I've been using rsync over ssh to copy changed files from one Linux host to a backup. This works fine for moving files in one direction, but not for synchronizing files that may be changed on either host. It also required that I be logged on so my ssh-agent would provide the password for the ssh connection, which prevented automated synchronization. So I wanted to find a solution that would:
- Allow me to make changes on either host
- Run automatically
- Maintain security
The solution was unison and a few tricks with OpenSSH public key authentication.
Public key authentication in OpenSSH works great for interactive logins, and using it with PuTTY and Pageant makes life for a Unix admin wonderful. But automated ssh connections are a different story, because opening up the private key requires a password.
The solution to the private key dilemma is, of course, to create your private key with no password. This is how Apache SSL servers generally work, and the private key is carefully protected. But having an unprotected private key ANYWHERE that can be used to move to multiple hosts is dangerous.
So how do you automate your ssh connections? The secret is in realizing that you can maintain multiple identities (private keys) and use them for different purposes.
So to create an automated connection from hostA to hostB using ssh, do the following:
Use ssh-keygen to create a new private/public key pair. Name it something other than the default; I named it .ssh/unison_key_rsa. Choose to create NO password for the file. (Don't worry, nothing trusts the key yet.)
FOR TESTING ONLY:
copy and paste the ~userA/.ssh/unison_key_rsa.pub file and append it to the ~userB/.ssh/authorized_keys file on hostB.
Test the key from hostA:
ssh -i .ssh/unison_key_rsa userB@hostB
If it prompts you to add the host to known_hosts, do so. You should now have an ssh connection as userB@hostB.
Now edit the .ssh/authorized_keys file on hostB and add the following to the beginning of the new public key:
from="hostA",command="unison -server" ssh-rsa AAA..........
This will prevent this key from being used for ANYTHING except running unison in server mode, and ONLY from hostA. Now test unison:
unison -batch -sshargs '-i .ssh/unison_key_rsa' -times localdir ssh://userB@hostB/remotedir
It should connect, run the unison server on hostB, and synchronize localdir with remotedir. If you try to just ssh to hostB using the new private key, sshd ignores whatever command you asked for and runs the unison server instead, so the key is useless for anything else:
$ ssh -i .ssh/unison_key_rsa hostB
Unison 2.13
Be sure your private keys and authorized_keys files are carefully protected. ssh generally won't work if the permissions are wrong (the .ssh directory should be 700 and the key and authorized_keys files 600), so that is a good check that you are set up correctly.
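Putting the two pieces together, here is an added example (not from the original post) that builds the restricted authorized_keys line from a public key file and then runs the permission check described above. The public key in it is a constructed dummy, not a real one. Beyond the from= and command= options the post uses, the script also adds no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty; those are standard OpenSSH authorized_keys options and are an extra hardening step of my own, since a forced command alone does not stop the key being used as a tunnel.

```shell
#!/bin/sh
# Added example: generate a locked-down authorized_keys entry for the
# unison key and verify the file permissions sshd expects.

# Prepend the restrictions to a public key line. $1 is the .pub file,
# $2 is the host (or address pattern) allowed to use the key.
# The no-* options go beyond the post's line; they close off forwarding
# and pty allocation, which a forced command by itself leaves open.
restrict_key() {
    pubfile=$1
    allowed_host=$2
    printf 'from="%s",command="unison -server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$allowed_host" "$(cat "$pubfile")"
}

# Octal mode of a file: GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the .ssh directory is 700 and the private key and
# authorized_keys (whichever exist) are 600; otherwise name the offender
# and return 1. This mirrors what sshd's StrictModes check rejects.
check_perms() {
    sshdir=$1
    ok=0
    [ "$(file_mode "$sshdir")" = 700 ] || { echo "bad mode on $sshdir"; ok=1; }
    for f in "$sshdir"/unison_key_rsa "$sshdir"/authorized_keys; do
        [ -f "$f" ] || continue
        [ "$(file_mode "$f")" = 600 ] || { echo "bad mode on $f"; ok=1; }
    done
    return $ok
}

# Demo on a throwaway directory with a constructed (fake) key pair.
demo_dir=$(mktemp -d)
mkdir -m 700 "$demo_dir/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructed userA@hostA\n' \
    > "$demo_dir/.ssh/unison_key_rsa.pub"
: > "$demo_dir/.ssh/unison_key_rsa"
chmod 600 "$demo_dir/.ssh/unison_key_rsa"

# This is the line you would append to ~userB/.ssh/authorized_keys on hostB.
restrict_key "$demo_dir/.ssh/unison_key_rsa.pub" hostA | tee "$demo_dir/.ssh/authorized_keys"
chmod 600 "$demo_dir/.ssh/authorized_keys"

if check_perms "$demo_dir/.ssh"; then
    echo "permissions OK"
fi
rm -rf "$demo_dir"
```

One caveat on from=: sshd matches the pattern against the client's IP address and against the hostname it gets from reverse DNS, so "hostA" only works if that is what hostB resolves the connecting address to; an address pattern such as 192.0.2.10 (a documentation address used here as a placeholder) avoids the DNS dependency.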