I set up a bacula client through an SSH tunnel, and have a few 
improvements over the documented method. So I wrote a new one - if there 
is interest, feel free to snag it for your documentation!

--------------------------

Using an SSH tunnel with Bacula

Credit goes to Stephan Holl and Joshua Eugler, who wrote earlier 
documents and scripts that document the basic idea of an SSH tunnel.

This is a similar approach, but different in some subtle but important 
details. Most importantly, this approach allows you to use the same 
Storage daemon for both local clients and clients through an SSH tunnel.

This is important because you can use the same pool and schedule for both.

I also changed the way SSH is invoked to make it self-closing. The 
tunnel will simply disappear as soon as the backup is completed.

1. What you need

On the bacula-director side:
- bacula director running as user "bacula", and fully configured and 
working using the standard ports 9101-9103. You can only have one 
Storage Daemon in your configuration. Make sure the Storage resource 
uses an FQDN; do not use IP addresses.
- openssh
- an available port to listen on, in addition to bacula's standard 
9101-9103. I chose 9112.
- the firewall must be open on localhost, ports 9101 and 9103.

On the bacula client side:
- bacula-fd installed.
- a user account with minimal permissions. Let's call it "tunneluser". 
This account will only serve as end point for the SSH tunnel. For 
security reasons, DO NOT use the root account.
- The firewall must be open on localhost, port 9101, 9102 and 9103. It 
is not necessary to open these ports on the network.

2. Setting up OpenSSH on the server side
First, we need to set up ssh for the bacula user, since this is the user 
name the director uses:

Log on as user "bacula" (you may have to log on as root, and then use 
the "su - bacula" command to actually become user bacula). You should be 
in bacula's home directory - probably /var/lib/bacula.

mkdir -p ~/.ssh
chmod 700 ~/.ssh
Also verify that .ssh is owned by user bacula, group bacula.

Now we need to create an SSH key pair into this new directory. Make sure 
that you do not use a pass phrase. We use the file names bacula_tunnel 
and bacula_tunnel.pub for the private and public keys, respectively.

cd ~/.ssh
ssh-keygen -b 2048 -C "SSH Tunnel for bacula" -t rsa -f bacula_tunnel -N ""

Create a file "config" in the ~/.ssh directory with the following 
content (yourclientFQDN is the actual FQDN that SSH will use to connect 
to the client. yourclientname should simply be the same as 
yourclientFQDN, although in some cases you could choose a different 
value for it).

Host <yourclientFQDN>
        AddressFamily           inet
        ConnectionAttempts      10
        ForwardAgent            no
        ForwardX11              no
        ForwardX11Trusted       no
        GatewayPorts            yes
        HostBasedAuthentication no
        HostKeyAlias            <yourclientname>
        HostName                <yourclientFQDN>
        IdentityFile            ~/.ssh/bacula_tunnel.pub
        PasswordAuthentication  no
        Protocol                2
        ServerAliveCountMax     3
        ServerAliveInterval     15
        TCPKeepAlive            no
        User                    tunneluser


Just in case permissions got messed up on the way, fix them in the .ssh 
directory

chmod 400 ~/.ssh/*


Transfer the public key (the file bacula_tunnel.pub) to your client 
machine, using whatever method you like (USB, FTP, scp, file shares, 
...). IMPORTANT: DO NOT TRANSFER THE PRIVATE KEY!


3. Setting up OpenSSH on the client side.

install the SSH public key into the tunneluser account on the client 
machine:
cd /home/tunneluser
mkdir -p /home/tunneluser/.ssh
touch /home/tunneluser/.ssh/authorized_keys
# Make sure you use the double >> redirection, or you will destroy any
# previous authorized keys if they existed.
cat <wherever>/bacula_tunnel.pub >>/home/tunneluser/.ssh/authorized_keys
chmod 700 /home/tunneluser/.ssh
chmod f00 /home/tunneluser/.ssh/*
chown -R tunneluser:tunneluser /home/tunneluser/.ssh

4. Complete OpenSSH setup

Before you can use OpenSSH, you need to complete one more step: store 
the host's fingerprint. On the server side, log on as user "bacula" (or 
use "su - bacula").

Then use ssh to connect to your client. Note that you MUST use the same 
FQDN you used in the "config" file earlier.
ssh <yourclientFQDN>

ssh will now prompt you to accept the fingerprint. Once you are at the 
command prompt, you can type "exit" to leave ssh.

