I have root ssh logins disabled on my server, but I currently want to back up some files owned by root onto my local box.
I am trying to figure out a way to use SCP to retrieve files while logged in via SSH, without running an ssh daemon on my local box and without installing any additional tools.
Just wondering if this is possible? I don't think it is.
The only method I can think of is to run a script that logs in via a user account, then su's to root, then copies, but I am trying to avoid this because I don't wish to hardcode my root password into a script file on my local machine.
You can do what you want with a combination of rsync, ssh, and sudo.
If you add a local user, "privileged", to your machine, you can then allow that user to run rsync via sudo, which will allow you to remotely fetch files only readable by root to your local system.
Once you have that in place you can run something like this to fetch files:
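The following is an added example of the rsync + ssh + sudo approach, not the answer's own command. It assumes a server account named `privileged`, a host `server.example.com`, a source directory `/var/lib/secret-app/`, and rsync installed at `/usr/bin/rsync` on the server; all of these are illustrative.

```shell
#!/bin/sh
# Added example (not from the original answer). Pull root-only files from a
# server over ssh without enabling root logins: an unprivileged account
# ("privileged", an assumed name) may run rsync as root via sudo, and the
# local side tells rsync to invoke "sudo rsync" on the remote end.
# Host name, paths and user name are assumptions for illustration.

REMOTE_USER="privileged"
REMOTE_HOST="server.example.com"
REMOTE_SRC="/var/lib/secret-app/"      # trailing slash: copy the contents
LOCAL_DEST="${HOME:-/tmp}/backup/secret-app/"

# The sudoers line to add on the server with visudo. When the local side
# pulls, rsync execs "rsync --server --sender ..." remotely, so limiting sudo
# to that form lets the account read files as root but not use rsync to
# write files as root. sudoers' '*' is a loose glob, so treat this as a
# narrowing of the privilege, not a complete sandbox. NOPASSWD is required
# because there is no tty for sudo to prompt on.
sudoers_entry() {
    printf '%s ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *\n' "$1"
}

# Build the pull command line. -e ssh uses the caller's normal key or agent;
# --rsync-path replaces the remote rsync binary with "sudo rsync".
rsync_pull_cmd() {
    user=$1 host=$2 src=$3 dest=$4
    printf 'rsync -avz -e ssh --rsync-path="sudo rsync" %s@%s:%s %s\n' \
        "$user" "$host" "$src" "$dest"
}

# Only perform the real transfer when explicitly asked ("./pull.sh run");
# by default print the plan so the script is safe to execute as a demo.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$LOCAL_DEST"
    rsync -avz -e ssh --rsync-path="sudo rsync" \
        "$REMOTE_USER@$REMOTE_HOST:$REMOTE_SRC" "$LOCAL_DEST"
else
    echo "# on the server, via visudo:"
    sudoers_entry "$REMOTE_USER"
    echo "# on the local box:"
    rsync_pull_cmd "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_SRC" "$LOCAL_DEST"
fi
```

Add `-n` to the rsync command for a dry run first; if the remote side prompts for a sudo password the transfer will hang, which means the NOPASSWD entry is missing or does not match the command rsync actually runs.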
Enable root login on the server, but restrict them to passkey only. Set up a key pair on your local box, put the public key in root's authorized_keys file on the server and off you go.
This is 99.9999% as secure as not allowing root logins, as long as you protect the keypair from theft.
If you set up a complex pass phrase on the key, then you'll need to be present to run the backups, or use ssh-agent or something similar. Or, you could just not put a pass phrase on the key and you now have magic, passwordless access to your server via root. Obviously, in that instance theft of the private key is a more serious issue, so you need to understand those risks and either mitigate them, or use a strong pass phrase.
I know this isn't quite what you asked for, but honestly, passkey protected root logins are safe (with the caveat that you should keep up-to-date on sshd patches).
Any other option that allows any user ID enough permissions on the target server to be root, without putting them behind a passkey-protected ssh login, is actually less secure than just allowing root via passkey only.
If your local workstation has a predictable IP address you can make this even more secure using the AllowUsers option, e.g.
AllowUsers [email protected]
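As an added example for this answer (not the answer's own configuration), here is the weak sshd_config setting beside the corrected one, plus a small check that tests whether a config text satisfies the policy described above: root allowed with a key only, and scoped by AllowUsers to one host. The workstation address 203.0.113.10 is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original answer. Two sshd_config fragments
# (constructed here): the weak one that the answer warns against, and the
# hardened one that permits root only with a public key and only from one
# workstation. The address 203.0.113.10 is an assumed placeholder.

WEAK_CONFIG='
PermitRootLogin yes
PasswordAuthentication yes
'

HARDENED_CONFIG='
# root may log in, but only with a public key; password attempts are refused.
# "without-password" is the older spelling of the same value.
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
# root is accepted only from the backup workstation; other users unaffected
AllowUsers root@203.0.113.10
'

# Effective value of a keyword in a config text. sshd takes the first
# occurrence of a keyword, so the first match wins; comments are skipped and
# keywords are matched case-insensitively as sshd does.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Policy check: PermitRootLogin must be key-only, and the first AllowUsers
# pattern must bind root to a source host. Returns 0 on pass, 1 on fail.
root_key_only_and_scoped() {
    cfg=$1
    case "$(sshd_value "$cfg" PermitRootLogin)" in
        prohibit-password|without-password) ;;
        *) return 1 ;;
    esac
    case "$(sshd_value "$cfg" AllowUsers)" in
        root@?*) return 0 ;;
        *) return 1 ;;
    esac
}

if root_key_only_and_scoped "$HARDENED_CONFIG"; then
    echo "hardened fragment: root is key-only and limited to one host"
fi
if ! root_key_only_and_scoped "$WEAK_CONFIG"; then
    echo "weak fragment: root login is open to password guessing"
fi
```

On a live server the same values can be read from the daemon's effective configuration with `sshd -T`, which resolves includes and defaults, rather than from the file on disk; keep a second session open while reloading sshd so a typo in AllowUsers cannot lock you out.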