Sam Newman's site, a Consultant at ThoughtWorks

In our last part, we used rsync to connect to a remote server to perform incremental backups. The problem is that we really want this to be automatic. Scheduling when a backup occurs is actually fairly simple. What is more work is performing automatic authentication so our backup can occur without user intervention.

Authentication using an SSH key

We’ll be using an SSH key to authenticate ourselves with Strongspace (or any other rsync server for that matter). Thanks have to go to Jens-Christian Fischer’s post on his own backup solution, which helped get me started. To start with, open a terminal and enter the following command:


$ ssh-keygen -t dsa -b 1024

Leave the key location unchanged, but enter a passphrase. You can choose not to enter a passphrase (and this will simplify things) however this is pretty insecure. If anyone gets hold of your key they’ll be able to access your Strongspace files without the need for a password.

Now we’ve generated our key, we can use it to authenticate ourselves when connecting to the remote server. The server we’re connecting to needs a copy of our public key:

$ cp ~/.ssh/ authorized_keys

Log into Strongspace via the web interface, create a directory called .ssh and copy the authorized_keys file into this directory. To test this, run the rsync command we created in part one:


$ rsync -azvL /Users/johnsmith/backup

This time, rather than the Strongpsace server asking you for your password, you’ll get prompted for your key’s passphrase.


So at this point you must be thinking “Well, what was the point of that – you’ve replaced the need to enter the password for the remote server, with the need to enter a passphrase for your key!” – and you’d be right. What we need is some kind of software that can be used to automatically handle unlocking our key.

SSHKeychain is an OSX specific SSH key management tool. When using tools like rsync or ssh, SSHKeychain can automatically lookup your passphrase. Download and install the tool, then start it up. Open the Preferences pane, select the Environment tab and enable Manage global environment variables – this will allow other applications to use the keys managed by SSHKeychain. Check the keys tab and ensure your key (~/.ssh/id_dsa) is visible. Finally select Agent/Key Status from the Agent menu, enter your passphrase for your key, and enable the option to add the passphrase to your keychain – this means that when you log on, SSHKeychain will automatically have access to your SSH key’s passphrase. So long as you’re logged on you’ll have no need to type it in again.

For SSHKeychain to start managing your key, you’ll need to log off and back on, but before you do it’s a good idea to add SSHKeychain to your startup items so you don’t have to remember to start it up every time.

Once you’ve logged off and back on, SSHKeychain will be silently managing your keys. The first time you use an application like ssh or rsync, SSHKeychain will look in your OSX Keychain, locate the passphrase for your key and automatically authenticate you. Note that you will need to be logged in for this to work, as SSHKeychain needs to be running, and your OSX Keychain needs to be unlocked.

To test this, after logging back in run our rsync command again – this time you shouldn’t be prompted for any password.

In part three we’ll complete our backup solution by creating an automated backup script.

3 Responses to “Trouble free backups, Part Two – SSH Keys for trouble free authentication”

  1. Carlos Villela

    Thanks, Sam! SSHKeyChain was exactly what I needed to set up my ssh tunnels and made using Unison on a cron job much simpler. By the way, cron isn’t dead, it’s just sleeping. 🙂

    By the way, you should look at Unison too. It’s what I’m using for backups and synchronization, but as I haven’t used rsync in a long time, I don’t know exactly what the differences are.

  2. Sam Newman

    I looked at Unison – the main reason I went with rsync was because “Strongspace”: better supports rsync (they do mention support for Unison, but information on using it seems a little light). I did also hear that active development had ceased on Unison, although that might just reflect the fact that the tool already does what it needs to. The one thing in rsync’s favour is that it at least ships out of the box with most *NIX distros and even cygwin.

  3. nsidney


    I’ve been trying to follow this guide, but I am unable to login without being asked for my key’s password… any ideas on how to make SSHKeychain manage the keys? One things I did notice is that nothing shows up referencing the created keys anywhere in the GUI for SSHKeychain…

    Looking forward to hearing from you and thanks for the tutorial!


Leave a Reply to Carlos Villela Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Basic HTML is allowed. Your email address will not be published.

Subscribe to this comment feed via RSS

%d bloggers like this: