First, the command tar cf - ... works okay, but it does not perform any compression. If the files to be backed up are very compressible, then it makes sense to compress the archive file. You should do this on the server to be backed up to save network bandwidth. This can be done by adding a “pipe” to a compression program:
gzip -c - uses the GZIP program to compress an incoming stream of bytes (from the tar program) before sending out the compressed stream.
Also, note the change to the last tar command (to be run on the backup server itself). The extra letter z tells tar to decompress the incoming stream using gunzip.
For better security, you should look into the “Match block” concept of the SSH server configuration file on the server to be backed up. This can be used to help protect the account with sudo ability. Use man sshd_config to learn a little more about this feature, particularly the use of PermitOpen, PasswordAuthentication and the “Address” matching criteria.
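A Match block of the kind described above, as an added example that is not part of the original article. It assumes the account with sudo ability is oneilj and uses 192.0.2.10 as a placeholder for the backup server's address:

```sshd_config
# Added example for /etc/ssh/sshd_config on the server to be backed up.
# 192.0.2.10 is a constructed placeholder for the backup server's address.
# Match blocks must come after all global settings: each block runs until
# the next Match line or the end of the file.

# For each keyword the first value obtained wins, so the narrower block
# (user AND address) is listed before the catch-all block for the user.

# oneilj connecting from the backup server: key only, no forwarding.
Match User oneilj Address 192.0.2.10
    PubkeyAuthentication yes
    PasswordAuthentication no
    # With PAM, password prompts can also arrive as keyboard-interactive.
    KbdInteractiveAuthentication no
    # "none" refuses every TCP forwarding request.
    PermitOpen none
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# oneilj connecting from any other address: no authentication method left.
Match User oneilj
    PubkeyAuthentication no
    PasswordAuthentication no
    KbdInteractiveAuthentication no

# Check before reloading sshd (run as root):
#   sshd -t
#   sshd -T -C user=oneilj,addr=192.0.2.10,host=backup.example | grep -i authentication
#   sshd -T -C user=oneilj,addr=198.51.100.7,host=other.example | grep -i authentication
# backup.example, other.example and 198.51.100.7 are constructed values.
```

Keep an existing root or console session open while testing so that a mistake in the block cannot lock you out.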
Once you set up public-key authentication, you can also consider running the following command as root on the server to be backed up:
This command “locks” the user oneilj. This means that there will be no password-based authentication by any means: SSH, local console, etc. As a result, password cracking methods do not work; only someone who has the private SSH key of crichtonj on the backup server can authenticate.