Kenneth L. Owen wrote:
> Back in October, I was a Linux newbie struggling to get BackupPC to work
> and was successful in a very short time with the great support I got
> here (Ref:  Almost Working).  Since then, I’ve monitored the system
> operation and performed two restore tests, one from a full backup and
> one mid-stream off of the incremental files.  The total byte count was
> about 75 GBytes with a perfect score by comparison of every single
> byte.  The BackupPC system works GREAT!
> Since the testing, I’ve moved on to another issue that was brought to my
> attention during the work to get BackupPC working:  /_Fedora was
> probably not the best distribution of Linux to run a server function_./ 
> While working with other distros, I goofed and trashed my perfectly
> running system.  I have rebuilt it up to the point of installing my
> ssh-keys for rsync.  As far as I know, I’m doing the same thing as
> before when it worked out just fine.  This time, it all looks good
> during the setup, but ‘backuppc’ user is not getting ‘root’ authority
> when tested.  I’ve tried several times, consistently getting the same
> result.  I am hoping that someone will see where this somewhat less of a
> newbie is messing up.  All comments are welcome.  -- ken
> Below is a transcript of the last session:
> Starting on my Windows-server, I removed previous setup from /root/.ssh:
> [EMAIL PROTECTED] .ssh]# rm -f *
> [EMAIL PROTECTED] .ssh]# ls -al
> total 16
> drwx------  2 root root 4096 2008-11-29 16:50 .
> drwxr-x--- 27 root root 4096 2008-11-29 16:22 ..
> Next, I generated a key-pair on the Windows-server:
> [EMAIL PROTECTED] .ssh]# ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/root/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /root/.ssh/id_rsa.
> Your public key has been saved in /root/.ssh/
> The key fingerprint is:
> fe:a0: … :7b:9e [EMAIL PROTECTED]  <-- Ref at end
[EMAIL PROTECTED] does not need a keypair unless [EMAIL PROTECTED] is going to
log in remotely via ssh to another machine.

> I verified the archiving host was listed in /etc/hosts:
> [EMAIL PROTECTED] .ssh]# cat /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
>       WinServer.localdomain   WinServer       WinServer
> ::1             localhost6.localdomain6 localhost6
>   Archiver.localdomain    Archiver    <<<==== this is it
> On the archiver, I removed the old configuration from
> /var/lib/BackupPC/.ssh,
> changed to user 'backuppc' on /var/lib/BackupPC and created a key-pair:
> [EMAIL PROTECTED] .ssh]# rm -f *
> [EMAIL PROTECTED] .ssh]# ls -al
> total 16
> drwx------ 2 backuppc root 4096 2008-11-29 16:53 .
> drwxr-x--- 8 backuppc root 4096 2008-11-26 21:26 ..
> [EMAIL PROTECTED] .ssh]# su -s /bin/bash - backuppc
> -bash-3.2$ whoami
> backuppc
> -bash-3.2$ ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/var/lib/BackupPC/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /var/lib/BackupPC/.ssh/id_rsa.
> Your public key has been saved in /var/lib/BackupPC/.ssh/
> The key fingerprint is:  34:e2: … :e8:73 [EMAIL PROTECTED]
> -bash-3.2$ cp ./.ssh/ ./.ssh/
> -bash-3.2$ ls ./.ssh
>  id_rsa
> -bash-3.2$ scp ./.ssh/ [EMAIL PROTECTED]:/root/.ssh/
> The authenticity of host ' (' can't be
> established.
> RSA key fingerprint is 57:e6: … :7a:c6.
FYI, you do not need to conceal fingerprints.  It is the fingerprint of
a *public* key, and it doesn't hurt anything if everybody can see it.

> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '' (RSA) to the list of known hosts.
> [EMAIL PROTECTED]'s password:
>   100%  411     0.4KB/s   00:00   
> -bash-3.2$
> Back on the Windows-server, I added to authorized_keys2:
> [EMAIL PROTECTED] .ssh]# ls -al
> total 40
> drwx------  2 root root 4096 2008-11-29 16:53 .
> drwxr-x--- 27 root root 4096 2008-11-29 16:22 ..
> -rw-r--r--  1 root root  411 2008-11-29 16:53
> -rw-------  1 root root 1675 2008-11-29 16:50 id_rsa
> -rw-r--r--  1 root root  408 2008-11-29 16:50
> [EMAIL PROTECTED] .ssh]# cat >> authorized_keys2
> Edited Authorized_keys2 to add 'from="Archiver.localdomain"':
> [EMAIL PROTECTED] .ssh]# cat authorized_keys2
> from="Archiver.localdomain" ssh-rsa AAAA … more stuff … GnuNXOxYw==
> Sent to archiver:
This whole section is not needed for BackupPC.  What you've done here is
allowed [EMAIL PROTECTED] to log in as [EMAIL PROTECTED], and I don't
think that's what you meant to do.

> [EMAIL PROTECTED] .ssh]# scp
> [EMAIL PROTECTED]:/var/lib/BackupPC/.ssh/
> The authenticity of host ' (' can't be
> established.
> RSA key fingerprint is 01:a8:0d:1e: … :aa:10.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '' (RSA) to the list of known hosts.
> [EMAIL PROTECTED]'s password:
>   100%  408     0.4KB/s   00:00   
> Now, on archiver:
> -bash-3.2$ cat ./.ssh/ >> ./.ssh/known_hosts
> -bash-3.2$ ls ./.ssh
>  id_rsa  known_hosts
> -bash-3.2$ rm ./.ssh/
> rm: remove write-protected regular file `./.ssh/'? y
> -bash-3.2$ ls ./.ssh -al
> total 48
> drwx------ 2 backuppc root     4096 2008-11-29 17:08 .
> drwxr-x--- 8 backuppc root     4096 2008-11-26 21:26 ..
> -rw-r--r-- 1 backuppc backuppc  411 2008-11-29 16:56
> -rw------- 1 backuppc backuppc 1671 2008-11-29 16:55 id_rsa
> -rw-r--r-- 1 backuppc backuppc  411 2008-11-29 16:55
> -rw-r--r-- 1 backuppc backuppc  803 2008-11-29 17:07 known_hosts
> -bash-3.2$ chmod -R go-rwx ./.ssh
> -bash-3.2$ ls ./.ssh -al
> total 48
> drwx------ 2 backuppc root     4096 2008-11-29 17:08 .
> drwxr-x--- 8 backuppc root     4096 2008-11-26 21:26 ..
> -rw------- 1 backuppc backuppc  411 2008-11-29 16:56
> -rw------- 1 backuppc backuppc 1671 2008-11-29 16:55 id_rsa
> -rw------- 1 backuppc backuppc  411 2008-11-29 16:55
> -rw------- 1 backuppc backuppc  803 2008-11-29 17:07 known_hosts
> ... and do same chmod on Windows-server:
> [EMAIL PROTECTED] .ssh]# chmod -R go-rwx .
> [EMAIL PROTECTED] .ssh]# ls -al
> total 64
> drwx------  2 root root 4096 2008-11-29 17:00 .
> drwxr-x--- 27 root root 4096 2008-11-29 16:58 ..
> -rw-------  1 root root  439 2008-11-29 16:58 authorized_keys2
> -rw-------  1 root root  411 2008-11-29 16:55 authorized_keys2~
> -rw-------  1 root root  411 2008-11-29 16:53
> -rw-------  1 root root 1675 2008-11-29 16:50 id_rsa
> -rw-------  1 root root  408 2008-11-29 16:50
> -rw-------  1 root root  395 2008-11-29 17:00 known_hosts
> Should be done all but the final TEST:
> -bash-3.2$ ssh -l root WinServer whoami
> The authenticity of host 'WinServer (' can't be established.
> RSA key fingerprint is 57:e6: … :7a:c6.   <-- Should this be the same as
> when created in step one?
Yes, because it is the fingerprint of the server (it is not
user-specific).  FYI, the RSA key it is referencing is in /etc/ssh/
(it's probably called

The first time you were asked this question, you were scp'ing as root.
Now you are ssh'ing as a different user.  That is why you're being asked
the question again.  Each user gets the opportunity to accept or reject
the validity of a server's public key (by verifying that the fingerprint
is correct).  This information is recorded in the user's
~/.ssh/known_hosts file.


> Are you sure you want to continue connecting (yes/no)? ^C  <<<===
> -bash-3.2$
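
The point made in the reply above, that the fingerprint belongs to the server's public key while acceptance is recorded per user in ~/.ssh/known_hosts, shown as an added shell example that is not part of the original thread. The key blob is a constructed placeholder (not a real RSA key), and `key_blob`, `md5_fp` and `would_prompt` are hypothetical helper names.

```shell
#!/bin/sh
# Added example with constructed data: the blob below is a placeholder, not a real key.
HOST_LINE='WinServer ssh-rsa AAAAB3NzaC1yc2EAAAADAQABQ09OU1RSVUNURUQx'

# key_blob LINE: print the base64 key blob, i.e. the field after the key type.
# Works for known_hosts, .pub and authorized_keys lines whose options contain no spaces.
key_blob() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-)/) { print $(i + 1); exit } }'
}

# md5_fp LINE: colon-separated MD5 of the decoded blob, the format in the transcript
# (current OpenSSH prints this form with: ssh-keygen -l -E md5 -f FILE).
# Only public data goes in, so the result is the same for every user and not secret.
md5_fp() {
    key_blob "$1" | base64 -d | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# would_prompt FILE HOST: succeed if FILE has no plain-text entry for HOST,
# which is when ssh asks "Are you sure you want to continue connecting".
# Hashed entries (|1|...) are not handled; ssh-keygen -F HOST -f FILE covers those.
would_prompt() {
    ! awk -v h="$2" '{ n = split($1, names, ","); for (i = 1; i <= n; i++)
        if (names[i] == h) found = 1 } END { exit !found }' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$HOST_LINE" > "$dir/accepted_known_hosts"  # user who already said yes
    : > "$dir/fresh_known_hosts"                              # user who never connected
    for user in accepted fresh; do
        if would_prompt "$dir/${user}_known_hosts" WinServer; then
            echo "$user: would be prompted, fingerprint $(md5_fp "$HOST_LINE")"
        else
            echo "$user: already trusted, fingerprint $(md5_fp "$HOST_LINE")"
        fi
    done
    rm -rf "$dir"
}
demo
```

Both users see the same fingerprint; only the one without a known_hosts entry is asked to confirm it.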

