In our last part, we used rsync to connect to a remote server to perform incremental backups. The problem is that we really want this to be automatic. Scheduling when a backup occurs is actually fairly simple. What is more work is performing automatic authentication so our backup can occur without user intervention.
Authentication using an SSH key
We’ll be using an SSH key to authenticate ourselves with Strongspace (or any other rsync server for that matter). Thanks have to go to Jens-Christian Fischer’s post on his own backup solution, which helped get me started. To start with, open a terminal and enter the following command:
$ ssh-keygen -t dsa -b 1024
Leave the key location unchanged, but enter a passphrase. You can choose not to enter a passphrase (and this will simplify things), but this is pretty insecure: if anyone gets hold of your key, they’ll be able to access your Strongspace files without the need for a password.
Now we’ve generated our key, we can use it to authenticate ourselves when connecting to the remote server. The server we’re connecting to needs a copy of our public key:
$ cp ~/.ssh/id_dsa.pub authorized_keys
Log into Strongspace via the web interface, create a directory called .ssh and copy the authorized_keys file into this directory. To test this, run the rsync command we created in part one:
$ rsync -azvL /Users/johnsmith/backup email@example.com:/home/johnsmith/backups/mac
This time, rather than the Strongspace server asking you for your password, you’ll get prompted for your key’s passphrase.
So at this point you must be thinking “Well, what was the point of that – you’ve replaced the need to enter the password for the remote server, with the need to enter a passphrase for your key!” – and you’d be right. What we need is some kind of software that can be used to automatically handle unlocking our key.
SSHKeychain is an OSX specific SSH key management tool. When using tools like ssh, SSHKeychain can automatically look up your passphrase. Download and install the tool, then start it up. Open the Preferences pane, select the Environment tab and enable Manage global environment variables – this will allow other applications to use the keys managed by SSHKeychain. Check the keys tab and ensure your key (~/.ssh/id_dsa) is visible. Finally select Agent/Key Status from the Agent menu, enter your passphrase for your key, and enable the option to add the passphrase to your keychain – this means that when you log on, SSHKeychain will automatically have access to your SSH key’s passphrase. So long as you’re logged on you’ll have no need to type it in again.
For SSHKeychain to start managing your key, you’ll need to log off and back on, but before you do it’s a good idea to add SSHKeychain to your startup items so you don’t have to remember to start it up every time.
Once you’ve logged off and back on, SSHKeychain will be silently managing your keys. The first time you use an application like rsync, SSHKeychain will look in your OSX Keychain, locate the passphrase for your key and automatically authenticate you. Note that you will need to be logged in for this to work, as SSHKeychain needs to be running, and your OSX Keychain needs to be unlocked.
To test this, after logging back in run our rsync command again – this time you shouldn’t be prompted for any password.
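An added check, not part of the original post: once rsync stops prompting, it is worth confirming that the key on disk is still passphrase-protected, which can be read from the key file's own headers. It covers the legacy PEM format and goes beyond it to the newer OpenSSH and PKCS#8 formats; the function names are this example's own and the sample keys are constructed, with no real key material.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"  # header of the newer OpenSSH private key format

def key_is_encrypted(text):
    """Return True if the private key file contents are passphrase-protected."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        raise ValueError("not a private key file")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Legacy PEM (e.g. BEGIN DSA PRIVATE KEY): encryption is announced
        # by a Proc-Type header placed before the base64 body.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    # Newer format: magic, then a length-prefixed cipher name ("none" = no passphrase).
    blob = base64.b64decode("".join(ln for ln in lines if not ln.startswith("-----")))
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
        raise ValueError("bad openssh-key-v1 header")
    (n,) = struct.unpack_from(">I", blob, len(MAGIC))
    start = len(MAGIC) + 4
    return blob[start:start + n] != b"none"

def sshstr(b):
    """Length-prefixed string as used inside openssh-key-v1 blobs."""
    return struct.pack(">I", len(b)) + b

def sample_openssh_key(cipher):
    """Constructed header-only sample; contains no real key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = base64.b64encode(MAGIC + sshstr(cipher) + sshstr(kdf) + sshstr(b"")).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy-format samples (body is placeholder base64, not a key).
LEGACY_ENCRYPTED = ("-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nY29uc3RydWN0ZWQ=\n"
                    "-----END DSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN DSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END DSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Report on each private key path given on the command line.
    for path in sys.argv[1:]:
        with open(path) as fh:
            status = "passphrase-protected" if key_is_encrypted(fh.read()) else "NO PASSPHRASE"
        print(f"{path}: {status}")
```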
In part three we’ll complete our backup solution by creating an automated backup script.
3 Responses to “Trouble free backups, Part Two – SSH Keys for trouble free authentication”
Thanks, Sam! SSHKeyChain was exactly what I needed to set up my ssh tunnels and made using Unison on a cron job much simpler. By the way, cron isn’t dead, it’s just sleeping. 🙂
By the way, you should look at Unison too. It’s what I’m using for backups and synchronization, but as I haven’t used rsync in a long time, I don’t know exactly what the differences are.
I looked at Unison – the main reason I went with rsync was because Strongspace (http://www.strongspace.com/) better supports rsync (they do mention support for Unison, but information on using it seems a little light). I did also hear that active development had ceased on Unison, although that might just reflect the fact that the tool already does what it needs to. The one thing in rsync’s favour is that it at least ships out of the box with most *NIX distros and even cygwin.
I’ve been trying to follow this guide, but I am unable to login without being asked for my key’s password… any ideas on how to make SSHKeychain manage the keys? One thing I did notice is that nothing shows up referencing the created keys anywhere in the GUI for SSHKeychain…
Looking forward to hearing from you and thanks for the tutorial!