<quote who="Patrick Hsieh">
> OK. My problem is, if I use rsync+ssh with blank passphrase among servers
> to automate rsync+ssh backup procedure without password prompt, then the
> cracker will not need to send any password as well as passphrase when ssh
> login onto another server, right?

No, password and rsa/dsa authentication are different authentication mechanisms.

> Is there a good way to automate rsync+ssh procedure without
> password/passphrase prompt, while password/passphrase is still required
> when someone attempts to ssh login?

1) Use a minimally-privileged account for the rsync process, disable the password on this account, so it cannot be used to login.
2) Generate a passphrase-less ssh key with ssh_keygen.
3) Add this to authorized_keys for the above account, specifying the command that logins with this key are allowed to run. See command="" in sshd(1).

Thus, no one can actually log in with the account normally, you can only connect with the rsa/dsa key, and you can only run a particular process.

ssh-agent doesn't really help you in this instance, it's generally used to provide single passphrase authentication for a user's session. (I use it to log in to the ~30-40 machines I have my public key on, without typing passwords every five minutes.)

- Jeff

--
"jwz? no way man, he's my idle" - James Wilkinson
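One way to implement step 3 of the reply above, as an added example that is not part of the original message: a forced-command wrapper that lets the passphrase-less key do nothing except pull files with rsync. The wrapper path, the `/srv/backup/` tree, the key comment and the assumed shape of rsync's server-side command line (`rsync --server --sender -<flags> . PATH`) are all assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for the backup key. Hypothetical install path:
# /usr/local/bin/rsync-pull-only. authorized_keys line for the account
# (key material is a placeholder):
#   command="/usr/local/bin/rsync-pull-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER backup-key
# sshd runs this script instead of the client's request and exposes the
# request in SSH_ORIGINAL_COMMAND.

ALLOWED_ROOT="/srv/backup/"   # assumption: the only tree this key may read

# check_command CMD: prints "allow" or "deny: <reason>"; returns 0 only on allow.
check_command() {
    cmd=$1
    [ -n "$cmd" ] || { echo "deny: interactive login"; return 1; }
    case $cmd in
        # Whitelist characters: no quotes, ;, |, $, globs, tabs or newlines.
        *[!A-Za-z0-9./_,=\ -]*) echo "deny: unexpected character"; return 1 ;;
        *..*) echo "deny: path traversal"; return 1 ;;
    esac
    set -- $cmd   # word splitting is safe after the whitelist above
    # Expected shape: rsync --server --sender -<short flags> . PATH...
    if [ "$#" -lt 6 ] || [ "$1 $2 $3" != "rsync --server --sender" ]; then
        echo "deny: not an rsync pull"; return 1
    fi
    case $4 in --*|[!-]*) echo "deny: unexpected option"; return 1 ;; esac
    [ "$5" = "." ] || { echo "deny: unexpected option"; return 1; }
    shift 5
    for path in "$@"; do
        case $path in
            "$ALLOWED_ROOT"*) ;;
            *) echo "deny: path outside $ALLOWED_ROOT"; return 1 ;;
        esac
    done
    echo "allow"
}

# sshd sets SSH_CONNECTION for every session; do nothing when merely sourced.
if [ -n "${SSH_CONNECTION:-}" ]; then
    verdict=$(check_command "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "$verdict" >&2
        exit 1
    }
    exec $SSH_ORIGINAL_COMMAND
fi
```

rsync also distributes a maintained script, rrsync, that serves the same purpose as this wrapper.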