System admins often find themselves struggling to automate routine tasks due to security constraints. Of course, security is of utmost importance, especially in a corporate environment, but what about routine tasks that must be automated?
Is there a secure way of transmitting information encrypted across machines but without having to authenticate manually each time?
Fortunately, the answer is yes!
Built in to OS X (and BSD/*nix for that matter) there are tools that allow you to automate routine tasks, such as backing up files using native rsync. By default when using rsync over SSH you would need to supply credentials i.e.
rsync -avz -e ssh remoteuser@remotehost:/remote/dir /local/dir/
The first step requires manually adding the key (RSA fingerprint) into your keys (not keychain) located on ~/.ssh (hidden folder). This is necessary to ensure that communications between server and host are encrypted. Click here to understand how RSA works.
Once you accept the request you will be presented with a password prompt for the remote system.
Once you enter the password and press return the process automatically starts and you can trust that the connection is encrypted between the two systems. This does not prevent eavesdropping, but you can rest assured that the eavesdropper will only receive encrypted content that cannot be decrypted without the private key of the host initiating the connection.
NOTE: The remote and local hosts need to trust each other and you must ensure that the remote host you are connecting to is in fact who you expect it to be, as an attacker can impersonate the remote host (man in the middle attacks etc.). In other words, make sure you know what you are doing…
All of the above are great and secure methods, but what if you are a system admin looking to automate a routine sync task? You definitely wouldn’t want to be running the above command(s) every time you need a sync to run and having to enter passwords each and every time.
Luckily there is a way to bypass the password restriction without having complete insecure systems.
Yet another tool built in to OS X is ssh-keygen. This allows you to create RSA (or DSA) keypairs that you can use to encrypt communications between hosts. As with RSA the remote host will need to “know” the other hosts public key to be able to communicate and vice versa.
If you were to run:
ssh-keygen -t rsa –f ~/.ssh/id_rsa -P "pass" –C “Comment”
you can initiate a RSA keypair generation that will be save under current users .ssh folder with password “pass” (not strictly required).
This will generate two files. “id_rsa” and “id_rsa.pub” obviously “id_rsa.pub” being the public key.
In order for the key to be able to be used you must rename the id_rsa.pub file to authorized_keys.
This can be done by issuing this command:
mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
You will now need to copy that public key to the remote users .ssh folder and this can be done either by “sneakernet” or even better by SCP or any other remote file transfer tool. For SCP you can again use native built in tool SCP to perform the transfer securely.
scp ~/.ssh/authorized_keys remoteuser@remotehost:~/.ssh/authorized_keys
Your tasks are now complete. You can now use rsync over SSH (or SSH for that matter) without a request for a password again for that particular remote host.
All you need now is script the rsync commands and rest assured that you will not be required to manually enter a password for the remote host.
rsync -auzrlv -e ssh remoteuser@remotehost:/remote/dir /local/dir/
NOTE: rsync arguments may differ in each case and depend on your requirements so always have a look at manuals, man rsync
You should always ensure that your hosts are secured, as a malicious user with access to the initiating machine will be able to SSH into the remote host without a password!!
If you want to allow this on multiple remote hosts then you can append authorized_keys to include multiple keys. To do that simply run the keypair again use cat to append to original.
cat location/of/new/authorized_keys >> location/of/original/authorized_keys
It is always a good idea to have restrictions for the users to prevent unauthorized access to sensitive files, as would be the case if you were to use an administrative account on the remote host. You can restrict access using ACLs or POSIX permissions.