2008-12-04 07:42:24
Subject: Re: [BackupPC-users] I broke perfection ...
From: Rob Owens <rob.owens AT biochemfluidics DOT com>
To: "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Thu, 04 Dec 2008 07:38:27 -0500
Kenneth L. Owen wrote:
> Hello Rob,
> 
> Thanks for taking the time to look at this and reply.  I am learning, but
> still have a ways to go before I can serve at your capacity!
> 
> I read over your reply and have a few added pieces and some questions:  (All
> of this was the same when I successfully created the keys before the crash.)
> 
> 1.    Before I started setting up pass-phraseless keys for BackupPC, I had
> already created ssh keys that would allow me to log in remotely between the
> two Linux workstations as normal user 'ken'.  Root logon is not allowed.
> Once I logon, I can su to 'root', if needed.  The keys that allow this exist
> on both machines in /home/ken/.ssh/known_hosts.  This is working fine just
> like it was the first time I created the backuppc keys.
> 2.    This is a rebuild of a previously working system.  This is the exact
> same sequence (as best as I can determine) of the first time I set up these
> keys.  I took my directions, both times, step by step from
> http://www.howtoforge.com/linux_backuppc_p4
> 3.    I also have httpd setup for secure connections between the two Linux
> workstations (https:).  I can log into BackupPC GUI as 'ken' on "Archiver",
> but cannot log in to BackupPC from "WinServer" as 'ken', nor could I do so
> before when everything else was working.  It may be that I am not doing it
> correctly.  In both cases, I enter "https://Archiver/BackupPC/ <enter>" into
> my browser's url space.
Sounds like your webserver is denying access to any machine but
localhost.  I can't tell you exactly how to fix this, but look through
your config files for "localhost" or "127.0.0.1".  Check
/etc/backuppc/apache.conf.

> 4.    Your first comment "root@WinServer does not need a keypair
> unless..." may be correct, but it was set up this way the first time and it
> caused no problem.
It wouldn't cause a problem.  I just wanted to let you know so you don't
go searching for your solution in that step.

> 5.    Your second comment "FYI, you do not need to conceal finger prints"
> is well taken.  I was not trying to conceal so much as cut down on unneeded
> data and typing.
Understood.

> 6.    Your third comment was "This whole section is not needed for
> BackupPC.  What you've done here is allowed root@WinServer to log in as
> [email protected], and I don't think that's what you meant to do."
>   I take it that I don't need to send (scp) the key id_rsa.pub to Archiver
> for BackupPC to be able to access WinServer.  But I don't understand that
> root would be logging in as 'backuppc' user!!
If root@WinServer creates a keypair, and puts the public key in
/var/lib/BackupPC/.ssh/authorized_keys on 192.168.1.106 (I think that's
what you did), then you're allowing root@WinServer to log in using
public key authentication to 192.168.1.106 as user backuppc.  This is
because you put the key in user backuppc's authorized_keys file.  (The
backuppc user's home directory is /var/lib/BackupPC.)

> 7.    The fourth comment is where I have the most trouble following you.
> "Yes, because it is the fingerprint of the server (it is not user-specific).
> FYI, the RSA key it is referencing is in /etc/ssh/ (it's probably called
> ssh_host_rsa_key.pub).  
> 
> The first time you were asked this question, you were scp'ing as root.  Now
> you are ssh'ing as a different user.  That is why you're being asked the
> question again.  Each user gets the opportunity to accept or reject the
> validity of a server's public key (by verifying that the fingerprint is
> correct).  This information is recorded in the user's ~/.ssh/known_hosts
> file."
> 
> I checked /etc/ssh/ and do have both ssh_host_rsa_key.pub and
> ssh_host_dsa_key.pub.
> 
> In step 1, the fingerprint was 'fe:a0:.:7b:9e' and but that is the key
> generation on WinServer that you said was not needed.  My mistake in
> referencing this.  The only keys I am aware of on Archiver for this process
> of creating keys exist at /var/lib/BackupPC/.ssh and should be the keys used
> by backuppc user.
> 
> When I did the scp of the Archiver key to WinServer, I was working as
> 'backuppc', not 'root'.  When I was testing at the end, I was 'backuppc'
> requesting logon to WinServer with 'root' authority, as I understand it.  The
> last time I set up the keys, I did not get the 'password' prompt, but just
> got a reply of 'root' from WinServer.  (Actual transcript below.)
> 
> [ken@Archiver ~]$ su -
> Password: 
> [root@Archiver ~]# su -s /bin/bash - backuppc 
> -bash-3.2$ ssh -l root WinServer whoami
> root 
> -bash-3.2$
> 
OK, I got a little lost in your original email I guess.

This might help a little:

There are 2 sets of keys in use here.  One set is the server's keys.
The system creates these keys when the ssh server is installed.  These
identify the server and this is what is referenced when you get the
message "authenticity of host cannot be established...".  That message
provides you with the fingerprint of the public key for the server, and
it is up to you to verify it.  Note that each user who connects to that
server for the first time will get that message.

The other set of keys is the user's key pair.  These are created with
the ssh-keygen command, and they are used for authentication purposes
(in place of password authentication).  If a user places his public key
in the ~/.ssh/authorized_keys file on another machine, that gives him
the ability to log into that other machine as that particular user
(whichever user's home directory he put the keys in).  So I could put my
public key in /home/rob/.ssh/authorized_keys and in
/var/lib/backuppc/.ssh/authorized_keys and in /root/.ssh/authorized_keys
and that would allow me to log in as "rob", "backuppc", and "root" on
that server.

> Does it matter if the BackupPC service is running?  I think it was stopped
> when I created the keys this time.
> 
No, that doesn't matter.

So what's the problem you're having again?  The only error message I see
is "ABORTED DUE TO FAILURE", but that's because you hit ctrl-c when
asked if you were sure you wanted to connect.

-Rob

> -----Original Message-----
> From: Rob Owens [mailto:rob.owens AT biochemfluidics DOT com] 
> Sent: Wednesday, December 03, 2008 10:30 AM
> To: General list for user discussion,questions and support
> Subject: Re: [BackupPC-users] I broke perfection ...
> 
> 
> 
> Kenneth L. Owen wrote:
>> Back in October, I was a Linux newbie struggling to get BackupPC to work
>> and was successful in a very short time with the great support I got
>> here (Ref:  Almost Working).  Since then, I've monitored the system
> 
>>>>> Deleted text <<<<
> 
> Yes, because it is the fingerprint of the server (it is not
> user-specific).  FYI, the RSA key it is referencing is in /etc/ssh/
> (it's probably called ssh_host_rsa_key.pub).
> 
> The first time you were asked this question, you were scp'ing as root.
> Now you are ssh'ing as a different user.  That is why you're being asked
> the question again.  Each user gets the opportunity to accept or reject
> the validity of a server's public key (by verifying that the fingerprint
> is correct).  This information is recorded in the user's
> ~/.ssh/known_hosts file.
> 
> -Rob
> 
>> Are you sure you want to continue connecting (yes/no)? ^C  <<<===
>> ABORTED DUE TO FAILURE
>>
>> -bash-3.2$
>>
> 
> 
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users AT lists.sourceforge DOT net
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki:    http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
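An added example, not code from either poster or from the BackupPC project, that walks through the distinction Rob draws above: a server's host key (from /etc/ssh/ssh_host_*_key.pub) is what each user records in their own ~/.ssh/known_hosts after checking the fingerprint, while a user's public key placed in some account's ~/.ssh/authorized_keys grants login as exactly that account. Every hostname, account, key and file below is constructed for the example (the key bodies are not real keys, only blobs of the right shape); the fingerprint routine performs the same computation as `ssh-keygen -lf` (SHA-256 over the decoded key blob, printed as unpadded base64), so it can be used to compare a fingerprint shown in the "authenticity of host" prompt against a key file you trust.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(seed: int, comment: str = "") -> str:
    """Build a constructed 'ssh-ed25519 <base64 blob> [comment]' line.

    The 32-byte body is derived from `seed` and is NOT a real key; it only has
    the right shape so fingerprinting and file parsing can be exercised offline.
    """
    body = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(body)
    b64 = base64.b64encode(blob).decode()
    return " ".join(part for part in ("ssh-ed25519", b64, comment) if part)


def fingerprint(line: str) -> str:
    """SHA256 fingerprint of the key on an authorized_keys / known_hosts / .pub line.

    Same computation as `ssh-keygen -lf`: SHA-256 over the base64-decoded key blob,
    shown as unpadded base64 behind a 'SHA256:' prefix. Leading fields (hostnames
    in known_hosts, simple options in authorized_keys) are skipped by looking for
    the key-type token.
    """
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-sha2-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no public key found in line: {line!r}")


def accounts_granted(authorized_keys_by_user: dict, pubkey_line: str) -> list:
    """Which accounts on a server can the holder of `pubkey_line` log in as?

    `authorized_keys_by_user` maps an account name to the contents of that
    account's ~/.ssh/authorized_keys. A key grants login as exactly the accounts
    whose authorized_keys contain it (compared by fingerprint).
    """
    wanted = fingerprint(pubkey_line)
    granted = []
    for user, contents in authorized_keys_by_user.items():
        for entry in contents.splitlines():
            entry = entry.strip()
            if not entry or entry.startswith("#"):
                continue
            if fingerprint(entry) == wanted:
                granted.append(user)
                break
    return sorted(granted)


def host_key_matches(known_hosts: str, host: str, host_pubkey_line: str) -> bool:
    """Does the known_hosts entry recorded for `host` match the server's actual host key?

    This is the check behind the 'authenticity of host ... can't be established'
    prompt: the fingerprint shown must equal that of the server's own
    /etc/ssh/ssh_host_*_key.pub. Hashed (|1|...) and @marker entries are skipped.
    """
    wanted = fingerprint(host_pubkey_line)
    for entry in known_hosts.splitlines():
        parts = entry.split()
        if len(parts) < 3 or parts[0].startswith(("@", "|1|")):
            continue
        if host in parts[0].split(",") and fingerprint(entry) == wanted:
            return True
    return False


# ---- Constructed sample data (labels only; no real hosts, accounts or keys) ----
BACKUPPC_KEY = make_pubkey_line(1, "backuppc@Archiver")  # a user key pair made with ssh-keygen
ROB_KEY = make_pubkey_line(2, "rob@laptop")
WINSERVER_HOST_KEY = make_pubkey_line(100)               # stands in for WinServer's ssh_host_*_key.pub
OTHER_HOST_KEY = make_pubkey_line(101)                   # some other server's host key

# authorized_keys files on WinServer, keyed by the account whose ~/.ssh holds them
WINSERVER_AUTHORIZED_KEYS = {
    "root": BACKUPPC_KEY + "\n",                 # lets backuppc@Archiver log in as root@WinServer
    "rob": "# rob's own key\n" + ROB_KEY + "\n",
    "backuppc": "",                              # nobody can log in as backuppc on this box
}

# known_hosts of the backuppc user on Archiver, as it looks after answering 'yes' once
ARCHIVER_BACKUPPC_KNOWN_HOSTS = "winserver,192.0.2.10 " + WINSERVER_HOST_KEY + "\n"

if __name__ == "__main__":
    print("backuppc key grants login as:", accounts_granted(WINSERVER_AUTHORIZED_KEYS, BACKUPPC_KEY))
    print("rob key grants login as:", accounts_granted(WINSERVER_AUTHORIZED_KEYS, ROB_KEY))
    print("recorded host key matches WinServer:",
          host_key_matches(ARCHIVER_BACKUPPC_KNOWN_HOSTS, "winserver", WINSERVER_HOST_KEY))
    print("recorded host key matches some other server:",
          host_key_matches(ARCHIVER_BACKUPPC_KNOWN_HOSTS, "winserver", OTHER_HOST_KEY))
```

Running it prints that the backuppc key grants login only as root on WinServer (because that is the only authorized_keys it was appended to), that Rob's key grants login only as rob, and that the known_hosts entry matches WinServer's host key but not another server's. The two checks are independent, which is the source of the confusion in the thread: accepting a host fingerprint says nothing about which accounts a key can reach, and copying a public key into an account's authorized_keys says nothing about whether the connecting user has already trusted the server's host key.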

