On Fri 19 August 2011 12:58:10 Grant did opine thusly:
> >> Is the purpose of the Host block in .ssh/config to store the
> >> hostname of the backup server so it doesn't need to be used
> >> directly in the rdiff-backup command?
> > 
> > It forces key-based authentication when connecting to the backup
> > server. The default is password-based, which obviously won't
> > work in a cron job.
> I don't use an .ssh/config at all and I'm not prompted for a
> password if the keys are in place.  My sshd_config is pretty much
> default and my normal user is prompted for a password.
sshd can use various schemes for user authentication. The overall 
process is:

user connects
user is authenticated somehow
user's shell is launched

The middle step is highly variable. sshd can do all of it itself using 
only keys, or it could be happy with password authentication; it can 
even use PAM and obey whatever yes/no result PAM comes back with. 

sshd runs as root (therefore with access to /etc/shadow) so it could 
even validate passwords itself if it wanted, bypassing login and PAM 
entirely. This is of course a silly idea, but still technically 
feasible.
.ssh/config is only useful when the user desires options different 
from the global defaults in /etc/ssh/sshd_config, or wants to do extra 
actions for specific destination hosts.
> 
> >> Why create a password for the backup user?  Doesn't that open
> >> up the possibility of someone logging in as that user, when
> >> otherwise the account would only be used for backing up
> >> files?
> > 
> > It might work without one; in these instructions the
> > machine-to-be-backed-up never connects to the backup server as
> > root, and so you need a way to SCP stuff to the backup server.
> > I usually use a `pwgen 16` password for these accounts and then
> > immediately forget it, so nobody will log in to them for a few
> > billion years at least.
> > 
> > Does key-based authentication work with no password? I've never
> > tried.
> It does! :)
> 
> - Grant
-- 
alan dot mckinnon at gmail dot com
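As an added illustration, not part of the thread above, here is a client-side ~/.ssh/config Host block of the kind the thread discusses, set so a cron job fails fast on key trouble instead of waiting at a prompt, together with a server-side authorized_keys entry that confines that key to rdiff-backup's server mode. The host name, user name, key path and the key material are placeholders.

```sshconfig
# --- client side: ~/.ssh/config on the machine being backed up ---
# "rdiff-backup ... backup::/path" then resolves "backup" through this block,
# so the real hostname and user never appear in the cron command line.
Host backup
    HostName backup.example.com          # placeholder hostname
    User backupuser                      # placeholder unprivileged account
    IdentityFile ~/.ssh/id_backup        # dedicated key, not your personal one
    IdentitiesOnly yes                   # do not try every key the agent holds
    PasswordAuthentication no            # never fall back to a password
    KbdInteractiveAuthentication no      # no keyboard-interactive/PAM prompts
    BatchMode yes                        # no prompts at all: fail instead of hang
    StrictHostKeyChecking yes            # unknown or changed host key -> fail

# --- server side: ~backupuser/.ssh/authorized_keys on the backup server ---
# The key may only run rdiff-backup's server side; no shell, no forwarding.
# Key material below is a placeholder, not a real key.
command="rdiff-backup --server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...PLACEHOLDER... cron@client
```

With BatchMode and StrictHostKeyChecking set this way, a missing key or a changed server host key shows up as a failed cron run in the logs rather than a silently stuck ssh process.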
