Re: [BackupPC-users] ssh+rsync and known_hosts
>On 7/22/23 11:59 AM, Kenneth Porter wrote:
>> I'm setting up some Raspberry Pis and I set up BackupPC to back them up
>> using ssh+rsync. I installed the key in ~backuppc/.ssh/authorized_keys but
>> the initial backup was still failing. So I tried manually ssh'ing into the
>> Pi and discovered I was hitting the question to add the Pi to known_hosts. I
>> don't see this mentioned in the documentation. I'm not sure where it would
>> even go, but I wanted to mention it as I'll likely forget this a year from
>> now.
>
> I have learned from past experience to login to the backuppc user and SSH to the remote client using the client host name from the client configuration file. This ensures I have everything set up properly and also adds the client to known_hosts.

___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/
Re: [BackupPC-users] ssh+rsync and known_hosts
If you use:

UserKnownHostsFile /dev/null
StrictHostKeyChecking no

in the backuppc user's ~/.ssh/config or some other equivalent, you can bypass that manual check. Of course it disables some security features, but for my purposes this is acceptable.

Regards,

On 7/22/23 11:59 AM, Kenneth Porter wrote:
> I'm setting up some Raspberry Pis and I set up BackupPC to back them up using ssh+rsync. I installed the key in ~backuppc/.ssh/authorized_keys but the initial backup was still failing. So I tried manually ssh'ing into the Pi and discovered I was hitting the question to add the Pi to known_hosts. I don't see this mentioned in the documentation. I'm not sure where it would even go, but I wanted to mention it as I'll likely forget this a year from now.
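Added example, not part of any message in this thread: one way to get past the known_hosts prompt without `UserKnownHostsFile /dev/null` and `StrictHostKeyChecking no` is to pin each client's host key only after its fingerprint matches one read out of band. The host names, the `sample_blob` helper and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_scan_line(line):
    """Split one 'host keytype base64blob' line (ssh-keyscan / known_hosts format)."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line is truncated or was altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError(f"key type mismatch for {host}")
    return host, blob

def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pin_verified(scan_output, expected):
    """Return (lines safe to append to known_hosts, [(host, fingerprint)] rejected).
    `expected` maps host -> fingerprint read out of band, e.g. on the Pi's console."""
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, blob = parse_scan_line(line)
        if expected.get(host) == fingerprint(blob):
            accepted.append(line.strip())
        else:
            rejected.append((host, fingerprint(blob)))
    return accepted, rejected

def sample_blob(seed):
    """Constructed ed25519-shaped blob for the demo (not a real host key)."""
    kt = b"ssh-ed25519"
    key = bytes((seed + i) % 256 for i in range(32))
    return struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + key

# Constructed sample: two hypothetical Pis; pi2 presents an unexpected key.
GOOD, BAD = sample_blob(1), sample_blob(99)
SCAN = "\n".join(f"{h} ssh-ed25519 {base64.b64encode(b).decode()}"
                 for h, b in (("pi1.example", GOOD), ("pi2.example", BAD)))
EXPECTED = {"pi1.example": fingerprint(GOOD), "pi2.example": fingerprint(GOOD)}

if __name__ == "__main__":
    print(pin_verified(SCAN, EXPECTED))
```

In practice the scan text comes from `ssh-keyscan` run as the backuppc user and the expected fingerprints from `ssh-keygen -lf` on each client's host public key file. With the accepted lines appended to ~backuppc/.ssh/known_hosts, host key checking can stay enabled and a later key change fails the backup instead of passing unnoticed.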
Re: [BackupPC-users] ssh+rsync and known_hosts
On 7/23/2023 11:42 AM, backu...@kosowsky.org wrote:
> While allowing root permissions to rsync is a pretty big security hole itself, it is a little less drastic than simply logging in as root.

On my more sensitive machines, I run rsyncd in read-only mode with exclusions. I do wish rsyncd offered an only-one-filesystem feature so I don't have to remember all the mount points to exclude.
Re: [BackupPC-users] ssh+rsync and known_hosts
Paul Fox wrote at about 12:46:18 -0400 on Saturday, July 22, 2023:
> Kenneth Porter wrote:
> > I'm setting up some Raspberry Pis and I set up BackupPC to back them up
> > using ssh+rsync. I installed the key in ~backuppc/.ssh/authorized_keys but
> > the initial backup was still failing.
>
> Unless things have changed (and they might have, but I still do it
> this way), then the public key needs to go into /root/.ssh/authorized_keys.
> Backuppc (on your backuppc server) needs root access to the client in
> order to be able to read all of the files it needs. (You could use a
> different user id on the client if you're sure that user can read all
> the files which need to be backed up.)

On my Linux machines (including RPis), I prefer to create a separate backuppc client account and then give it the necessary restricted privileges using sudo. For example, I add this to my /etc/sudoers file on each relevant Linux client:

#BackupPC
#Don't require tty for user 'backuppcClient'
Defaults:backuppcClient !requiretty
#Allow user 'backuppcClient' to run sudo rsync to avoid need for ssh root@localhost:
#Note for rsync < 3.1.x, string to sender can be either: -slHogDtpAXrcxe.iLsf (full) or -slHogDtpAXrxe.iLsf (incremental)
#backuppcClient ALL=NOPASSWD: /usr/bin/rsync --server --sender -slHogDtpAXrxe.iLsf, /usr/bin/rsync --server --sender -slHogDtpAXrcxe.iLsf
#Note for rsync >= 4.x, string to sender can be either: -slHogDtpAXrcxe.iLsfxC (full) or -slHogDtpAXrxe.iLsfxC (incremental)
backuppcClient ALL=NOPASSWD: /usr/bin/rsync --server --sender -slHogDtpAXrxe.iLsfxC, /usr/bin/rsync --server --sender -slHogDtpAXrcxe.iLsfxC

While allowing root permissions to rsync is a pretty big security hole itself, it is a little less drastic than simply logging in as root.

>
> > So I tried manually ssh'ing into the
> > Pi and discovered I was hitting the question to add the Pi to known_hosts.
> > I don't see this mentioned in the documentation. I'm not sure where it
> > would even go, but I wanted to mention it as I'll likely forget this a year
> > from now.
>
> You should be trying to manually ssh from the backuppc account, and
> you should be trying to become root on the client. I usually do this:
>
> sudo su - backuppc # take on the identity of backuppc
> ssh root@clientmachine # log in to the client as root
> id # verify identity on client
> exit # leave the client
> exit # resume your normal identity
>

If you use my approach, then you would:
ssh backuppcClient@clientmachine

> When you hit that "add to known hosts?" question from ssh, just answer
> "yes". ssh will put the key in the right place (which is in
> ~backuppc/ssh/known_hosts). Don't forget to exit out of both the ssh
> and the "sudo su" after you've tested.
>
> paul
> =--
> paul fox, p...@foxharp.boston.ma.us (arlington, ma, where it's 73.1 degrees)
Re: [BackupPC-users] ssh+rsync and known_hosts
--On Saturday, July 22, 2023 1:46 PM -0400 Paul Fox wrote:
> You should be trying to manually ssh from the backuppc account

You'd think, but that's the last thing I tried, not the first. I was trying to diagnose the problem by running BackupPC_dump (as user backuppc) and trying to debug from the resulting output. But the only clue there was the refused handshake. I thought the key was wrong, when it was the missing entry in known_hosts that was the problem.

With this exchange, perhaps the next person who runs into this will find the solution in the Google results.
Re: [BackupPC-users] ssh+rsync and known_hosts
Kenneth Porter wrote:
> I'm setting up some Raspberry Pis and I set up BackupPC to back them up
> using ssh+rsync. I installed the key in ~backuppc/.ssh/authorized_keys but
> the initial backup was still failing.

Unless things have changed (and they might have, but I still do it this way), then the public key needs to go into /root/.ssh/authorized_keys. Backuppc (on your backuppc server) needs root access to the client in order to be able to read all of the files it needs. (You could use a different user id on the client if you're sure that user can read all the files which need to be backed up.)

> So I tried manually ssh'ing into the
> Pi and discovered I was hitting the question to add the Pi to known_hosts.
> I don't see this mentioned in the documentation. I'm not sure where it
> would even go, but I wanted to mention it as I'll likely forget this a year
> from now.

You should be trying to manually ssh from the backuppc account, and you should be trying to become root on the client. I usually do this:

sudo su - backuppc # take on the identity of backuppc
ssh root@clientmachine # log in to the client as root
id # verify identity on client
exit # leave the client
exit # resume your normal identity

When you hit that "add to known hosts?" question from ssh, just answer "yes". ssh will put the key in the right place (which is in ~backuppc/ssh/known_hosts). Don't forget to exit out of both the ssh and the "sudo su" after you've tested.

paul
=--
paul fox, p...@foxharp.boston.ma.us (arlington, ma, where it's 73.1 degrees)
[BackupPC-users] ssh+rsync and known_hosts
I'm setting up some Raspberry Pis and I set up BackupPC to back them up using ssh+rsync. I installed the key in ~backuppc/.ssh/authorized_keys but the initial backup was still failing. So I tried manually ssh'ing into the Pi and discovered I was hitting the question to add the Pi to known_hosts. I don't see this mentioned in the documentation. I'm not sure where it would even go, but I wanted to mention it as I'll likely forget this a year from now.