rsync two computers on my lan


    #16
    Re: rsync two computers on my lan

    Ok, finally set this up.

    The part that is getting me is that I cannot get my rsync line to work without entering the pass phrase. I am setting up the public/private keys and I've followed the instructions here: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

    Any recommendations?



      #17
      Re: rsync two computers on my lan

      This is the debug I get when I log in. My main problem now is that I need to enter the passphrase every time I log in.

      Code:
      debug1: Server will not fork when running in debugging mode.
      debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
      debug1: inetd sockets after dupping: 3, 3
      Connection from 192.168.1.99 port 42206
      debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1 Debian-4ubuntu5
      debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
      debug1: Enabling compatibility mode for protocol 2.0
      debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
      debug1: permanently_set_uid: 113/65534
      debug1: list_hostkey_types: ssh-rsa,ssh-dss
      debug1: SSH2_MSG_KEXINIT sent
      debug1: SSH2_MSG_KEXINIT received
      debug1: kex: client->server aes128-ctr hmac-md5 none
      debug1: kex: server->client aes128-ctr hmac-md5 none
      debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
      debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
      debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
      debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
      debug1: SSH2_MSG_NEWKEYS sent
      debug1: expecting SSH2_MSG_NEWKEYS
      debug1: SSH2_MSG_NEWKEYS received
      debug1: KEX done
      debug1: userauth-request for user dpich service ssh-connection method none
      debug1: attempt 0 failures 0
      debug1: PAM: initializing for "dpich"
      debug1: PAM: setting PAM_RHOST to "dp5-mark6.local"
      debug1: PAM: setting PAM_TTY to "ssh"
      Failed none for dpich from 192.168.1.99 port 42206 ssh2
      debug1: userauth-request for user dpich service ssh-connection method publickey
      debug1: attempt 1 failures 0
      debug1: test whether pkalg/pkblob are acceptable
      debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
      debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
      debug1: temporarily_use_uid: 1000/1000 (e=0/0)
      debug1: trying public key file /etc/ssh/dpich/authorized_keys
      debug1: fd 4 clearing O_NONBLOCK
      debug1: matching key found: file /etc/ssh/dpich/authorized_keys, line 1
      Found matching RSA key: c1:c2:33:23:8d:25:60:c3:7a:74:02:df:90:5a:68:4b
      debug1: restore_uid: 0/0
      Postponed publickey for dpich from 192.168.1.99 port 42206 ssh2
      debug1: userauth-request for user dpich service ssh-connection method publickey
      debug1: attempt 2 failures 0
      debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
      debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
      debug1: temporarily_use_uid: 1000/1000 (e=0/0)
      debug1: trying public key file /etc/ssh/dpich/authorized_keys
      debug1: fd 4 clearing O_NONBLOCK
      debug1: matching key found: file /etc/ssh/dpich/authorized_keys, line 1
      Found matching RSA key: c1:c2:33:23:8d:25:60:c3:7a:74:02:df:90:5a:68:4b
      debug1: restore_uid: 0/0
      debug1: ssh_rsa_verify: signature correct
      debug1: do_pam_account: called
      Accepted publickey for dpich from 192.168.1.99 port 42206 ssh2
      debug1: monitor_child_preauth: dpich has been authenticated by privileged process
      debug1: PAM: establishing credentials
      User child is on pid 5119
      debug1: SELinux support disabled
      debug1: PAM: establishing credentials
      debug1: permanently_set_uid: 1000/1000
      debug1: Entering interactive session for SSH2.
      debug1: server_init_dispatch_20
      debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
      debug1: input_session_request
      debug1: channel 0: new [server-session]
      debug1: session_new: session 0
      debug1: session_open: channel 0
      debug1: session_open: session 0: link with channel 0
      debug1: server_input_channel_open: confirm session
      debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
      debug1: server_input_channel_req: channel 0 request pty-req reply 1
      debug1: session_by_channel: session 0 channel 0
      debug1: session_input_channel_req: session 0 req pty-req
      debug1: Allocating pty.
      debug1: session_new: session 0
      debug1: SELinux support disabled
      debug1: session_pty_req: session 0 alloc /dev/pts/3
      debug1: server_input_channel_req: channel 0 request env reply 0
      debug1: session_by_channel: session 0 channel 0
      debug1: session_input_channel_req: session 0 req env
      debug1: server_input_channel_req: channel 0 request shell reply 1
      debug1: session_by_channel: session 0 channel 0
      debug1: session_input_channel_req: session 0 req shell
      debug1: Setting controlling tty using TIOCSCTTY.



        #18
        Re: rsync two computers on my lan

        Originally posted by TheBigAmbulance
        My main problem now is that I need to enter the passphrase every time I log in.
        That's what the pass phrase is for, you need it to use the key.

        If you're looking for automation, there are a few options for pass-phrase-less connections. It's a wide subject, but I'll give you a few pointers:

        1. The "easiest" solution is to use a key without a pass phrase (empty pass phrase). This is potentially insecure if your ssh server is accessible from the internet and someone steals your private key (or the machine that has it), because the key can be used to connect to your ssh server.

        It is possible to limit keys in several ways on the server side "authorized_keys" file that can be used to make things more secure. You can, for example, create two keys (one with a pass phrase, and one without) and allow access with the pass-phraseless key only from an IP in your LAN network (and use the pass phrased key to connect from outside your LAN).

        See 'man sshd', especially section "AUTHORIZED_KEYS FILE FORMAT"
        This should be a good read as well: http://troy.jdmz.net/rsync/index.html

        2. If you wish to use a pass phrased key, you can use ssh-agent/keychain to store your pass phrase so you don't have to provide the pass phrase every time you use the key.

        See 'man ssh-agent', 'man ssh-add'

        ----

        Summarizing general guidelines:
        - If your ssh server is not accessible from outside your LAN, you should be fine with a pass phraseless key. Even if someone steals it, they will not be able to use it to connect to your server from outside your LAN.
        - If your ssh server is accessible from outside your LAN, a pass phraseless key is a security problem in the case someone gets their hands on the key (the same is true for a pass phrased key with a weak pass phrase). You can improve security by not allowing pass phraseless keys to access the server from outside your LAN and/or limiting the commands that can be run with the key and/or limiting access to your ssh server.
        - If you use a pass phrased key, you can store the pass phrase with ssh-agent so you don't have to provide it every time you use the key.

        Additional notes:
        - Note that the pass phrase doesn't affect the security of the connection itself (both types of keys provide an equally safe connection); the pass phrase only affects who can use the key.
        - Private keys (whether pass phrased or not) should be kept private. Don't hesitate to remove a compromised key from "authorized_keys" and create a new key pair if one is compromised.

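The authorized_keys restrictions described in post #18, as an added example that is not part of the original posts: a shell function that reports, for each key in an authorized_keys file, whether a from= or command= option is present. The sample file, its key material and comments, and the /usr/local/bin/rsync-only path are constructed placeholders.

```shell
#!/bin/sh
# Added example: report which authorized_keys entries carry from= / command=
# restrictions (options listed in man sshd, AUTHORIZED_KEYS FILE FORMAT).

# Prints one line per key: "<line> from=<yes|no> command=<yes|no> <comment>"
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        bare = ""                               # option names, quoted values dropped
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {     # no key type first: options present
            inq = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (c == "\\" && inq) { i++; continue }   # escaped char in a value
                if (c == "\"") { inq = !inq; continue }
                if ((c == " " || c == "\t") && !inq) break  # options end here
                if (!inq) bare = bare c
            }
            line = substr(line, i + 1)
        }
        split(line, f, " ")                     # f[1]=type f[2]=key f[3]=comment
        from = (bare ~ /(^|,)from=/)    ? "yes" : "no"
        cmd  = (bare ~ /(^|,)command=/) ? "yes" : "no"
        printf "%d from=%s command=%s %s\n", NR, from, cmd, f[3]
    }' "$1"
}

# Number of keys that are accepted from any source address.
count_unrestricted() {
    audit_authorized_keys "$1" | awk '/ from=no /{n++} END{print n+0}'
}

# Constructed sample: placeholder key material, hypothetical forced command.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssh-rsa AAAAconstructed1 laptop-passphrase-key
from="192.168.1.*",command="/usr/local/bin/rsync-only" ssh-rsa AAAAconstructed2 lan-backup-key
command="echo \"x,from=y\"",no-pty ssh-rsa AAAAconstructed3 quoted-from-is-not-an-option
EOF
audit_authorized_keys "$sample"
```

The third sample line shows why the option list is scanned with quote tracking: the text from= inside a quoted command value is not a source restriction.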


          #19
          Re: rsync two computers on my lan

          Have you seen this tutorial?

          http://troy.jdmz.net/rsync/index.html



            #20
            Re: rsync two computers on my lan

            Originally posted by oshunluvr
            Have you seen this tutorial?

            http://troy.jdmz.net/rsync/index.html
            Originally posted by kubicle
            This should be a good read as well: http://troy.jdmz.net/rsync/index.html
            No harm in repetition, it's a good tutorial :P



              #21
              Re: rsync two computers on my lan

              oops...
