I have 6 devices that i rsync to a central location to back them up. Ive been using ssh as the -e option. Problem is i use public key with passphrases, meaning to backup all six i need to go to each device and run the backup script. Since i typically backup /etc, /home, and /root this means entering sudo and the ssh passphrase 3x for each device.
I would much prefer a script that runs on back storage device that can pull the data from each device without having to use ssh (encryption is not necessary since all traffic is either local or going through a vpn connection).
I could then put this script in root's crontab or make it a systemd service running as root.
But i dont know how i can remote sync without ssh
From my understanding, the issue is you can't run them as background script because it is promoting you for the passphrase of the ssh key?
The easiest way to solve this is to use a ssh key that has no passphrase. Yes it's possible and it won't prompt you for it. Whenever you create a key, it asks you to enter a passphrase. If you hit enter without entering anything, there's no passphrase.
But if you just don't want ssh at all, you can use rsync daemon. Someone else mentioned it here. It's not as hard as they said, especially if you're in a local network where you're fine without encryption.
rsync with open SSH certificates is secure without prompting for any password at all
tbh why not jsut set them up with an ssh key that doesn't have an associated passphrase? Besides that, if you don't care about encrypting like you say, then you could replace all calls to ssh with telnet.
At least that's my immediate thoughts.
Because i don't like have passphraseless keys on my devices, i may just be being paranoid.
You can create a key pair that is specifically just for this kind of backup transaction.
To limit its affects, create a user and group on each of the devices that are highly restricted.
This is actually the most secure solution that doesn't require an interactive password prompt. The passwordless key only serves this one purpose and has small attack surface.
Look into ssh agent. It's a program that runs in the background and "caches" ssh keys after you unlock them once.
I have tried but it doesn't really work in the script. You load the key into the agent but it still asks for the passphrase
Maybe these will help:
- https://superuser.com/questions/1752313/starting-ssh-agent-from-a-script-for-use-in-multiple-scripts-invoked-by-git
- https://www.ssh.com/academy/ssh/agent
You could rsync with directories shared on the local network, like a samba share or similar. It's a bit slower than ssh but for regular incremental backups you probably won't notice any difference, especially when it's supposed to run in the background on a schedule.
Alternatively use a non-password protected ssh key, as already suggested.
You can also write rsync commands or at least a shell script that copies all of your desired directories with one command rather than one per file.
I am also going to recommend the same solution as @matcha_addict@lemy.lol in this comment: https://lemmy.ml/comment/7998407
You can create a key pair that is specifically just for this kind of backup transaction.
To limit its affects, create a user and group on each of the devices that are highly restricted.
This is actually the most secure solution that doesn’t require an interactive password prompt. The passwordless key only serves this one purpose and has small attack surface.
Basically, you can tell SSH to allow root login on certain devices by setting up a root key pair. You configure SSH on the target device such that when it logs in, the login must run a script or a single command instead of running a shell, this limits what attackers can do if they somehow steal your private keys. You can also keep these private keys in your SSH agent so you only have to enter their passwords once, this will allow you to run remote commands without a password.
I would recommend also exploring the possibility of setting up an Rsync Daemon on each remote device, it keeps an Rsync process running on a remote device and listens for connections from Rsync clients. https://linuxconfig.org/how-to-setup-the-rsync-daemon-on-linux
On an unrelated topic: you might also want to look into using Btrfs and making and transferring snapshots to other devices.
I have decided to use rrsync to do this.
Im using btrfs on the back drive but using ext4 on the remote devices. Wont the snapshots, if sent to a remote device be the same size as the original data?
I guess the Btrfs snapshopt approach is not possible for your setup since the devices you want to backup are not Btrfs and cannot create snapshots.
Yes, the snapshots will be the size of the whole partition, I had not thought about that problem. I do not know if it is possible to create incremental snapshots with Btrfs.
I've tried it before but i want a situation where i dont need to use the ssh agent. I think i'm gonna go with using rrsync
