From owner-freebsd-questions@FreeBSD.ORG Sat May 30 22:58:05 2009
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F298C106564A for ; Sat, 30 May 2009 22:58:05 +0000 (UTC) (envelope-from vogelke@hcst.com)
Received: from beta.hcst.com (beta.hcst.com [192.52.183.241]) by mx1.freebsd.org (Postfix) with ESMTP id B59A78FC08 for ; Sat, 30 May 2009 22:58:05 +0000 (UTC) (envelope-from vogelke@hcst.com)
Received: from beta.hcst.com (localhost [127.0.0.1]) by beta.hcst.com (8.13.8/8.13.8/Debian-3) with ESMTP id n4UMw45H015669 for ; Sat, 30 May 2009 18:58:04 -0400
Received: (from vogelke@localhost) by beta.hcst.com (8.13.8/8.13.8/Submit) id n4UMw4Gi015668; Sat, 30 May 2009 18:58:04 -0400
Received: by kev.msw.wpafb.af.mil (Postfix, from userid 32768) id 9F22EBECA; Sat, 30 May 2009 18:56:34 -0400 (EDT)
To: freebsd-questions@freebsd.org
In-reply-to: <20090527150330.448cdd7a@gom> (message from prad on Wed, 27 May 2009 15:03:30 -0700)
Organization: Oasis Systems Inc.
X-Disclaimer: I don't speak for the USAF or Oasis.
X-GPG-ID: 1024D/711752A0 2006-06-27 Karl Vogel
X-GPG-Fingerprint: 56EB 6DBF 4224 C953 F417 CC99 4C7C 7D46 7117 52A0
Message-Id: <20090530225634.9F22EBECA@kev.msw.wpafb.af.mil>
Date: Sat, 30 May 2009 18:56:34 -0400 (EDT)
From: vogelke+unix@pobox.com (Karl Vogel)
Subject: Re: rsync approach
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: vogelke+unix@pobox.com
List-Id: User questions
X-List-Received-Date: Sat, 30 May 2009 22:58:06 -0000

>> On Wed, 27 May 2009 15:03:30 -0700,
>> prad said:

P> We are thinking of rsync to duplicate 1st [box] > 2nd [box] (with the
P> exception of rc.conf and a few other files of course because we don't
P> want them to be absolutely identical).

P> we plan to allow root login and have disabled all password access so
P> that rsync can preserve permissions. is this a good way to accomplish
P> the bkp job?

If you're going to use root login, I'd suggest access control for ssh via
either daemontools or tcpwrappers, and add some extra security by putting
'from="hostname"' in root's entry in the "authorized_keys2" file:

  from="1st.box.com" ssh-dss AAAAB3NzaC1MtH[...]WDXDrq03pE= root@1st.box.com

It's not strictly necessary to allow root connections if you want to keep
permissions intact. I use an unprivileged account ("bkup") to copy gzipped
cpio archives between systems. On the 1st box, root can use pax or cpio to
create the archive, and then run something as user "bkup" to do the copy to
the 2nd box:

  root# cd /some/where
  root# find . -print | pax -x cpio -wd | gzip -1c > /tmp/arch.pax.gz
  root# su bkup -c "scp -c arcfour -i /bkup/.ssh/backuphost_dsa \
        /tmp/arch.pax.gz 2nd.box.com:/someplace/bkup/can/write"

The arcfour cipher will probably give you better throughput.

To unpack the files on 2nd.box.com:

  root# cd /some/where/else
  root# gunzip -c /someplace/bkup/can/write/arch.pax.gz | pax -rd -pe
  root# rm /someplace/bkup/can/write/arch.pax.gz

If the files you're syncing are huge, you're better off using root login
plus rsync.

-- 
Karl Vogel                      I don't speak for the USAF or my company

SUVs are gross because they're the solution to a gross problem: how to
make minivans look more masculine.                        --Paul Graham
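The message above recommends tying every key in root's authorized_keys file to a source host with a from="..." option. The script below is an added example, not part of Karl Vogel's post or of any FreeBSD tool: it audits an authorized_keys file and reports each key entry that has no from= restriction, so a key added later without one gets noticed. It assumes only POSIX sh and awk; the sample entries it writes are constructed placeholders, not real keys, and the file name, function names and the `root@laptop` / `bkup@2nd.box.com` comments are assumptions.

```sh
#!/bin/sh
# Added example (not code from the original message): audit an
# authorized_keys file for key entries lacking a from="host" restriction.
# Assumes POSIX sh + awk. Sample data below is constructed.

# Print one report line per key entry that lacks a from= option.
# Exit status 0 when every key is restricted, 1 otherwise.
audit_authorized_keys() {
    awk '
        # skip blank lines and comments
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        {
            # locate the key-type token; everything before it is the
            # (optional) comma-separated options field
            if (!match($0, /(^|[ \t])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))[ \t]/)) {
                printf "line %d: unrecognised entry\n", NR; bad++; next
            }
            opts = substr($0, 1, RSTART - 1)
            if (opts ~ /^[ \t]*$/) {
                printf "line %d: no options, key is unrestricted\n", NR; bad++; next
            }
            if (opts !~ /(^|,)from="[^"]+"/) {
                printf "line %d: options present but no from= restriction\n", NR; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Number of unrestricted entries in the file given as $1.
count_unrestricted() {
    audit_authorized_keys "$1" | awk 'END { print NR }'
}

# Constructed sample: three entries, only the first carries a from= option.
write_sample() {
    cat > "$1" <<'EOF'
# root's authorized_keys (constructed sample, placeholder key material)
from="1st.box.com" ssh-dss AAAAB3NzaC1MtHEXAMPLE= root@1st.box.com
ssh-rsa AAAAB3NzaC1yc2EEXAMPLE= root@laptop
command="/usr/local/bin/backup-only",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE= bkup@2nd.box.com
EOF
}

# Usage: ./audit_keys.sh /root/.ssh/authorized_keys2
# With no argument the constructed sample is audited instead.
if [ $# -gt 0 ]; then
    audit_authorized_keys "$1"
else
    sample=$(mktemp)
    write_sample "$sample"
    audit_authorized_keys "$sample" || true
    echo "unrestricted entries: $(count_unrestricted "$sample")"
    rm -f "$sample"
fi
```

Run against the sample it reports the plain `ssh-rsa` line and the `command=` line (which limits what the key may run but not where it may come from) and exits non-zero; a file in which every entry has a from= option exits zero, which makes it usable from a periodic check.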