The major problem with your approach is the PASSWORD is stored in clear text on your disk. Instead of using a password, I use SSH-keys. It works like this:
Create a ssh key
ssh-kegenStore the key in the server's authorized key
ssh-copy-id <user@server>This step adds the content of
~/.ssh/id_rsa.pub(the public key) to the~/.ssh/authorized_keysfile on the server. This file is used by the server to verify if the user is allowed to login (only if he has the corresponding private key)Login
SSH automates the whole process with keyesxchange and stuff so that you only need to do
ssh <user@server>If everything is setup properly you don't even need to provide a password.
Have fun!
Yeah, I think, though, what's the damn difference anyway? If someone gains control of my user account on my machine, does it actually matter if they have the password or SSH cert for the root of my backup server? The result is the same.
It was just quicker for me to do it with a password. I don't have to remember it either, it's in my scripts. Good to remind me though, it should really be set to 700 mode. I am pretty sure they are though.
btw, i think it's ssh-keygen , just a little typo. I don't think you get grammar nazi status in IT for typo correcting ;)
As @l0k1 pointed out, simply using keys doesn't make much difference. But what you can do to improve the security of the server, is restricting the commands that can be run. You can do this by using the option
command="..."in theauthorized_keysfile. Then, for each command you create a separate key. The man pagesshd(8)has some information on this in the section "AUTHORIZED_KEYS FILE FORMAT".