How to properly set up an SSH tunnel on FreeBSD for automatic backups

Olaf Greve o.greve at axis.nl
Wed Nov 16 13:16:18 GMT 2005


Hi,

I'm trying to set up an SSH tunnel between two FreeBSD machines, over a 
direct cross-wire connection between the two, and I'm having issues in 
doing so. The question(s) I have is/are probably not FreeBSD specific, 
but still I hope someone can answer it/them...

The situation:
I have two servers (one live, and one staging/fall-back server), and 
between the two of those I have set up a local network. The live machine 
is 192.168.1.1 and the fall-back machine is 192.168.1.2. Now, I have 
already figured out how to synch the files using rsync, and in order to 
automatically down-synch the live MySQL database to the fall-back 
machine at specific times a day, I want to be able to run (from the live 
server) a script that performs commands like this one:
ssh 192.168.1.2 "mysqladmin -f drop $database"

The followed approach:
In order to be able to run this as root from a cron job, without having 
to type a password, I tried doing the following (which can be found all 
over the Internet).
- On 192.168.1.2: as root generate a (passphrase-less) public RSA key 
  (i.e. ssh-keygen -t rsa), and in /etc/ssh/sshd_config add a line like 
  AllowUsers root@192.168.1.1 olaf
- On 192.168.1.2 I created the file ~/.ssh/authorized_keys and added the 
  public key of 192.168.168.2 to it


The problem:
Even after doing a kill -s HUP <sshd pid> on both machines, I still 
cannot SSH without being asked for a password. :(
Surely this must be something in my SSHD configuration on 192.168.1.2 
(or at least so I think).

The question(s):
-Does anyone know how to properly achieve this, without opening up the 
fall-back machine to the outside world (it is OK if it's open to 
192.168.1.1)?
-Does anyone see anything wrong in the below (partially) listed 
sshd_config options?

Additional info:
I fiddled around somewhat with /etc/ssh/sshd_config on 192.168.168.2, 
and I tried various combinations of allowing/disallowing the below (all 
to no avail):
PermitRootLogin yes
AllowUsers root@192.168.1.1 olaf

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys


Are these the only options that should be manipulated for this, and if 
so, how? Or should I also change some of the below (or other) 
sshd-config settings?

#StrictModes yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

Thanks in advance, and cheers!
Olafo
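
Added example, not part of the original post: a shell check, run on the machine that accepts the login, of two things sshd requires before it honours an authorized_keys entry. The connecting account's public key must be listed in the target account's authorized_keys, and with StrictModes at its default of yes the home directory, ~/.ssh and authorized_keys must not be group- or world-writable. The function names and the way the paths are passed in are assumptions made for this example.

```shell
#!/bin/sh
# Added example: server-side preconditions for key-based SSH login.
# Usage: sh check.sh <home of target account> <public key file of the client>

# Prints the path if it is group- or world-writable, which StrictModes rejects.
loose_perms() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# Succeeds if the key (type + base64 blob) in file $2 appears in the
# authorized_keys file $1, even behind options such as from="192.168.1.1".
key_listed() {
    [ -s "$2" ] || return 1
    awk 'NR == FNR { type = $1; blob = $2; next }
         /^[ \t]*(#|$)/ { next }
         { for (i = 1; i < NF; i++)
               if ($i == type && $(i + 1) == blob) { found = 1; exit } }
         END { exit !found }' "$2" "$1"
}

# Returns 0 when every check passes, 1 otherwise; prints each problem found.
check_pubkey_setup() {
    home=$1
    pub=$2
    rc=0
    auth="$home/.ssh/authorized_keys"
    for p in "$home" "$home/.ssh" "$auth"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif [ -n "$(loose_perms "$p")" ]; then
            echo "group/world-writable, StrictModes will ignore the key: $p"; rc=1
        fi
    done
    if [ -f "$auth" ] && ! key_listed "$auth" "$pub"; then
        echo "client key in $pub is not listed in $auth"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then
    check_pubkey_setup "$1" "$2"
fi
```

The check does not cover file ownership or the AllowUsers and PermitRootLogin directives, which sshd evaluates separately.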


More information about the freebsd-questions mailing list