5. Bacula setup, client side.

On the server, find the Address= lines for the Storage resource. Make 
sure the address is a FQDN on the private network, and do not resolve 
from the client.

On the client, edit your /etc/hosts file by adding the following line:
127.0.0.1    <storageFQDN>

Note: what this does is allow the file daemon (FD) to find the storage 
daemon (SD). Normally, the SD is of course hidden behind a firewall and 
inaccessible - that is why you are setting up an SSH tunnel, after all.

This entry tricks your client system into believing that the SD is 
located at 127.0.0.1 - which actually will be the end of the tunnel that 
we are going to establish soon.

The file daemon should listen only on port 127.0.0.1

FileDaemon {                          # this is me
  Name = <yourclientFQDN>-fd
  FDAddress = 127.0.0.1
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = (use the standard values)
  Pid Directory = (use the standard values)
  Maximum Concurrent Jobs = (use the standard values)
}



6. Bacula setup, server side

Simply set up a client and job resource for the new client as usual, 
using the standard schedule and pool settings. Use <yourclientFQDN-fd> 
as the client name.

Now change the client resource as follows:

Name=<yourclientFQDN-fd
Address=localhost
FDPort=9112

In the job resource, add a Run Before Job script:

  Run Before Job = "/usr/local/sbin/sshbacula <yourclientFQDN>"

7. The SSH tunnel script

Use the following script and save it as /usr/local/sbin/sshbacula. 
Remember to change the permission as needed:

chmod +x /usr/local/sbin/sshbacula

Hint: you may want to change the line

CLIENT=$1

to

CLIENT=${1:-<yourclientFQDN>}

This will provide a default value to connect to if you don't specify it 
on the command line

Please be aware that some lines in the script may have wrapped due to 
emailing

---- Start script below. #!/bin/bash must be the first line!

#!/bin/bash
# Establishes a self-killing SSH tunnel to the
# given SSH server, and forwards the correct
# ports for bacula usage.

# Bacula-dir runs as user bacula, but with root's
# environment. We need to trick it into running
# actually looking for the .ssh directory in
# the right place.
USER=bacula
HOME=$(grep "^$USER:" /etc/passwd | cut -d : -f 6)
CLIENT=$1
LOCAL=$(hostname -f)
SSH=/usr/bin/ssh

echo "Starting SSH-tunnel to $CLIENT..."
# -f means: go into background
# -C means: use compression
# -2 means: only use SSH2
# -R 9101:$LOCAL:9101 means: when client connects to remote port 9101 
(bacula-dir), it will be
#    forwarded to this machine.
# -R 9103:$LOCAL:9103 means: when client connects to remote port 9101 
(bacula-sd), it will be
#    forwarded to this machine.
# -L 9112:localhost:9102 means: when bacula-dir connects to port 9112 
(instead of the normal 9102),
#    it will be forwarded to the client's FD. The client will think the 
connection was to port
#    9102 as usual
# sleep 60 is a simple command that will execute on the server and does 
nothing for 60 seconds,
# then it exits. This keeps ssh running for 60 seconds. Once we connect 
to the FD, that
# connection will keep ssh running even beyond the 60 seconds.
# Using this approach, we do not need to tear down the tunnel later, it 
disconnects itself
# automagically.
# It is important to redirect stdout and stderr, or else bacula will not 
realize that the
# script has terminated.
$SSH -fC2 -R 9101:$LOCAL:9101 -R 9103:$LOCAL:9103 -L 9112:localhost:9102 
$CLIENT sleep 60 > /dev/null 2>/dev/null
# give ssh a little time to establish the connection.
sleep 10



-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com

This e-mail and attachments, if any, may contain confidential and/or 
proprietary information. Please be advised that the unauthorized use or 
disclosure of the information is strictly prohibited. The information herein is 
intended only for use by the intended recipient(s) named above. If you have 
received this transmission in error, please notify the sender immediately and 
permanently delete the e-mail and any copies, printouts or attachments thereof.


------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM)
software. With Adobe AIR, Ajax developers can use existing skills and code to
build responsive, highly engaging applications that combine the power of local
resources and data with the reach of the web. Download the Adobe AIR SDK and
Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users