Hi

I really struggled to get this working. I thought it might be a good idea to update the section.

I've edited the ssh section to tailor it specifically to cater for an unprivileged user 'backuppc'

I've included it below, it may be useful to some and hopefully it could be incorporated in the documentation to make it easier for users to set this up in future.

The text follows below:

*Rsync via OpenSSH using non-privileged user 'backuppc'*

Depending upon your OpenSSH installation, many of these steps can be replaced by running the scripts |ssh-user-config| and |ssh-host-config| included with OpenSSH. You still need to manually exchange the public keys.

*BackupPC Server key generation (Do this only once)*
   As the BackupPC user (__BACKUPPCUSER__), create a public ssh key on
   the server.

    ssh-keygen -t rsa

   As a password, you would type nothing (just enter) if you wish
   BackupPC to start automatically.
   This will save the public key in |~/.ssh/id_rsa.pub| and the private
   key in |~/.ssh/id_rsa| (the home folder of backuppc), if you don't
   specify another location. Make a copy of the public key under a
   recognizable name, to avoid confusing it with the client keys on the
   client machines (see later), eg:

    cp ~/.ssh/id_rsa.pub ~/.ssh/BackupPC_id_rsa.pub

   *See the |ssh| and |sshd| manual pages for extra configuration
   information.*

*Client Non-privileged user Backuppc creation (Do this on each client PC)*

As root on the client machine, create a user called 'backuppc'

    useradd backuppc

As root, now make a home directory for backuppc

    mkdir /home/backuppc

As root, make a directory for backuppc's ssh configuration

    mkdir /home/backuppc/.ssh

As root, use visudo to create a sudoers file for backuppc, but with permissions only to run rsync.

    visudo -f /etc/sudoers.d/backuppc

Copy the following text in the file and save it

    #Sudoers file for backuppc user to run rsync

    backuppc ALL=NOPASSWD: /usr/bin/rsync

*Client Key generation (Do this on each Client PC)*
   As root on the client machine, use |ssh-keygen| to generate a
   public/private key pair:

    ssh-keygen -t rsa

   This will save the public key in |~/.ssh/id_rsa.pub| and the private
   key in |~/.ssh/id_rsa|, if you don't specify another location. As a
   password, you would type nothing (just enter) if you wish BackupPC
   to start automatically.

Make a copy of the public key under a recognizable name, to avoid confusing it with other client keys on the backuppc server, eg (if the machine name is Fred-pc):

    cp ~/.ssh/id_rsa.pub ~/.ssh/Fred-pc_id_rsa.pub

   Name each public key on each client uniquely, so that they are not
   confused with other clients' keys when copied onto the server.


*Key exchange*
   *On Each Client:*
   To allow BackupPC to ssh to the client as the non-privileged user
   backuppc, you need to place the server BackupPC's public key into
   the backuppc user's authorized list on the client. As root, append
   BackupPC's public key (|BackupPC_id_rsa.pub|) to backuppc's
   |/home/backuppc/.ssh/authorized_keys2| file on the client:

    touch /home/backuppc/.ssh/authorized_keys2
    cat BackupPC_id_rsa.pub >> /home/backuppc/.ssh/authorized_keys2

   You should edit |/home/backuppc/.ssh/authorized_keys2| and add
   further specifiers, eg: from, to limit which hosts can login using
   this key. For example, if your BackupPC host is called
   |backuppc.my.com|, there should be one line in
   |~/.ssh/authorized_keys2| that looks like:

    from="backuppc.my.com" ssh-rsa [base64 key, eg: ABwBCEAIIALyoqa8....]

   *On BackupPC Server*
   You need to place each client's public key into backuppc's
   |~/.ssh/known_hosts| file, otherwise you will get a

    Host key verification failed.

   error, and backuppc will not be able to log into the client. To
   place the client key into the |~/.ssh/known_hosts| file, you need to
   do this (make sure |~/.ssh/client_id_rsa.pub| is the client's public
   key, which needs to be copied from the client):
   As user backuppc

    touch ~/.ssh/known_hosts
    cat ~/.ssh/Fred-pc_id_rsa.pub >> ~/.ssh/known_hosts

   Repeat this step to add each client's key, i.e. Mary-pc_id_rsa.pub and
   whatever the other keys are named.
*Fix permissions*
   You will probably need to make sure that all the files in |~/.ssh|
   have no group or other read/write permission:

    chmod -R go-rwx ~/.ssh

   You should do the same thing for the BackupPC user on the server.
*Testing*
   As the BackupPC user on the server, verify that this command:

    ssh -l backuppc clientHostName whoami

   prints

    backuppc

   You might be prompted the first time to accept the client's host key
   and you might be prompted for backuppc's password on the client.
   Make sure that this command runs cleanly with no prompts after the
   first time. You might need to check |/etc/hosts.equiv| on the
   client. Look at the man pages for more information. The |-v| option
   to ssh is a good way to get detailed information about what fails.

The above configuration means that the only command that backuppc can run is rsync.

You will have to set the RsyncClientCmd <http://backuppc.sourceforge.net/faq/BackupPC.html#item__conf_rsyncclientcmd_> to be something like:

    $Conf{RsyncClientCmd} = '$sshPath -l backuppc $host nice -n 19 sudo $rsyncPath $argList+';

In this case the backup is niced so that it doesn't give such a performance hit on the client. The same setup works for tar.


Cheers
Angus
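
An added example, not part of the original post or of the BackupPC documentation: a shell audit of the two client-side restrictions described above, the from= option in authorized_keys2 and the rsync-only sudoers rule. The function names are this example's own, and the sample files in audit_demo are constructed.

```shell
#!/bin/sh
# Added example (not BackupPC's code); function names are this example's own.

# Succeeds only if every key line carries a from="..." option.
check_authorized_keys() {
    [ -f "$1" ] || { echo "missing: $1"; return 2; }
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        # Options, if present, precede the key type: cut the line there.
        opts=${line%%ssh-*}
        opts=${opts%%ecdsa-*}
        case $opts in
            from=\"*|*,from=\"*) ;;                 # restricted by source host
            *) echo "no from= restriction: $(printf '%s' "$line" | cut -c1-30)..."
               bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Succeeds only if each rule for user backuppc allows exactly /usr/bin/rsync.
check_sudoers() {
    [ -f "$1" ] || { echo "missing: $1"; return 2; }
    bad=0 seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in backuppc[[:space:]]*) ;; *) continue ;; esac
        seen=1
        cmds=$(printf '%s' "${line##*:}" | tr -d ' \t')   # text after NOPASSWD:
        [ "$cmds" = /usr/bin/rsync ] || { echo "too broad: $line"; bad=1; }
    done < "$1"
    [ "$seen" -eq 1 ] || { echo "no backuppc rule in $1"; return 2; }
    return "$bad"
}

# Constructed sample files (not from a real host) exercising both checks.
audit_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'from="backuppc.my.com" ssh-rsa AAAAB3CONSTRUCTED backuppc@server' > "$d/good_keys"
    printf '%s\n' 'ssh-rsa AAAAB3CONSTRUCTED backuppc@server' > "$d/bad_keys"
    printf '%s\n' '#Sudoers file' 'backuppc ALL=NOPASSWD: /usr/bin/rsync' > "$d/good_sudo"
    printf '%s\n' 'backuppc ALL=NOPASSWD: ALL' > "$d/bad_sudo"
    check_authorized_keys "$d/good_keys" && check_sudoers "$d/good_sudo" &&
        ! check_authorized_keys "$d/bad_keys" && ! check_sudoers "$d/bad_sudo"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a client, run as root: `check_authorized_keys /home/backuppc/.ssh/authorized_keys2` and `check_sudoers /etc/sudoers.d/backuppc`; a non-zero exit status means a restriction is missing or broader than the one shown above.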
_______________________________________________
BackupPC-users mailing list
[email protected]
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
