Re: [gentoo-amd64] Local network backup

2007-09-17 Thread Hamish
On Friday 14 September 2007 12:42, Peter Humphrey wrote:
> On Friday 14 Sep 2007, Hamish wrote:
> > With ssh you can use a public/private keypair to do the authentications.
> > The sequence is something like
> >
> > 1. Create a keypair on the CLIENT side of the connection
> > 2. Copy the PUBLIC part of the keypair from the client to the server and
> > append to the file ~/.ssh/authorized_keys
> >
> > That's it...
>
> Except that now, instead of being asked for a password, I'm asked for the
> pass-phrase that belongs to the ssh key.
>

Then generate a keypair WITHOUT a passphrase...

Hamish.
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-16 Thread Etaoin Shrdlu
On Sunday 16 September 2007, Peter Humphrey wrote:

> This looks interesting - thanks. One thing - is it possible to install
> it on a box with no Web server? I tried the emerge just now and got
> fatal errors from webapp-config. I'll have a browse of the mailing
> list archives and see what I can turn up.

It probably can be done, but not through portage. My installation uses 
it, so I have no definitive answer. 
However, I guess that, with a manual installation and a considerable 
amount of tweaking, you could make it work that way (even though the 
docs list apache as a prerequisite).
However, consider that, without the web interface, you lose the ability 
to browse through the backups and start backups and restores in a very 
simple way. While backups and restores can still be started running the 
appropriate scripts from the command line, restoring selected files or 
directories and (most important) browsing existing backups becomes 
nearly impossible, since the data is saved in a format quite difficult 
to interpret with a normal file manager or using command line tools (ls, 
find, etc.).
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-16 Thread Peter Humphrey
On Saturday 15 Sep 2007, Etaoin Shrdlu wrote:

> FWIW, I use app-backup/backuppc to backup some boxes. It runs as a daemon
> (ie, not from a cron job), can use a variety of transport protocols
> (ssh, rsync, smb - this lets you backup windows boxes), runs as an
> unprivileged user on the server, does not require anything to be
> installed on the clients, is highly configurable, and can be controlled
> using a nice web interface (ie, backups can be automatically initiated
> by the server or clients can request a backup of their box).
>
> hth

This looks interesting - thanks. One thing - is it possible to install it on a 
box with no Web server? I tried the emerge just now and got fatal errors from 
webapp-config. I'll have a browse of the mailing list archives and see what I 
can turn up.

-- 
Rgds
Peter.
Linux Counter 5290, Aug 93
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-15 Thread Volker Armin Hemmann
On Friday, 14 September 2007, Peter Humphrey wrote:
> Here's today's problem.
>
> I have a firewall-cum-gateway box between my tiny LAN and the Internet. The
> gateway runs constantly, while the internal boxes run when needed (they're
> my laptop and workstation). I want to use some space on the gateway to
> store backups of the other boxes, and I'd like the backup to run unattended
> at a time when the others are likely to be running. This seems not to be
> possible without security risks.

So you want to store your most sensitive data on the box most exposed to 
attacks?

Doesn't that sound strange, when you think about it?
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-15 Thread Etaoin Shrdlu
On Saturday 15 September 2007, Peter Humphrey wrote:

> In that case, either I'm not reading it straight or I'm doing
> something wrong in setting it up for myself. I'd better have another
> go.
>
> Thanks for your help.

FWIW, I use app-backup/backuppc to backup some boxes. It runs as a daemon 
(ie, not from a cron job), can use a variety of transport protocols 
(ssh, rsync, smb - this lets you backup windows boxes), runs as an 
unprivileged user on the server, does not require anything to be 
installed on the clients, is highly configurable, and can be controlled 
using a nice web interface (ie, backups can be automatically initiated 
by the server or clients can request a backup of their box).

Downsides: 
- the portage version is not the latest (2.1.something vs. 
3.0.something), but there is an experimental ebuild for the latest 
version in bugzilla (I have not tried it though);
- if you want passwordless ssh root logins on the clients but your ssh 
key is protected by a passphrase, you have to login as user backuppc and 
start the daemon manually to enter the ssh passphrase (instead of using 
the provided /etc/init.d script), but, as I said, this is a minor 
nuisance, and has to be done only once when the machine is rebooted. If 
your ssh key does not have a passphrase, there are no problems at all.

hth
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-15 Thread Peter Humphrey
On Saturday 15 Sep 2007, Etaoin Shrdlu wrote:
> On Saturday 15 September 2007, Peter Humphrey wrote:
> > Those are the articles I said I'd read in my first e-mail. They make
> > it clear that ssh is intended for interactive use only.
>
> They also make clear that, using keychain, ssh can be used from cron jobs
> too (as others have also said) to allow passwordless logins. All you

In that case, either I'm not reading it straight or I'm doing something wrong 
in setting it up for myself. I'd better have another go.

Thanks for your help.

-- 
Rgds
Peter.
Linux Counter 5290, Aug 93
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-15 Thread Etaoin Shrdlu
On Saturday 15 September 2007, Peter Humphrey wrote:

> On Friday 14 Sep 2007, Etaoin Shrdlu wrote:
> > Or, you can use keychain.
> > Read these articles for a good introduction to keychain (and ssh key
> > management):
> >
> > http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml
> > http://www.gentoo.org/doc/en/articles/openssh-key-management-p2.xml
> > http://www.gentoo.org/doc/en/articles/openssh-key-management-p3.xml
>
> Those are the articles I said I'd read in my first e-mail. They make
> it clear that ssh is intended for interactive use only.

They also make clear that, using keychain, ssh can be used from cron jobs 
too (as others have also said) to allow passwordless logins. All you 
have to do is log in once when the box is booted, so that the necessary 
environment is established, and from then the necessary files can be 
sourced from wherever you like, including scripts run from cron jobs.
If the uptime of your system is high enough, this means logging in once 
every several months or so, and forgetting about the whole thing.

"And because SSH_AUTH_SOCK is recorded in ~/.ssh-agent, our own shell 
scripts and cron jobs can easily connect with ssh-agent just by sourcing 
the ~/.ssh-agent file". Things are a little different with the newer 
versions of keychain, but the fact that cron jobs can do passwordless 
logins using keychain still is true (also because I use it all the 
time).
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-15 Thread Peter Humphrey
On Friday 14 Sep 2007, Etaoin Shrdlu wrote:

> Or, you can use keychain.
> Read these articles for a good introduction to keychain (and ssh key
> management):
>
> http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml
> http://www.gentoo.org/doc/en/articles/openssh-key-management-p2.xml
> http://www.gentoo.org/doc/en/articles/openssh-key-management-p3.xml

Those are the articles I said I'd read in my first e-mail. They make it clear 
that ssh is intended for interactive use only.

-- 
Rgds
Peter.
Linux Counter 5290, Aug 93
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Jack Lloyd
On Fri, Sep 14, 2007 at 05:32:14PM +0100, Mike Williams wrote:

> man sshd
> AUTHORIZED_KEYS FILE FORMAT
> 
> Lots of interesting goodies.

Thanks! I was almost certain I had used that a couple years back but
couldn't find a mention of it anywhere in the ssh_config or
sshd_config man pages so I was becoming doubtful of my memory.

-Jack
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Steve Herber

I use net-misc/keychain to manage my ssh keys.  My backup machine root account 
has this sequence in the .bash_profile file:

keychain ~/.ssh/id_dsa
. ~/.keychain/$HOSTNAME-sh

If I reboot the backup machine I need to remember to login as root.
The keychain program checks to see if it has the key in memory and only
asks for the password the first time.

I use this as part of my rsnapshot backup system.


Steve Herber[EMAIL PROTECTED]   work: 206-221-7262
Security Engineer, UW Medicine, IT Services home: 425-454-2399

On Fri, 14 Sep 2007, Jordi Molina wrote:

> On 9/14/07, Peter Humphrey <[EMAIL PROTECTED]> wrote:
>
> > Except that now, instead of being asked for a password, I'm asked for the
> > pass-phrase that belongs to the ssh key.
>
> Create it w/o passphrase.
>
> It's not a big security risk, just ensure that the access of the user
> in the fw machine has restrictive access over its home and that it
> can't su/sudo to root.
>
> Any backup application that sends data unattended will have the same
> security concerns, from my point of view it'd be senseless to start
> now a discussion about this, again.
>
> --
> Jordi Molina Casas (warp3r)
> mail: [EMAIL PROTECTED] 4BC8 8150 7B1A FC24 FBAD  7B07 FE90 F300 4F36 3BF7
> mail: [EMAIL PROTECTED] 2F91 EF95 229E FC31 18C0  05C3 B320 22DA 8C03 F33E
> www: www.warp3r.com
> --
> [EMAIL PROTECTED] mailing list


--
[EMAIL PROTECTED] mailing list
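Steve's two .bash_profile lines above, and Etaoin Shrdlu's description of the same technique earlier in the thread, leave one thing unsaid: what the cron job should do when the agent is not there, which is exactly the state of the gateway after a reboot until root has logged in once. The following is an added example, not code from the thread or from the keychain project. It is a small wrapper that root's crontab runs instead of calling rsnapshot directly: it reads SSH_AUTH_SOCK out of the keychain file without sourcing it, checks that the agent is alive and actually holds a key, and only then runs rsnapshot; otherwise it logs one line and exits rather than hanging on a passphrase prompt nobody can answer. The script name rsnapshot-cron.sh, the sample socket path and the keychain file contents used for the checks are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from keychain itself. A cron
# wrapper for rsnapshot that reuses the ssh-agent keychain left running after
# root's one interactive login, and refuses to start when that agent is gone
# (right after a reboot, before anyone has logged in) instead of hanging on a
# passphrase prompt cron cannot answer.
#
# Assumptions: keychain wrote $HOME/.keychain/<hostname>-sh, rsnapshot is run
# as "rsnapshot daily" etc., and this file is installed as rsnapshot-cron.sh.

KEYCHAIN_ENV="${HOME}/.keychain/${HOSTNAME:-$(hostname)}-sh"

# Read SSH_AUTH_SOCK out of a keychain env file without sourcing it. The file
# has the shape of ssh-agent -s output:
#   SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.1234; export SSH_AUTH_SOCK;
agent_socket_from_file() {
    [ -r "$1" ] || return 1
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1"
}

# Exit codes follow ssh-add -l: 0 = agent reachable and holds keys,
# 1 = agent reachable but empty, 2 = no usable agent.
agent_ready() {
    sock=$(agent_socket_from_file "$1") || return 2
    [ -n "$sock" ] || return 2
    [ -S "$sock" ] || return 2        # stale file: the agent died with the last boot
    SSH_AUTH_SOCK="$sock"; export SSH_AUTH_SOCK
    ssh-add -l >/dev/null 2>&1
}

# Run the backup only when invoked as the cron script itself.
if [ "${0##*/}" = "rsnapshot-cron.sh" ]; then
    interval="${1:-daily}"
    if agent_ready "$KEYCHAIN_ENV"; then
        exec rsnapshot "$interval"
    fi
    logger -t rsnapshot-cron "no ssh-agent with keys behind $KEYCHAIN_ENV; skipping $interval (log in as root once after boot)"
    exit 1
fi
```

Root's crontab then carries a line such as 30 2 * * * /root/bin/rsnapshot-cron.sh daily, and rsnapshot.conf gets ssh_args -o BatchMode=yes so that, should the agent vanish mid-run, ssh fails at once instead of waiting for a passphrase. The trade-off is the one the posts above already describe: the decrypted key sits in the agent's memory on the gateway for as long as the box is up, so root there has it either way; what the passphrase still buys is that a copy of id_dsa lifted off the disk is useless by itself.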



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Mike Williams
On Friday 14 September 2007 17:10:54 Jack Lloyd wrote:
> I had thought OpenSSH had some facility built in for limiting what
> particular users could do (so you could create an account that can
> only be used for sftp transfers, and sshd would not allow that user to
> get a tty or shell), but I can't seem to find anything about that in
> the man page, so I may just be imagining this feature.

man sshd
AUTHORIZED_KEYS FILE FORMAT

Lots of interesting goodies.

-- 
Mike Williams
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Jack Lloyd
On Fri, Sep 14, 2007 at 03:34:06PM +0200, Jordi Molina wrote:

> It's not a big security risk, just ensure that the access of the user
> in the fw machine has restrictive access over its home and that it
> can't su/sudo to root.

You can use something like scponly, to keep anyone who steals the key
from getting shell access to your firewall:

http://sublimation.org/scponly/wiki/index.php/Main_Page

You could also limit where logins come from via AllowUsers in your
sshd config.

I had thought OpenSSH had some facility built in for limiting what
particular users could do (so you could create an account that can
only be used for sftp transfers, and sshd would not allow that user to
get a tty or shell), but I can't seem to find anything about that in
the man page, so I may just be imagining this feature.

-Jack
--
[EMAIL PROTECTED] mailing list
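Mike points at the AUTHORIZED_KEYS FILE FORMAT section of sshd(8), and Jack is after an account that can be used for one purpose only; the two fit together. What follows is an added example, not code posted in the thread: the authorized_keys line the gateway's backup account would carry for the client's passphrase-less key, plus the forced-command wrapper that line points at, which lets the client run nothing but an rsync push into the backup directory. The account name backup, the paths under /home/backup, the wrapper name backup-only.sh and the client address 192.168.1.10 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. One authorized_keys line on the
# gateway for the client's passphrase-less backup key, and the forced command
# it points at. sshd ignores whatever the client asked to run and executes the
# command= program instead, passing the original request in SSH_ORIGINAL_COMMAND;
# the wrapper then allows only an rsync push into BACKUP_ROOT.
#
# Hypothetical names: backup account "backup", snapshots under /home/backup/store,
# this file installed as /home/backup/bin/backup-only.sh, client at 192.168.1.10.

BACKUP_ROOT="/home/backup/store"

# Emit one authorized_keys line.
# $1 = public key text, $2 = client address allowed to use it, $3 = wrapper path.
build_authorized_keys_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$3" "$1"
}

# Append the entry with the modes sshd's StrictModes requires:
# ~/.ssh 0700, authorized_keys 0600, both owned by the account.
install_entry() {
    sshdir="$1"; entry="$2"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    printf '%s\n' "$entry" >> "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
}

# Is the requested command an rsync push into BACKUP_ROOT? 0 = allow, 1 = refuse.
check_client_command() {
    cmd="$1"
    nl=$(printf '\nx'); nl=${nl%x}
    # Anything that would mean a second command or a redirection is out.
    case "$cmd" in
        *\;*|*\|*|*\&*|*\$*|*\`*|*\<*|*\>*|*"$nl"*) return 1 ;;
    esac
    # Must be rsync in server (receiving) mode. --sender would let the key read
    # files off the gateway instead of writing to it.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    case " $cmd " in
        *" --sender "*) return 1 ;;
    esac
    # rsync puts the destination last; it must be BACKUP_ROOT or below it,
    # with no ".." component.
    dest="${cmd##* }"
    case "$dest" in
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "/$dest/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Forced-command entry point: sshd sets SSH_ORIGINAL_COMMAND when it runs us.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_client_command "$SSH_ORIGINAL_COMMAND"; then
        # Split the vetted string into words and exec rsync directly, never via a shell.
        set -- $SSH_ORIGINAL_COMMAND
        shift
        exec rsync "$@"
    fi
    echo "backup-only: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Install the wrapper as /home/backup/bin/backup-only.sh, mode 755, and create the key on the client with ssh-keygen -t rsa -N '' -f ~/.ssh/backup_key (empty passphrase, as Hamish and Jordi suggest). In sshd_config on the gateway, AllowUsers backup@192.168.1.10 keeps the account from being reachable through the outside interface at all; from= also accepts patterns such as 192.168.1.*. The wrapper's check is a whitelist: rsync's server mode puts the destination last, so a client that asks for anything else, including a pull with --sender or a path outside the store, is simply refused, which is the intended failure for a stolen key.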



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Wil Reichert
On 9/14/07, Peter Humphrey <[EMAIL PROTECTED]> wrote:
> On Friday 14 Sep 2007, Wil Reichert wrote:
> > I'm assuming since you're asking this question your firewall is locked down
> > pretty tight.
>
> Not particularly, but it seems silly to take needless risks. It has shorewall
> to manage iptables, but I still let it run squid, ntpd, dnsmasq and a few
> other little goodies. I suppose I rely on shorewall to keep me safe.
>
> > That said, backing up your personal data to it seems like a not very good
> > idea. Were you planning on encrypting it or something?
>
> I see what you mean, but really the main use of the backup would be to recover
> a working system to a damaged box (I can be just as clumsy in admin as anyone
> else), rather than spending a week or more rebuilding it from source. User
> data could perhaps be backed up elsewhere - I have a handy little USB disk
> that would do nicely.
>
> > Who uses your internal network seems to be the variable here. Is this at
> > work or home?
>
> The clue was in "my tiny LAN" which means my own  :-)
>
> > Is there a wireless router thrown in there somewhere?
>
> The one wireless link is between the laptop and an access point; the WAP is
> connected to an Ethernet switch which lives between the workstation and the
> gateway. Why do you ask?

Shorewall is good =)

If its your own private LAN with no (few?) external users, why bother
with ssh & encrypting traffic?

Wil
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Jordi Molina
On 9/14/07, Etaoin Shrdlu <[EMAIL PROTECTED]> wrote:

> Or, you can use keychain.

It's an interesting tool, though it forces you to log in at least once
before the scripts (supposedly located at cron) run. If the scripts are
going to be run directly from the shell then it may be useful.


-- 
Jordi Molina Casas (warp3r)
mail: [EMAIL PROTECTED] 4BC8 8150 7B1A FC24 FBAD  7B07 FE90 F300 4F36 3BF7
mail: [EMAIL PROTECTED] 2F91 EF95 229E FC31 18C0  05C3 B320 22DA 8C03 F33E
www: www.warp3r.com
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Etaoin Shrdlu
On Friday 14 September 2007, Jordi Molina wrote:

> On 9/14/07, Peter Humphrey <[EMAIL PROTECTED]> wrote:
> > Except that now, instead of being asked for a password, I'm asked
> > for the pass-phrase that belongs to the ssh key.
>
> Create it w/o passphrase.
>
> It's not a big security risk, just ensure that the access of the user
> in the fw machine has restrictive access over its home and that it
> can't su/sudo to root.
>
> Any backup application that sends data unattended will have the same
> security concerns, from my point of view it'd be senseless to start
> now a discussion about this, again.

Or, you can use keychain.
Read these articles for a good introduction to keychain (and ssh key 
management):

http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml
http://www.gentoo.org/doc/en/articles/openssh-key-management-p2.xml
http://www.gentoo.org/doc/en/articles/openssh-key-management-p3.xml

http://www.gentoo.org/proj/en/keychain/index.xml

HTH
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Jordi Molina
On 9/14/07, Peter Humphrey <[EMAIL PROTECTED]> wrote:
>
> Except that now, instead of being asked for a password, I'm asked for the
> pass-phrase that belongs to the ssh key.
>

Create it w/o passphrase.

It's not a big security risk, just ensure that the access of the user
in the fw machine has restrictive access over its home and that it
can't su/sudo to root.

Any backup application that sends data unattended will have the same
security concerns, from my point of view it'd be senseless to start
now a discussion about this, again.

-- 
Jordi Molina Casas (warp3r)
mail: [EMAIL PROTECTED] 4BC8 8150 7B1A FC24 FBAD  7B07 FE90 F300 4F36 3BF7
mail: [EMAIL PROTECTED] 2F91 EF95 229E FC31 18C0  05C3 B320 22DA 8C03 F33E
www: www.warp3r.com
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Peter Humphrey
On Friday 14 Sep 2007, Peter Humphrey wrote:

> So far I haven't tried specifying a remote destination to rsnapshot, which
> seems to assume it will be running on the backup host. If that's feasible,
> of course I'd prefer to do so. I'll try it and see. 

Nope. Only local paths can be specified as backup destinations 
in /etc/rsnapshot.conf.

Now I'm reduced to contemplating the use of rsnapshot to maintain a local 
backup of the system and using rsync to keep a copy of it on the server. 
Bizarre.

-- 
Rgds
Peter.
Linux Counter 5290, Aug 93
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Peter Humphrey
On Friday 14 Sep 2007, Wil Reichert wrote:
> I'm assuming since you're asking this question your firewall is locked down
> pretty tight.

Not particularly, but it seems silly to take needless risks. It has shorewall 
to manage iptables, but I still let it run squid, ntpd, dnsmasq and a few 
other little goodies. I suppose I rely on shorewall to keep me safe.

> That said, backing up your personal data to it seems like a not very good
> idea. Were you planning on encrypting it or something?

I see what you mean, but really the main use of the backup would be to recover 
a working system to a damaged box (I can be just as clumsy in admin as anyone 
else), rather than spending a week or more rebuilding it from source. User 
data could perhaps be backed up elsewhere - I have a handy little USB disk 
that would do nicely.

> Who uses your internal network seems to be the variable here. Is this at
> work or home?

The clue was in "my tiny LAN" which means my own  :-) 

> Is there a wireless router thrown in there somewhere? 

The one wireless link is between the laptop and an access point; the WAP is 
connected to an Ethernet switch which lives between the workstation and the 
gateway. Why do you ask?

-- 
Rgds
Peter.
Linux Counter 5290, Aug 93
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Peter Humphrey
On Friday 14 Sep 2007, Hamish wrote:

> With ssh you can use a public/private keypair to do the authentications.
> The sequence is something like
>
> 1. Create a keypair on the CLIENT side of the connection
> 2. Copy the PUBLIC part of the keypair from the client to the server and
> append to the file ~/.ssh/authorized_keys
>
> That's it...

Except that now, instead of being asked for a password, I'm asked for the 
pass-phrase that belongs to the ssh key.

> Note that [...] that if you're doing this as root @ the server (Root at the
> client is fine, in fact usually required :), then (A) you shouldn't be

I agree. So far I haven't tried specifying a remote destination to rsnapshot, 
which seems to assume it will be running on the backup host. If that's 
feasible, of course I'd prefer to do so. I'll try it and see.

> (B) you might need to enable root login on sshd (In sshd_config on the
> server side). 
>
> Hamish.

Thanks for your thoughts.

-- 
Rgds
Peter.
Linux Counter 5290, Aug 93
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Wil Reichert
I'm assuming since you're asking this question your firewall is locked
down pretty tight.  That said, backing up your personal data to it
seems like a not very good idea.  Were you planning on encrypting it
or something?  Anyway...

Who uses your internal network seems to be the variable here.  Is this
at work or home?  Is there a wireless router thrown in there
somewhere?

Wil

On 9/14/07, Peter Humphrey <[EMAIL PROTECTED]> wrote:
> Here's today's problem.
>
> I have a firewall-cum-gateway box between my tiny LAN and the Internet. The
> gateway runs constantly, while the internal boxes run when needed (they're my
> laptop and workstation). I want to use some space on the gateway to store
> backups of the other boxes, and I'd like the backup to run unattended at a
> time when the others are likely to be running. This seems not to be possible
> without security risks.
>
> I've looked through all the Gentoo app-backup packages and found very few that
> are suitable for use out of the box. Ssh figures in them all, which is a good
> thing I suppose - except that I can't find a way to have ssh or scp run
> unattended.
>
> Take rsnapshot, for instance. This looks like just what I need: automation via
> cron, history extending from hours to months, easy restoration and so on. It
> uses rsync, which can run either natively, which I'm not sure is prudent over
> the LAN, or over ssh. So in trying to set rsnapshot up to use ssh, and
> following the admirable guide by Daniel Robbins, I find that in order to
> avoid having to give a password every time a snapshot is taken, I have to
> remain logged in as root. This is not a good idea on a firewall box.
>
> So I seem to have a choice: (i) run my backups manually, (ii) run them without
> ssh. You see my dilemma.
>
> --
> Rgds
> Peter.
> Linux Counter 5290, Aug 93
> --
> [EMAIL PROTECTED] mailing list
>
>
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-amd64] Local network backup

2007-09-14 Thread Hamish
On Friday 14 September 2007 10:22, Peter Humphrey wrote:
> Here's today's problem.
>
> I have a firewall-cum-gateway box between my tiny LAN and the Internet. The
> gateway runs constantly, while the internal boxes run when needed (they're
> my laptop and workstation). I want to use some space on the gateway to
> store backups of the other boxes, and I'd like the backup to run unattended
> at a time when the others are likely to be running. This seems not to be
> possible without security risks.
>
> I've looked through all the Gentoo app-backup packages and found very few
> that are suitable for use out of the box. Ssh figures in them all, which is
> a good thing I suppose - except that I can't find a way to have ssh or scp
> run unattended.

With ssh you can use a public/private keypair to do the authentications. The 
sequence is something like

1. Create a keypair on the CLIENT side of the connection
2. Copy the PUBLIC part of the keypair from the client to the server and 
append to the file ~/.ssh/authorized_keys

That's it... Note that directory permissions and ownerships are very much 
required to be correct. And also that if you're doing this as root @ the 
server (Root at the client is fine, in fact usually required :), then (A) you 
shouldn't be (B) you might need to enable root login on sshd (In sshd_config 
on the server side).

Hamish.
-- 
[EMAIL PROTECTED] mailing list



[gentoo-amd64] Local network backup

2007-09-14 Thread Peter Humphrey
Here's today's problem.

I have a firewall-cum-gateway box between my tiny LAN and the Internet. The 
gateway runs constantly, while the internal boxes run when needed (they're my 
laptop and workstation). I want to use some space on the gateway to store 
backups of the other boxes, and I'd like the backup to run unattended at a 
time when the others are likely to be running. This seems not to be possible 
without security risks.

I've looked through all the Gentoo app-backup packages and found very few that 
are suitable for use out of the box. Ssh figures in them all, which is a good 
thing I suppose - except that I can't find a way to have ssh or scp run 
unattended.

Take rsnapshot, for instance. This looks like just what I need: automation via 
cron, history extending from hours to months, easy restoration and so on. It 
uses rsync, which can run either natively, which I'm not sure is prudent over 
the LAN, or over ssh. So in trying to set rsnapshot up to use ssh, and 
following the admirable guide by Daniel Robbins, I find that in order to 
avoid having to give a password every time a snapshot is taken, I have to 
remain logged in as root. This is not a good idea on a firewall box.

So I seem to have a choice: (i) run my backups manually, (ii) run them without 
ssh. You see my dilemma.

-- 
Rgds
Peter.
Linux Counter 5290, Aug 93
-- 
[EMAIL PROTECTED] mailing list