Sure, ken. Learn and share.

A few points to make your reading easier

* backuppc server needs to log in to the client as root without the need of
human intervention (to insert a password, for example)

* That's why you now connect with ssh as root with empty password keys.

* empty password keys are not very secure, especially for the root user.

* the link I sent uses a different approach. You ssh as backuppc user and
then you sudo to do the backup - $Conf{RsyncClientCmd}. Your rsa keys for
backuppc user on both machines don't have password, but the root keys may
now have passwords.

* If you could sudo as backuppc to run any command, we would not have gained
much.

* That's where visudo comes in, to restrict the commands a user can run as root
(sudo)

* run visudo to see your actual permissions, and man sudoers for some help.

Notice in visudo the line
root    ALL=(ALL) ALL
It means root can do all, from anywhere impersonating anyone

Enjoy

PS: Please reply using the backuppc list when you want to ask something
about backuppc.
We'll get the help of other members.

On Sat, Mar 13, 2010 at 4:39 AM, Kenneth L. Owen <[email protected]> wrote:

> Hi Luis,
>
> As you have figured out by now, I am not a power user of Linux.  I'm
> barely able to understand what the HowTo file says to do.  I am very
> interested in security and trying to improve is why the 'AllowUsers'
> line was added to sshd_config.  I will study the documents at the link
> and, if I can figure out how to do it, I'm very interested in avoiding a
> compromise of my system.  If I have questions, will you be willing to
> guide me a bit more?
>
> Again, thanks for your patience with a neophyte!  -- ken
>
> On Sat, 2010-03-13 at 03:17 +0000, Luis Paulo wrote:
> > Great.
> > Try
> > http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided
> > when you have the time. This way you avoid empty password keys for
> > root user. On the other hand, that may not be too important to you, I
> > guess.
> >
> > I have on server: visudo
> > Host_Alias      LOCAL = <your server name or IP>
> > #backuppc        LOCAL=NOPASSWD:/bin/tar -c *, /bin/tar -x *
> > backuppc        LOCAL=NOPASSWD:/bin/tar -c *
> >
> > and
> > $Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -c -v -f - -C $shareName --totals';
> > $Conf{TarClientRestoreCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -x -v -f - -C $shareName --totals';
> >
> > On linux clients, I have: visudo
> > #backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
> > backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
> >
> > and
> > $Conf{RsyncClientCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo /usr/bin/rsync $argList+';
> > $Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';
> >
> > note: you must switch the # on visudo to use restore
> >
> > Regards
> > Luis
> >
> > On Sat, Mar 13, 2010 at 2:12 AM, Kenneth L. Owen
> > <[email protected]> wrote:
> > > Hi Luis,
> > >
> > > Just as I thought, it now works!!!  Thanks to you for sticking with me
> > > to find my mistake.  Only on a computer can you find twenty ways to make
> > > the same mistake!  -- ken
> > >
> > > >>> PROBLEM SOLVED <<<
> > >
>
>
_______________________________________________
BackupPC-users mailing list
[email protected]
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
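
The thread's point that sudo only helps when the backuppc user is limited to specific commands can be checked mechanically. The sketch below is an added example, not code from the thread or from BackupPC: it reports what each sudoers rule grants a given user. The function names are hypothetical and the parsing is simplified (no aliases, line continuations or escaped commas); the sample text is constructed from the rules quoted above.

```python
import re

# Constructed sample built from the rules quoted in the thread.
SAMPLE_SUDOERS = """\
root    ALL=(ALL) ALL
#backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
"""

# user  host = rest-of-rule  (simplified form of a sudoers user specification)
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")


def user_commands(text, user):
    """Return the command specs that active (uncommented) rules grant to `user`."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        m = RULE.match(line)
        if not m or m.group("user") != user:
            continue
        rest = re.sub(r"^\([^)]*\)\s*", "", m.group("rest"))   # drop (runas)
        rest = re.sub(r"^(?:NOPASSWD|PASSWD):\s*", "", rest)   # drop tag
        cmds += [c.strip() for c in rest.split(",") if c.strip()]
    return cmds


def classify(cmd):
    """Describe how much one command spec lets the user do as root."""
    parts = cmd.split()
    if parts[0] == "ALL":
        return "any command as root"
    if len(parts) == 1:
        # sudoers: a command listed without arguments may be run with any arguments
        return "any arguments allowed"
    if parts[0].endswith("/rsync") and "--server" in parts:
        # --sender makes the client side send only; without it restores can write
        return "backup only" if "--sender" in parts else "backup and restore"
    return "restricted"


def audit(text, user):
    """Map each command spec granted to `user` to its classification."""
    return {cmd: classify(cmd) for cmd in user_commands(text, user)}


if __name__ == "__main__":
    for who in ("root", "backuppc"):
        print(who, audit(SAMPLE_SUDOERS, who))
```

The trailing `*` in the rsync rules still matches any remaining arguments, so "backup only" limits the direction of the transfer, not the paths rsync may read.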