Angus,

Great write-up.  Mine is set up in a similar manner, though I need to find
time to switch out my DSA keys for RSA.

However, I have the following stub for my /etc/sudoers.d:

Cmnd_Alias    BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, /usr/local/sbin/dbdump
backuppc        ALL=NOPASSWD:BACKUP

or

Cmnd_Alias      BACKUP=/usr/bin/tar,/usr/local/bin/rsync
backuppc        ALL=NOPASSWD: BACKUP

on FreeBSD clients (in /usr/local/etc/sudoers.d)

This will accommodate the tar method as well as rsync, plus allow the dbdump
script I wrote to run as a DumpPreUserCmd.

--b

On Sat, Mar 14, 2015 at 7:08 AM, Angus Kerr <an...@tropical.za.net> wrote:

>  Hi
>
> I really struggled to get this working. I thought it might be a good idea
> to update the section.
>
> I've edited the ssh section to tailor it specifically to cater for an
> unprivileged user 'backuppc'
>
> I've included it below, it may be useful to some and hopefully it could be
> incorporated in the documentation to make it easier for users to set this
> up in future.
>
> The text follows below:
>
> *Rsync via OpenSSH using non-privileged user 'backuppc'*
>
> Depending upon your OpenSSH installation, many of these steps can be
> replaced by running the scripts ssh-user-config and ssh-host-config
> included with OpenSSH. You still need to manually exchange the public keys.
>  *BackupPC Server key generation (Do this only once)*
>
> As the BackupPC user (__BACKUPPCUSER__), create a public ssh key on the server.
>
>     ssh-keygen -t rsa
>
>  As a password, you would type nothing (just enter) if you wish BackupPC
> to start automatically. This will save the public key in ~/.ssh/id_rsa.pub
> and the private key in ~/.ssh/id_rsa, (the home folder of backuppc) if
> you don't specify another location.
>
> Make a copy of the public key to avoid confusing it with the client keys
> on the client machines (see later) to make it recognizable, eg:
>
>
>      cp ~/.ssh/id_rsa.pub ~/.ssh/BackupPC_id_rsa.pub
>
>  *See the ssh and sshd manual pages for extra configuration information.*
>
> *Client Non-privileged user Backuppc creation (Do this on each client PC)*
>
> As root on the client machine, create a user called 'backuppc'
>
>                 useradd backuppc
>
> As root, now make a home directory for backuppc
>
>                 mkdir /home/backuppc
>
> As root, make a directory for backuppc's ssh configuration
>
>                 mkdir /home/backuppc/.ssh
>
> As root use visudo to create a sudoers file for backuppc, but with
> permissions only to run rsync.
>
>                 visudo -f /etc/sudoers.d/backuppc
>
> Copy the following text in the file and save it
>
>                 #Sudoers file for backuppc user to run rsync
>
>                 backuppc ALL=NOPASSWD: /usr/bin/rsync
>  *Client Key generation (Do this on each Client PC)*
>
> As root on the client machine, use ssh-keygen to generate a public/private key pair:
>
>    ssh-keygen -t rsa
>
>  This will save the public key in ~/.ssh/id_rsa.pub and the private key
> in ~/.ssh/id_rsa, if you don't specify another location. As a password,
> you would type nothing (just enter) if you wish BackupPC to start
> automatically.
>
> Make a copy of the public key to avoid confusing it with other client keys
> on the backuppc server to make it recognizable, eg:
>
>
>      cp ~/.ssh/id_rsa.pub ~/.ssh/Fred-pc_id_rsa.pub
>
> (if the machine name is Fred-pc)
>
>  Name each public key on each client uniquely, so that they are not
> confused with other client's keys when copied onto the server.
>
>  *Key exchange*
>
> *On Each Client:* To allow BackupPC to ssh to the client
> as the non-privileged user backuppc, you need to place the server
> BackupPC's public key into the backuppc user's authorized list on the
> client. As root, append BackupPC's public key (BackupPC_id_rsa.pub) to
> backuppc's /home/backuppc/.ssh/authorized_keys2 file on the client:
>
>     touch /home/backuppc/.ssh/authorized_keys2
>     cat BackupPC_id_rsa.pub >> /home/backuppc/.ssh/authorized_keys2
>
>  You should edit /home/backuppc/.ssh/authorized_keys2 and add further
> specifiers, eg: from, to limit which hosts can login using this key. For
> example, if your BackupPC host is called backuppc.my.com, there should be
> one line in ~/.ssh/authorized_keys2 that looks like:
>
>     from="backuppc.my.com" ssh-rsa [base64 key, eg: ABwBCEAIIALyoqa8....]
>
>  *On BackupPC Server*
>
> You need to place each client's public key into
> backuppc's ~/.ssh/known_hosts file, otherwise you will get a
>
>     Host key verification failed.
>
>  error, and backuppc will not be able to log into the client. To place
> the client key into the ~/.ssh/known_hosts file, you need to do this
> (make sure ~/.ssh/client_id_rsa.pub is the client's public key, which
> needs to be copied from the client): As user backuppc
>
>     touch ~/.ssh/known_hosts
>     cat ~/.ssh/Fred-pc_id_rsa.pub >> ~/.ssh/known_hosts
>
>  Repeat this step to add each client's key, i.e. Mary-pc_id_rsa.pub and
> whatever the other keys are named.
>
> *Fix permissions*
>
> You will probably
> need to make sure that all the files in ~/.ssh have no group or other
> read/write permission:
>
>     chmod -R go-rwx ~/.ssh
>
>  You should do the same thing for the BackupPC user on the server.
>
> *Testing*
>
> As the BackupPC user on the server, verify that this command:
>
>     ssh -l backuppc clientHostName whoami
>
>  prints
>
>     backuppc
>
>  You might be prompted the first time to accept the client's host key and
> you might be prompted for backuppc's password on the client. Make sure that
> this command runs cleanly with no prompts after the first time. You might
> need to check /etc/hosts.equiv on the client. Look at the man pages for
> more information. The -v option to ssh is a good way to get detailed
> information about what fails.
>
> The above configuration means that the only command that backuppc can run
> is rsync.
>
> You will have to set the RsyncClientCmd to be something like:
>
>     $Conf{RsyncClientCmd} = '$sshPath -l backuppc $host nice -n 19 sudo $rsyncPath $argList+';
>
> <http://backuppc.sourceforge.net/faq/BackupPC.html#item__conf_rsyncclientcmd_>
>
>  In this case the backup is niced so that it doesn't give such a
> performance hit on the client. The same setup works for tar.
>
>
>  Cheers
> Angus
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki:    http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
>
>
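The thread's hardening step is the `from=` restriction on the server key in the client's authorized_keys file, combined with a sudoers stub that limits what the `backuppc` user can run. The script below is an added example, not code from either poster or from BackupPC: it builds that restricted authorized_keys entry (going one step further than the post by also disabling port, X11 and agent forwarding, none of which rsync or tar over ssh needs) and audits an authorized_keys file for entries that carry no `from=` at all. The host name backuppc.my.com and the file name BackupPC_id_rsa.pub are taken from Angus's text; the key material and the sample authorized_keys file are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original thread or of BackupPC.
# Builds a source-restricted authorized_keys entry for the client-side
# 'backuppc' user and audits an authorized_keys file for unrestricted keys.

# Print one authorized_keys line for the server's public key file ($2),
# restricted to logins originating from the BackupPC host ($1) and with
# all forwarding disabled. Only "type base64" is kept; the comment is dropped.
restricted_key_line() {
    host=$1
    keyfile=$2
    key=$(awk 'NF >= 2 { print $1, $2; exit }' "$keyfile")
    [ -n "$key" ] || { echo "no key found in $keyfile" >&2; return 1; }
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$host" "$key"
}

# Print how many active entries in authorized_keys file $1 lack a from=
# restriction. A line whose first field is a key type has no options at
# all; a line with options is unrestricted unless from=" appears in it.
count_unrestricted() {
    awk '
        /^[ \t]*#/ { next }                          # comment
        NF == 0    { next }                          # blank line
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { n++; next }      # key type first: no options
        $0 !~ /(^|,)from="/       { n++ }            # options present, no from=
        END { print n + 0 }
    ' "$1"
}

# --- constructed sample data (placeholder keys, not real ones) ---
SAMPLE_DIR=$(mktemp -d)

# Server public key in ssh-keygen's "type base64 comment" layout
printf 'ssh-rsa AAAAB3FAKEKEYDATA backuppc@backuppc.my.com\n' \
    > "$SAMPLE_DIR/BackupPC_id_rsa.pub"

# A client authorized_keys file mixing restricted and unrestricted entries
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# BackupPC server key, restricted as the post recommends
from="backuppc.my.com" ssh-rsa AAAAB3FAKEKEYDATA backuppc@backuppc.my.com
# a stray key pasted in with no restriction at all
ssh-ed25519 AAAAC3FAKE other@laptop
command="/usr/bin/rsync --server",from="10.0.0.5" ssh-rsa AAAAB3FAKE2 x
EOF

restricted_key_line backuppc.my.com "$SAMPLE_DIR/BackupPC_id_rsa.pub"
echo "unrestricted entries: $(count_unrestricted "$SAMPLE_DIR/authorized_keys")"
```

Two caveats a practitioner will hit with the sudoers half of the setup: check the stub with `visudo -c -f /etc/sudoers.d/backuppc` before relying on it, and on distributions whose /etc/sudoers carries `Defaults requiretty`, the non-interactive `ssh ... sudo rsync` invocation is refused until that default is removed or exempted for the backuppc user. The `from=` pattern is matched by sshd against the connecting address and its resolved name, so it is only as trustworthy as the DNS the client resolves with; an IP address or CIDR pattern avoids that dependency. The post uses the file name authorized_keys2; OpenSSH still reads it by default alongside authorized_keys.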
