Date: Wed, 16 Nov 2005 14:15:59 +0100
From: Olaf Greve <o.greve@axis.nl>
To: freebsd-questions@freebsd.org
Subject: How to properly set-up an SSH tunnel on FreeBSD for automatic backups
Message-ID: <437B310F.8070501@axis.nl>
Hi,

I'm trying to set up an SSH tunnel between two FreeBSD machines, over a direct cross-wire connection between the two, and I'm having issues in doing so. The question(s) I have is/are probably not FreeBSD specific, but still I hope someone can answer it/them...

The situation:
I have two servers (one live, and one staging/fall-back server), and between the two of those I have set up a local network. The live machine is 192.168.1.1 and the fall-back machine is 192.168.1.2. Now, I have already figured out how to synch the files using rsync, and in order to automatically down-synch the live MySQL database to the fall-back machine at specific times a day, I want to be able to run (from the live server) a script that performs commands like this one:

  ssh 192.168.1.2 "mysqladmin -f drop $database"

The followed approach:
In order to be able to run this as root from a cron job, without having to type a password, I tried doing the following (which can be found all over the Internet).

- On 192.168.1.2: as root, generate a (passphrase-less) public RSA key (i.e. ssh-keygen -t rsa), and in /etc/ssh/sshd_config add a line like:
    AllowUsers root@192.168.1.1 olaf
- On 192.168.1.2 I created the file ~/.ssh/authorized_keys and added the public key of 192.168.168.2 to it.

The problem:
Even after doing a kill -s HUP <sshd pid> on both machines, I still cannot SSH without being asked for a password. :( Surely this must be something in my SSHD configuration on 192.168.1.2 (or at least so I think).

The question(s):
- Does anyone know how to properly achieve this, without opening up the fall-back machine to the outside world (it is OK if it's open to 192.168.1.1)?
- Does anyone see anything wrong in the below (partially) listed sshd_config options?
Additional info:
I fiddled around somewhat with /etc/ssh/sshd_config on 192.168.168.2, and I tried various combinations of allowing/disallowing the below (all to no avail):

  PermitRootLogin yes
  AllowUsers root@192.168.1.1 olaf
  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys

Are these the only options that should be manipulated for this, and if so, how? Or should I also change some of the below (or other) sshd_config settings?

  #StrictModes yes

  # To disable tunneled clear text passwords, change to no here!
  #PasswordAuthentication yes
  #PermitEmptyPasswords no

  # Change to no to disable PAM authentication
  #ChallengeResponseAuthentication yes

  # rhosts authentication should not be used
  #RhostsAuthentication no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #RhostsRSAAuthentication no
  # similar for protocol version 2
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # RhostsRSAAuthentication and HostbasedAuthentication
  #IgnoreUserKnownHosts no

Thanks in advance, and cheers!
Olafo
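An added example, not part of the original post, for the fall-back (sshd) side of the setup described above: a POSIX sh snippet that checks the file permissions sshd's StrictModes enforces before it will read ~/.ssh/authorized_keys (a frequent reason a key login still prompts for a password), and that emits a restricted authorized_keys entry pinning a passphrase-less root key to the live server's address and one forced command. The sync-db.sh path and the key text are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers for the
# fall-back (sshd) side of the setup described above.

# Return 0 if the path is writable by neither group nor others. sshd's
# StrictModes refuses to use ~/.ssh/authorized_keys when the home directory,
# ~/.ssh or the file itself is group/world writable, and then falls back to
# asking for a password. Reads the mode string from ls -ld for portability.
not_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Check the three paths StrictModes inspects under a home directory.
# Prints each problem found; returns 0 only when everything is acceptable.
check_key_setup() {
    home=$1
    status=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            status=1
        elif ! not_group_or_world_writable "$p"; then
            echo "group/world writable, StrictModes will reject it: $p"
            status=1
        fi
    done
    return $status
}

# Emit an authorized_keys entry that only accepts the key from one source
# address and forces a single command, so a passphrase-less root key gives the
# live server exactly the backup job and nothing else. The command the client
# asked for (e.g. the mysqladmin line) arrives in $SSH_ORIGINAL_COMMAND, where
# the forced script can validate it. $1 = source address, $2 = forced command
# (placeholder path), $3 = public key text.
restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}
```

Run check_key_setup against the root home directory on the fall-back machine (e.g. check_key_setup /root) after copying the key over.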