How to Skip rsync Passwords with sshpass in Backup Scripts
At some point in your Rocky Linux career, you'll want to create a script for simple data backups from a local client to a remote machine. When that time comes, you'll want to not only automate that process but do so without having to reveal (or type in) your SSH password along the way.
One of the best ways to accomplish this is with a combination of rsync, sshpass, and gpg. The sshpass application is a non-interactive password provider that's quite handy for shell scripts. Of course, rsync is the de facto standard Linux command line backup/sync tool, and gpg is a popular command line encryption tool. With these three things, you have the makings of a secure backup shell script.
What you'll need
Start with a running instance of Rocky Linux and a second Linux machine to host the backup files. It doesn't matter what version of Linux powers the second machine, as long as it has an OpenSSH server running and a directory to house the backups. For our example, we'll back up the ~/Documents directory on Rocky Linux and house the backup on the ~/Public folder on the remote machine.
You'll also need a user with sudo privileges on the Rocky Linux machine.
How to install sshpass on Rocky Linux
The sshpass application can be found in the standard Rocky Linux repositories, so the installation can be taken care of with the command:
sudo dnf install sshpass -y
When that completes, you're ready to create your shell script.
Creating the backup script on Rocky Linux
Before we get into how sshpass works, let's see how the backup script would work without it. Create and open a file called backups.sh, and then paste the following:
#!/bin/bash
rsync -av Documents USER1@IP:/home/USER1/Public/backups
Where USER1 is the username on the remote machine (so /home/USER1/Public is the ~/Public folder mentioned above) and IP is the IP address of the remote machine. Later on we'll also use USER2 for the local (Rocky Linux) username.
Save and close the file.
Give the file executable permissions with the command:
chmod u+x backups.sh
Run the command with:
./backups.sh
You'll be prompted for the remote user's password. Upon successful authentication, the backup will succeed.
That's great. But it still requires manual intervention. So how do we avoid having to type the password?
Skipping password entry in your backup script
We're going to skip manual password entry by storing and encrypting an SSH password. First, create and open a hidden file called .secret in your home directory. In that file, type the remote user's SSH password. Once you've done that, save and close the file.
Next, we'll encrypt the .secret file so it can't be easily read by anyone:
gpg -c ~/.secret
When prompted, type and verify a strong encryption password. (Note: This will be a different password than the remote user's password. You'll use this password later to decrypt the file.)
Now, we can update the bash script to make use of sshpass. Open backups.sh and update the script:
#!/bin/bash
gpg -dq /home/USER2/.secret.gpg | sshpass rsync -av Documents USER1@IP:/home/USER1/Public/backups
Reminder: USER1 is the remote username, USER2 is the local (Rocky Linux) username, and IP is the IP address of the remote machine.
The second line in the script decrypts the local .secret.gpg file and pipes the output of that command to sshpass. Given no password option of its own, sshpass reads the password from its standard input and supplies it to the SSH connection that rsync opens as the remote user.
Save and close the file. Run the backup with the command:
./backups.sh
You will then be prompted for the decryption password and not your SSH password, thereby avoiding the possibility of revealing your SSH password to anyone. Although you'll be required to type your GPG decryption password the first time, you'll be able to run the script successively without having to do so.
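As an added example (not part of the original article or its script), here is a hardened version of backups.sh that keeps the same gpg-to-sshpass pipeline but adds the checks a careful admin would want: it refuses to run unless the encrypted password file is readable only by its owner, it stops when gpg fails instead of letting rsync's exit status hide that, and it offers a dry-run mode that prints the rsync command without decrypting anything. The variable names SECRET, REMOTE_USER, REMOTE_HOST, SRC, DEST and the BACKUP_DRY_RUN switch are assumptions made for this example, as is the "run" argument used to start the backup.

```bash
#!/bin/bash
# Added example, not the article's own script: a hardened variant of
# backups.sh. The names SECRET, REMOTE_USER, REMOTE_HOST, SRC, DEST and the
# BACKUP_DRY_RUN switch are assumptions made for this example. Usage:
#   ./backups.sh run                    # decrypt the secret and run the backup
#   BACKUP_DRY_RUN=1 ./backups.sh run   # print the command that would run
set -eu
# pipefail is a bash extension; enable it where the shell supports it so a
# failed gpg decryption is not masked by rsync's exit status.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

SECRET="${SECRET:-$HOME/.secret.gpg}"              # the gpg -c output from the article
REMOTE_USER="${REMOTE_USER:-USER1}"                # username on the remote machine
REMOTE_HOST="${REMOTE_HOST:-IP}"                   # remote IP address or hostname
SRC="${SRC:-$HOME/Documents}"                      # local directory to back up
DEST="${DEST:-/home/$REMOTE_USER/Public/backups}"  # destination on the remote machine

# Return 0 only if the file exists and its mode is exactly 0600. The file is
# encrypted, but anyone who can read it can start guessing the passphrase, so
# its permissions are the first thing to check before handing it to gpg.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    find "$1" -maxdepth 0 -perm 0600 | grep -q .
}

run_backup() {
    if ! secret_perms_ok "$SECRET"; then
        echo "refusing to run: $SECRET must exist with mode 0600 (chmod 600 $SECRET)" >&2
        return 2
    fi
    if [ "${BACKUP_DRY_RUN:-0}" = 1 ]; then
        # Dry run: show what would be executed, without touching gpg or the network.
        echo "sshpass rsync -av $SRC $REMOTE_USER@$REMOTE_HOST:$DEST"
        return 0
    fi
    # gpg writes the decrypted password to stdout; sshpass, given no -p/-f/-e
    # option, reads it from stdin. The password therefore never appears on a
    # command line or in ps output, which is the weakness of sshpass -p.
    # sshpass exits with status 6 if the remote host key is not yet in
    # known_hosts, so connect once interactively before the first unattended run.
    gpg -dq "$SECRET" | sshpass rsync -av "$SRC" "$REMOTE_USER@$REMOTE_HOST:$DEST"
}

case "${1:-}" in
    run) run_backup ;;
esac
```

Run it as ./backups.sh run once the .secret.gpg file from the steps above is in place and has been chmod 600'd; the first run still asks for the gpg passphrase, exactly as the simpler script does, and the dry-run mode is a convenient way to confirm the user, host and paths before the script is handed to cron.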
It’s not a perfectly secure backup solution, but it does show you how to get creative with bash scripts and a few extra applications.
Hopefully you found that useful and you learned something. If you have ideas for more tips and tricks, or questions about automating workflows in Rocky Linux, let us know at info@ciq.com.