From owner-freebsd-questions@FreeBSD.ORG Wed Nov 16 13:16:18 2005
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9CC7516A41F for ; Wed, 16 Nov 2005 13:16:18 +0000 (GMT) (envelope-from o.greve@axis.nl)
Received: from yggdrasil.interstroom.nl (yggdrasil.interstroom.nl [80.85.129.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D06F43D5A for ; Wed, 16 Nov 2005 13:16:13 +0000 (GMT) (envelope-from o.greve@axis.nl)
Received: from ip127-180.introweb.nl ([80.65.127.180] helo=[192.168.1.42]) by yggdrasil with asmtp (Exim 3.35 #1 (Debian)) id 1EcN8q-0004un-00; Wed, 16 Nov 2005 14:16:00 +0100
Message-ID: <437B310F.8070501@axis.nl>
Date: Wed, 16 Nov 2005 14:15:59 +0100
From: Olaf Greve
User-Agent: Mozilla Thunderbird 1.0.7-1.4.1.centos4 (X11/20051007)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-MailScanner-Information: Interstroom virusscan, please e-mail helpdesk@interstroom.nl for more information
Subject: How to properly set-up an SSH tunnel on FreeBSD for automatic backups
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 16 Nov 2005 13:16:18 -0000

Hi,

I'm trying to set up an SSH tunnel between two FreeBSD machines, over a direct cross-wire connection between the two, and I'm having issues in doing so. The question(s) I have is/are probably not FreeBSD specific, but still I hope someone can answer it/them...

The situation:

I have two servers (one live, and one staging/fall-back server), and between the two of those I have set up a local network. The live machine is 192.168.1.1 and the fall-back machine is 192.168.1.2. Now, I have already figured out how to synch the files using rsync, and in order to automatically down-synch the live MySQL database to the fall-back machine at specific times a day, I want to be able to run (from the live server) a script that performs commands like this one:

ssh 192.168.1.2 "mysqladmin -f drop $database"

The followed approach:

In order to be able to run this as root from a cron job, without having to type a password, I tried doing the following (which can be found all over the Internet).

- On 192.168.1.2: as root, generate a (passphrase-less) public RSA key (i.e. ssh-keygen -t rsa), and in /etc/ssh/sshd_config add a line like
  AllowUsers root@192.168.1.1 olaf
- On 192.168.1.2 I created the file ~/.ssh/authorized_keys and added the public key of 192.168.168.2 to it

The problem:

Even after doing a kill -s HUP on both machines, I still cannot SSH without being asked for a password. :(
Surely this must be something in my SSHD configuration on 192.168.1.2 (or at least so I think).

The question(s):

- Does anyone know how to properly achieve this, without opening up the fall-back machine to the outside world (it is OK if it's open to 192.168.1.1)?
- Does anyone see anything wrong in the below (partially) listed sshd_config options?

Additional info:

I fiddled around somewhat with /etc/ssh/sshd_config on 192.168.168.2, and I tried various combinations of allowing/disallowing the below (all to no avail):

PermitRootLogin yes
AllowUsers root@192.168.1.1 olaf
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Are these the only options that should be manipulated for this, and if so, how? Or should I also change some of the below (or other) sshd_config settings?

#StrictModes yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

Thanks in advance, and cheers!
Olafo
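The following shell script is an added example for readers of this thread; it is not code from the original post or from the FreeBSD project. It audits the things that, in practice, explain most "the key is installed but sshd still prompts for a password" cases on the receiving host: the `StrictModes` check (home directory, ~/.ssh and authorized_keys must not be group- or world-writable), and the effective values of `PubkeyAuthentication` and `PermitRootLogin` in sshd_config, where sshd honours the first uncommented occurrence of a keyword. It also shows how to confine a passphrase-less root key used from cron: an authorized_keys entry restricted with `from=` to the live host's address and with forwarding and PTY allocation disabled, so that the key can only run non-interactive commands from 192.168.1.1. The paths, the sample config and the key material used for illustration are constructed, and the `from=`/`no-*` option names are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example (not from the original post): audit the usual causes of
# "key is installed but sshd still asks for a password", and build a
# restricted authorized_keys entry. Paths passed in are assumptions.

# Print the numeric permission bits of a path; GNU stat first, BSD stat second.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Effective value of an sshd_config keyword. sshd uses the first uncommented
# occurrence of a keyword, so stop at the first match; otherwise print the
# default supplied by the caller.
sshd_option() {
    _file=$1 _key=$2 _default=$3
    _val=$(awk -v k="$_key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# Mirror the StrictModes test: the home directory, ~/.ssh and
# ~/.ssh/authorized_keys must exist and must not be group- or world-writable.
# Prints one line per offending path; the return value is the problem count.
check_key_dir() {
    _home=$1 _bad=0
    for _p in "$_home" "$_home/.ssh" "$_home/.ssh/authorized_keys"; do
        if [ ! -e "$_p" ]; then
            echo "missing: $_p"; _bad=$((_bad + 1)); continue
        fi
        _m=$(mode_of "$_p")
        # 18 decimal == 022 octal: the group and other write bits
        if [ $(( 0$_m & 18 )) -ne 0 ]; then
            echo "group/world writable ($_m): $_p"; _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# Does sshd_config allow what a root cron job needs: public-key auth on and
# root permitted (at least with a key)? Returns 0 when both hold. The "yes"
# defaults below match OpenSSH of the era; newer releases default
# PermitRootLogin to prohibit-password, so pass your version's default.
check_sshd_config() {
    _cfg=$1 _ok=0
    _pub=$(sshd_option "$_cfg" PubkeyAuthentication yes)
    _root=$(sshd_option "$_cfg" PermitRootLogin yes)
    [ "$_pub" = yes ] || { echo "PubkeyAuthentication is $_pub"; _ok=1; }
    case $_root in
        yes|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is $_root"; _ok=1 ;;
    esac
    return $_ok
}

# Build an authorized_keys entry that limits a passphrase-less key to one
# client address and forbids forwarding and interactive sessions. no-pty does
# not affect `ssh host "command"`, which requests no TTY.
# $1 = allowed client address; stdin = the public key line (id_rsa.pub).
restrict_key() {
    read -r _pubkey
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$_pubkey"
}

# Usage on the receiving host: sh sshkey-audit.sh /root /etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    check_key_dir "$1" && echo "permissions OK"
    check_sshd_config "$2" && echo "sshd_config OK"
fi
```

Run it on the machine that is being logged into, against the home directory of the account the key is installed for. A restricted entry is produced by piping the client's public key through `restrict_key 192.168.1.1` and appending the result to that account's authorized_keys; adding a `command=` option on top of it would pin the key to a single wrapper script, which is the tightest form for a scheduled job.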