It is much better to use SSH certificates, not a great deal of extra work,
but well worth it. Simplifies management and works well for automation.

Best,

Frank

On Thu, Jun 3, 2021 at 5:15 PM David Wright <deb...@lionunicorn.co.uk>
wrote:

> On Sat 29 May 2021 at 18:25:50 (-0400), Bob Weber wrote:
>
> > Now follow the instructions at:
> >
> > https://linuxize.com/post/how-to-setup-passwordless-ssh-login/
> >
> > You will need to follow those instructions for each linux server you
> > want to backup.  The .ssh directory will be under the directory listed
> > in the passwd file (/var/lib/backuppc).  DO NOT USE A PASSWORD TO
> > create the key pair files! They should go into the
> > /var/lib/backuppc/.ssh directory (only do this ONCE!).  In step 03.
> > the username should be root@ip-address (you will need root access on
> > that machine to backup all files from the backuppc user on the
> > backuppc server).  In step 04 you should be able to "ssh
> > root@ip-address" without a password.
>
> I do this as a matter of course when I set up my machines …
>
> > THESE COMMANDS ARE RUN ON EACH SERVER TO BE BACKED UP.
>
> … (not the backuppc stuff, but just the passwordless login) …
>
> > If you can't "ssh root@ip-address" without a password you may also
> > need the line
> >
> > "PermitRootLogin yes"
> >
> > in the /etc/ssh/sshd_config file on each server to be backed up.
>
> I avoid this wrinkle with a trick that's especially simple when it's
> done first thing after installation (but it's easy at any time).
>
> On machine A:
>
>   # ssh-copy-id -i ~/.ssh/id_rsa.pub <sysadminuser>@hostB
>
> where the sysadminuser¹ is as yet unconfigured for passwordless
> login by ssh. On machine B, as sysadminuser:
>
>   $ /bin/su -
>   # mv -i /home/<sysadminuser>/.ssh/authorized_keys /root/.ssh/
>   # chown 0.0 /root/.ssh/authorized_keys
>
> If sysadminuser already had some keys in authorized_keys,
> then root will need to edit the key from the last line of
> /home/<sysadminuser>/.ssh/authorized_keys rather than just
> moving the file (and make sure you don't leave behind a
> backup in /home/<sysadminuser>/.ssh/authorized_keys~).
>
> Alternatively, you can move sysadminuser's authorized_keys
> out of the way while you type the lines shown above, and then
> move it back. (Stay logged in to sysadminuser while you do this.)
>
> > If you want to you can follow the instructions at "Disabling SSH
> > Password Authentication".  Be very careful to follow the instructions
> > closely.  These are not needed to get backuppc running!  You will need
> > to be able to sudo into root from an unprivileged user to get root
> > access so be VERY careful to follow the instructions.
>
> ¹ I'm assuming root and sysadminuser are the same person, and others
>   don't (yet) have access to the machine.
>
> Cheers,
> David.
>
>
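
The case described in the quoted message, where sysadminuser already has keys and only the last line of authorized_keys should go to root, as an added shell example that is not part of the original thread. The function name `move_last_key` and its two path arguments are hypothetical; run it as root on machine B with /home/<sysadminuser>/.ssh/authorized_keys and /root/.ssh.

```shell
#!/bin/sh
# Added example, not from the thread. Moves only the newest key (the line
# ssh-copy-id just appended) from one authorized_keys file to another account.
# Usage: move_last_key SRC_FILE DST_SSH_DIR   (hypothetical names)
move_last_key() {
    src=$1
    dst_dir=$2
    dst=$dst_dir/authorized_keys
    [ -s "$src" ] || { echo "no keys in $src" >&2; return 1; }

    # Last line that is neither blank nor a comment.
    key=$(grep -Ev '^[[:space:]]*(#|$)' "$src" | tail -n 1)
    [ -n "$key" ] || { echo "no key line in $src" >&2; return 1; }

    # sshd's StrictModes expects tight permissions on these paths.
    mkdir -p "$dst_dir" && chmod 700 "$dst_dir" || return 1
    touch "$dst" && chmod 600 "$dst" || return 1
    # Append unless the identical line is already present.
    grep -qxF -e "$key" "$dst" || printf '%s\n' "$key" >> "$dst" || return 1
    # As root, make root the owner, like the chown in the thread.
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$dst_dir" "$dst" || return 1; fi

    # Rewrite the source in place (keeps its owner and mode, creates no
    # authorized_keys~ style backup) with every copy of that key removed.
    rest=$(grep -vxF -e "$key" "$src" || true)
    if [ -n "$rest" ]; then printf '%s\n' "$rest" > "$src"; else : > "$src"; fi

    # Warn about an editor backup that could still hold the key.
    if [ -e "$src~" ]; then echo "warning: $src~ exists, check it" >&2; fi
    return 0
}
```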
