Re: [BackupPC-users] sshd on client?

From: Les Mikesell <lesmikesell AT gmail DOT com>
To: gayleard AT eircom DOT net, "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Sat, 27 Dec 2008 11:36:14 -0600
Timothy Murphy wrote:

>>>> 1. ssh-keygen as root on the client
>>> 2. scp .ssh/id_rsa.pub from /root on the client to the server
>>>    and append to ~backuppc/.ssh/authorized_keys .
>> You have that backwards.  The private side of the key pair belongs in
>> the .ssh directory under the home of the originator of the command.  The
>> public part is appended to the authorized_keys or authorized_keys2 file
>> in the .ssh directory under the home of the target of the command.  The
>> remote side is going to use the public key to make sure that the
>> originator can read the private key on the originating system before
>> continuing.
> 
> This seems to me rather important.
> Are you saying that my setup is wrong?

Yes, although it wouldn't work if you didn't also do it right.  You can 
have as many different keypairs as you like.

> I find your account with "originator" and "target" difficult to follow,
> like most of the BackupPC documentation and tutorials.

There are two machines involved.  The command originates where the ssh 
command is executed - in this case the backuppc server.  The account 
originating the command must have read access to the private part of the 
key pair - in this case the backuppc user.  No other account or machine 
should be able to read or have a copy of the private part of the key. 
Therefore, the key pair should have been created by running ssh-keygen 
as the backuppc user on the backuppc server.  The remote side or target 
is the one accepting the command via sshd, in this case the client of 
backuppc.  As sshd accepts the connection, it will look for the public 
part of the key under .ssh in the home directory of the user you 
specified for the connection, in this case root.  Sshd will use the 
public key it finds there to verify the identity of the connecting user 
by asking it to do something only possible if the connecting user has 
read access to the private part of the key.  Therefore the relevant 
public key (made as the backuppc user on the backuppc server) needs to 
be in root's home directory on the clients, appended to 
.ssh/authorized_keys or .ssh/authorized_keys2.   Again, this doesn't 
have much to do with backuppc.  It is the way ssh works with any remote 
command.

> As far as I am concerned, there is a BackupPC server,
> which is the machine backuppc (and httpd) is running on,
> and there are clients, which are the machines I am backing up.
> 
> I'm only interested at this moment in how ssh is used
> in conjunction with BackupPC.
> 
> Assuming that BackupPC is set up and running on the server,
> this is what I do to add a client to the BackupPC system.
> 
> 1. Start sshd running on the client:
>       $ sudo service sshd restart
>       $ sudo chkconfig sshd on
> 
> 2. Set up ssh as root on the client
>       $ su
>       $ Password:
>       # ssh-keygen
>       ...

This is unnecessary on the client.  You only need to generate one 
keypair as backuppc on the server, and use the public part on all the 
clients.

> 3. Copy root's public key from the client to the server
>       # cd
>       # cd .ssh
>       # scp id_rsa.pub helen:/tmp/
> ["helen" is my server.]
> 
> 4. On the server, copy the key to ~backuppc 
>       $ sudo su -c /bin/sh backuppc
>       $ cd
>       $ cd .ssh
>       $ cat /tmp/id_rsa.pub >> authorized_keys

No, this would let you issue ssh commands as root on the client in the 
form 'ssh -lbackuppc backuppc_server command'.

> 5. Check that all is working by running (still as backuppc on the server)
>       $ ssh -l root mary
> ["mary" is the client.]

This test is correct, and if it completes without a password prompt you 
must have also set up the keys in the right direction.

-- 
   Les Mikesell
    lesmikesell AT gmail DOT com
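An added audit helper, not part of this thread or of BackupPC itself, that checks the key placement Les describes: the private half sits only with the originating account (backuppc on the server, mode 600), the target account (root on the client) holds only the public half as a line in its authorized_keys, and no copy of the private key has drifted to the client. The hostnames "helen" and "mary" and the ~backuppc / /root paths come from the thread; the key material, directory names and the make_demo_layout helper are constructed here for illustration and are not real keys.

```shell
#!/bin/sh
# check_key_direction SERVER_BACKUPPC_HOME CLIENT_ROOT_HOME
# Returns 0 when the layout matches what ssh expects for
# "ssh -l root mary" run as backuppc on helen, 1 otherwise.
check_key_direction() {
    srv="$1"   # home of the backuppc user on the BackupPC server (originator)
    cli="$2"   # home of root on the client being backed up (target)
    rc=0
    priv="$srv/.ssh/id_rsa"
    pub="$srv/.ssh/id_rsa.pub"
    auth="$cli/.ssh/authorized_keys"

    # 1. The private half must exist where the ssh command is issued, readable
    #    only by that account (ssh refuses group/world-readable private keys).
    if [ ! -f "$priv" ]; then
        echo "missing private key $priv (run ssh-keygen as backuppc on the server)"
        rc=1
    elif [ "$(stat -c %a "$priv" 2>/dev/null || stat -f %Lp "$priv")" != "600" ]; then
        echo "private key $priv is not mode 600"
        rc=1
    fi

    # 2. A copy of that private key on the target is exactly what must not exist.
    if [ -f "$priv" ] && [ -f "$cli/.ssh/id_rsa" ] && cmp -s "$priv" "$cli/.ssh/id_rsa"; then
        echo "private key has been copied to the client; remove $cli/.ssh/id_rsa"
        rc=1
    fi

    # 3. The public half must be a full line of root's authorized_keys on the client.
    if [ ! -f "$pub" ]; then
        echo "missing public key $pub"
        rc=1
    elif [ ! -f "$auth" ] || ! grep -qxF "$(cat "$pub")" "$auth"; then
        echo "public key not found in $auth"
        rc=1
    fi
    return $rc
}

# make_demo_layout right|wrong
# Builds a constructed pair of home directories under a temp dir and prints
# them ("server_home client_home"). "right" is the layout Les describes;
# "wrong" is the one in Timothy's steps 2-4 (keygen as root on the client,
# public half appended to backuppc's own authorized_keys on the server).
make_demo_layout() {
    base=$(mktemp -d)
    dsrv="$base/helen-backuppc"
    dcli="$base/mary-root"
    mkdir -p "$dsrv/.ssh" "$dcli/.ssh"
    if [ "$1" = "right" ]; then
        # constructed placeholder key pair, not real key material
        printf 'ssh-rsa AAAAB3CONSTRUCTEDPLACEHOLDER backuppc@helen\n' > "$dsrv/.ssh/id_rsa.pub"
        printf 'CONSTRUCTED PRIVATE KEY PLACEHOLDER\n' > "$dsrv/.ssh/id_rsa"
        chmod 600 "$dsrv/.ssh/id_rsa"
        cat "$dsrv/.ssh/id_rsa.pub" >> "$dcli/.ssh/authorized_keys"
    else
        printf 'CONSTRUCTED CLIENT PRIVATE KEY PLACEHOLDER\n' > "$dcli/.ssh/id_rsa"
        chmod 600 "$dcli/.ssh/id_rsa"
        printf 'ssh-rsa AAAAB3CONSTRUCTEDCLIENTKEY root@mary\n' > "$dcli/.ssh/id_rsa.pub"
        cat "$dcli/.ssh/id_rsa.pub" >> "$dsrv/.ssh/authorized_keys"
    fi
    echo "$dsrv $dcli"
}

# Demo run: the first layout passes, the second reports what is missing.
set -- $(make_demo_layout right)
check_key_direction "$1" "$2" && echo "right layout: ok"
set -- $(make_demo_layout wrong)
check_key_direction "$1" "$2" || echo "wrong layout: rejected as expected"
```

On real machines the two homes are on different hosts, so run the private-key checks (1 and 2) on the server and the authorized_keys check (3) on each client, or point the function at mounted copies. It deliberately does not open an ssh session; the `ssh -l root mary` test in step 5 remains the end-to-end check.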


------------------------------------------------------------------------------
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/