Toni Van Remortel wrote:

> This is how I add an ssh-based client to my backup system:
> * On the backup server, the user backuppc generates an ssh key
> (ssh-keygen -t rsa -f clientname) inside .ssh of the backuppc home
> directory. Passphrase is empty.
> * On the backup server, the file .ssh/config belonging to the backuppc
> user is updated with some needed info for the client (user to connect,
> ssh key to use, port to use, ...)
> * The key is copied to the client (ssh-copy-id -i clientname.pub
> client.domain.com). This action will ask if you trust this host. Answer
> 'yes' to add it to the known_hosts list.
>
> Finished. The user 'backuppc' now has root access to the client through
> SSH. Setting up BackupPC is now the easiest part: use rsync, set the
> clients' directories to back up. Done.
>
> Why do I use a separate key for every client? Security! If someone can
> get 1 private key from my backup server, he/she can only connect to 1
> client instead of all my clients (70 at this moment).
> Yes it is a bit more work, but security is always more work.

I don't really see how using 70 keys is more secure than using one in this case. Aren't all 70 passphrase-less private keys available in the same location? If someone hacks his way to your backuppc user then he can access all of your servers, regardless of whether you use 70 keys or just one. It's probably more secure to limit what your backuppc user can execute on your clients (using sudo to only allow the execution of /usr/bin/rsync with the flags you use for backup and restore).

Nils Breunese.

Attachment: PGP.sig
Description: This part of the message is digitally signed
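Nils's point is that the per-client keys all live, passphrase-less, in one place, so the useful control is on the client side: restrict what the backuppc key is allowed to run there. The script below is an added example, not code from either poster or from BackupPC. It is a forced-command wrapper for the client: sshd runs it instead of whatever the backup server asked for, and the wrapper only executes rsync in server mode. The paths, the authorized_keys and sudoers lines, the .ssh/config stanza and the rsync option lists in the comments and tests are all assumptions; check them against the RsyncClientCmd and RsyncArgs your BackupPC server actually sends.

```shell
#!/bin/sh
# Added example (not from the thread or from BackupPC): a forced-command wrapper
# that limits what the backuppc key may execute on a client.
#
# Setup it assumes (all paths/options are assumptions):
#
#   ~backuppc/.ssh/config on the backup server, one stanza per client:
#     Host client.domain.com
#         User root
#         Port 22
#         IdentityFile ~/.ssh/clientname
#         IdentitiesOnly yes
#
#   /root/.ssh/authorized_keys on the client, one line per backup-server key:
#     command="/usr/local/sbin/backuppc-rsync-only",from="192.0.2.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... backuppc@backupserver
#
#   or, if backuppc logs in unprivileged and gets root only via sudo, a sudoers rule:
#     backuppc ALL=(root) NOPASSWD: /usr/bin/rsync --server *
#
# sshd puts the command the server requested into SSH_ORIGINAL_COMMAND and runs
# this wrapper instead; only an rsync server invocation gets through.

# Set ALLOW_RESTORE=no to refuse "rsync --server" without --sender, i.e. the
# backup server may read the client but never write to it as root. Restores
# then need another channel; that is the trade-off.
ALLOW_RESTORE=${ALLOW_RESTORE:-yes}

# allow_rsync_server CMD: status 0 if CMD is an rsync server invocation we are
# willing to run, 1 otherwise.
allow_rsync_server() {
    cmd=$1

    # Must be exactly the rsync binary (optionally via sudo) in --server mode.
    case $cmd in
        "/usr/bin/rsync --server "*|"sudo /usr/bin/rsync --server "*) ;;
        *) return 1 ;;
    esac

    # Refuse shell metacharacters (the command is word-split and exec'd, never
    # handed to a shell, but refusing them keeps the allow-list auditable) and
    # rsync options that would spawn another program or change the mode.
    case $cmd in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*|*'('*|*')'*) return 1 ;;
        *'--rsh'*|*' -e '*|*'--daemon'*) return 1 ;;
    esac

    # Optionally insist that the client is the sender (backup direction only).
    if [ "$ALLOW_RESTORE" != yes ]; then
        case $cmd in
            *' --sender'*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# Dispatcher: only active when sshd invoked us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync_server "$SSH_ORIGINAL_COMMAND"; then
        # Deliberate word splitting: the rsync server argument list BackupPC
        # sends carries no embedded spaces, and no shell ever sees the string.
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backuppc-rsync-only "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    echo "command not permitted" >&2
    exit 1
fi
```

With the `command=` option in place, sshd ignores the command the backup server asked for and runs the wrapper regardless, so the allow-list in `allow_rsync_server` is the enforcement point; `from=` additionally ties the key to the backup server's address, and `IdentitiesOnly yes` on the server keeps ssh from offering all 70 keys to every client. The test cases constructed below (not real BackupPC command lines) show the wrapper accepting backup and restore invocations, refusing a plain shell, an appended `;` command, an `-e` helper, and, with `ALLOW_RESTORE=no`, anything that would write to the client.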

BackupPC-users mailing list
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/