from your local computer to the remote server for passwordless login. You will be asked for the remote server's password one last time.
The ssh-copy-id tool copies the public key to the remote server.
$ ssh-copy-id -i /home/john/.ssh/id_rsa.pub 192.168.0.8
The authenticity of host '192.168.0.8 (192.168.0.8)' can't be established.
ECDSA key fingerprint is ################################################
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
email@example.com's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.0.8'"
and check to make sure that only the key(s) you wanted were added.
Step 3. Test your ssh connection without password
Before attempting passwordless login with rsync, test passwordless ssh login on its own. You should get output similar to the example below.
$ ssh 192.168.0.8
Last login: Sun Sep 18 00:26:26 2016 from smtp.techsakh.com
Step 4. Try rsync passwordless backup
Take the backup with rsync again; this time it will not ask for a password.
# rsync -avzb -e ssh /root/Maildir/ firstname.lastname@example.org:/home/techsakh/backup/
sending incremental file list
cur/
new/
tmp/

sent 797318 bytes  received 2779 bytes  320038.80 bytes/sec
total size is 5158361  speedup is 6.45
Also see rsync exclude-from tutorial to know how to exclude files and directories when taking backup.
Automate rsync passwordless backup
Use cron to automate the whole rsync passwordless backup. If you plan to take the backup daily, create a shell script and let cron run it, as in the following example.
Create a file called daily_backup inside the cron.daily directory.
# cd /etc/cron.daily
# vi daily_backup
#!/bin/sh
rsync -azvbp -e 'ssh -p 22' /root/Maildir/ email@example.com:/home/techsakh/backup/
After saving the file, make it executable.
# chmod +x daily_backup
Secure (ssh) rsync passwordless login
Copying the ssh public key to the remote server and enabling passwordless login is secure in itself, but if your ssh private key falls into the wrong hands (and this key has no passphrase to slow an attacker down), whoever holds it can just as easily reach your remote server from anywhere on the internet, which is hazardous.
The better choice is to restrict the key so that the remote server accepts it only from specific IP addresses. See the example below.
Locate the authorized_keys file on the remote server. It is usually at .ssh/authorized_keys inside the home directory of the account you log in as.
# locate authorized_keys
Open the file for editing. On my remote server the path is as given below; in your case it may be different.
# vi /home/techsakh/.ssh/authorized_keys
Each line of the authorized_keys file has the format:
options keytype base64-encoded-key comment
The keytype, base64-encoded-key and comment are already present in the line that ssh-copy-id wrote; the options section is empty and you can add it in front. To restrict where the key may be used from, add the authorized IP and domain in the form from="pattern_list", a comma-separated list of IP addresses or hostnames in which * is a wildcard. See the example below.
from="18.104.22.168,*.techsakh.com" ssh-rsa AABB2CGFTRMQSS243JUI.. firstname.lastname@example.org
In the above example login is only allowed when the client connects from the IP 22.214.171.124 or from a host in the 'example.com' domain. Hostname patterns are matched against the reverse DNS name of the connecting address, so an IP address (or a CIDR range, which from= also accepts) is the more dependable restriction.
Here,
- Options: from="126.96.36.199,*.techsakh.com"
- Keytype: ssh-rsa
- Base64-encoded-key: AABB2CGFTRMQSS243JUI..
- Comment: email@example.com
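As an added example (not code from the original article), the script below audits an authorized_keys file for keys that carry no from= option, adds one to a bare key line, and evaluates a from= pattern list against a client address the way sshd does (comma-separated globs, a leading ! negates, one negated match rejects the whole list). The function names and the sample key lines are constructed for this example; the keys are fake.

```shell
#!/bin/sh
# Added example (not from the article): audit an authorized_keys file for keys
# that carry no from= restriction, add one where it is missing, and evaluate a
# from= pattern list the way sshd does: comma-separated globs, a leading "!"
# negates a pattern, and one negated match rejects the whole list.

# Print the pattern list inside from="..." of one key line, or nothing.
key_from_patterns() {
    printf '%s\n' "$1" | sed -n 's/.*from="\([^"]*\)".*/\1/p'
}

# Print the comment field of every key in FILE that has no from= option.
unrestricted_keys() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac          # blank or comment line
        [ -n "$(key_from_patterns "$line")" ] && continue
        printf '%s\n' "${line##* }"                       # last field = comment
    done < "$1"
}

# Prepend from="PATTERNS" to a key line that has no options section yet.
restrict_key() {
    case $1 in
        ssh-*|ecdsa-*|sk-*) printf 'from="%s" %s\n' "$2" "$1" ;;
        *) printf '%s\n' "$1" ;;                          # already has options
    esac
}

# Return 0 if ADDR matches PATTERNS, 1 otherwise. sshd tests both the client
# IP and its reverse-DNS hostname against the list; call once per value.
from_allows() {
    addr=$2 result=1
    old_ifs=$IFS; IFS=','; set -f                         # split on commas, no globbing
    for pat in $1; do
        case $pat in
            '!'*) case $addr in ${pat#!}) result=1; break ;; esac ;;
            *)    case $addr in $pat) result=0 ;; esac ;;
        esac
    done
    set +f; IFS=$old_ifs
    return $result
}

# Constructed sample file (fake keys), in the line format shown above.
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
from="192.168.0.*,*.techsakh.com" ssh-rsa AAAAB3NzaC1yc2EFAKEKEY0001 backup@techsakh.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY0002 john@laptop
EOF
unrestricted_keys "$SAMPLE_KEYS"     # prints: john@laptop
```

Run the audit against the real file on the remote server (e.g. /home/techsakh/.ssh/authorized_keys) to list every key that still works from anywhere.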