BackupPC-users

Re: [BackupPC-users] Problem with key generation in Ubuntu 8.04 (LTS)

2010-03-13 10:49:49
From: Luis Paulo <luis.barbas AT gmail DOT com>
To: tx836519 AT bellsouth DOT net, "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Sat, 13 Mar 2010 15:47:38 +0000
Sure, Ken. Learn and share.

A few points to make your reading easier:

* The backuppc server needs to log in to the client as root without the need for human intervention (to enter a password, for example).

* That's why you now connect with ssh as root with empty password keys.

* Empty password keys are not very secure, especially for the root user.

* The link I sent uses a different approach. You ssh as the backuppc user and then you sudo to do the backup - $Conf{RsyncClientCmd}. Your rsa keys for the backuppc user on both machines don't have a password, but the root keys may now have passwords.

* If you could sudo as backuppc to run any command, we would not have gained much.

* That's where visudo comes in, to restrict the commands a user can run as root (sudo).

* Run visudo to see your actual permissions, and man sudoers for some help.

Notice in visudo the line
root    ALL=(ALL) ALL
It means root can do all, from anywhere, impersonating anyone.

Enjoy

PS: Please reply using the backuppc list when you want to ask something about backuppc.
We'll get the help of other members.

On Sat, Mar 13, 2010 at 4:39 AM, Kenneth L. Owen <tx836519 AT bellsouth DOT net> wrote:
Hi Luis,

As you have figured out by now, I am not a power user of Linux.  I'm
barely able to understand what the HowTo file says to do.  I am very
interested in security and trying to improve is why the 'AllowUsers'
line was added to sshd_config.  I will study the documents at the link
and, if I can figure out how to do it, I'm very interested in avoiding a
compromise of my system.  If I have questions, will you be willing to
guide me a bit more?

Again, thanks for your patience with a neophyte!  -- ken

On Sat, 2010-03-13 at 03:17 +0000, Luis Paulo wrote:
> Great.
> Try
> http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided
> when you have the time. This way you avoid empty password keys for
> root user. On the other hand, that may not be too important to you, I
> guess.
>
> I have on server: visudo
> Host_Alias      LOCAL = <your server name or IP>
> #backuppc        LOCAL=NOPASSWD:/bin/tar -c *, /bin/tar -x *
> backuppc        LOCAL=NOPASSWD:/bin/tar -c *
>
> and $Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -c -v -f - -C $shareName --totals';
> $Conf{TarClientRestoreCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -x -v -f - -C $shareName --totals';
>
> On linux clients, I have: visudo
> #backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
> backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
>
> and $Conf{RsyncClientCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo /usr/bin/rsync $argList+';
> $Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';
>
> note: you must switch the # on visudo to use restore
>
> Regards
> Luis
>
> On Sat, Mar 13, 2010 at 2:12 AM, Kenneth L. Owen
> <tx836519 AT bellsouth DOT net> wrote:
> > Hi Luis,
> >
> > Just as I thought, it now works!!!  Thanks to you for sticking with me
> > to find my mistake.  Only on a computer can you find twenty ways to make
> > the same mistake!  -- ken
> >
> >>>> PROBLEM SOLVED <<<
> >
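
A way to check which of the sudo rules discussed in this thread are actually active for the backuppc account, as an added example that is not part of the original messages or of BackupPC. The function names, the READ/WRITE/BROAD labels and the sample fragment (including the host name and the final ALL rule) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify the active sudo grants for one
# account (default: backuppc) in a sudoers fragment read from stdin.
#   READ  = backup-only form (tar -c, rsync --server --sender)
#   WRITE = can write files as root (tar -x, rsync --server without --sender)
#   BROAD = anything else, including ALL
# Assumption: one rule per line, no line continuations and no Cmnd_Alias.
# A trailing "*" in sudoers accepts any further arguments, so READ means
# "matches the backup-only rule", not "cannot do anything else".
audit_sudoers() {
    awk -v user="${1:-backuppc}" '
        /^[ \t]*#/ { next }      # commented-out rules are inactive
        $1 != user { next }      # only rules for the audited account
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop optional (runas)
            sub(/^([A-Z]+:[ \t]*)+/, "", spec)    # drop tags such as NOPASSWD:
            n = split(spec, cmd, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                c = cmd[i]
                if (c ~ /^[^ ]*\/rsync --server --sender / || c ~ /^[^ ]*\/tar -c /)
                    v = "READ"
                else if (c ~ /^[^ ]*\/rsync --server / || c ~ /^[^ ]*\/tar -x /)
                    v = "WRITE"
                else
                    v = "BROAD"
                print v ": " c
            }
        }'
}

# Constructed sample: the rules quoted in the thread plus one unrestricted rule.
sample_sudoers() {
    cat <<'EOF'
Host_Alias      LOCAL = backup.example.test
#backuppc        LOCAL=NOPASSWD:/bin/tar -c *, /bin/tar -x *
backuppc        LOCAL=NOPASSWD:/bin/tar -c *
#backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
backuppc ALL=(ALL) ALL
EOF
}

sample_sudoers | audit_sudoers backuppc
```

On a real host, feed it the output of `sudo cat /etc/sudoers` (and any files under /etc/sudoers.d); only the READ lines correspond to the backup-only setup the thread is aiming for.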

