Re: [BackupPC-users] Problem with converting to visudo method keys
2010-03-14 20:44:34
Hi, Ken
1- You must replace <backuppc-server name> with your server's IP or name in Host_Alias LOCAL = <backuppc-server name>, something like Host_Alias LOCAL = 192.168.1.101
> root <<--- Is this correct for the visudo method?
This is correct for the ssh command (ssh -l root 192.168.1.101). visudo (the sudoers file) only cares about what users can do when running (or trying to run) commands via su or sudo. It has nothing to do with connecting to the machine.
2- Required: you must be able to ssh between the backuppc users on both machines.
From the server you should be able to run:
$ su - backuppc
$ ssh [email protected]
With the second command you should be able to connect to the client without any request for a password or passphrase.
3- Last, you'll have to change your ClientCmd's to something like:
on 192.168.1.101 (tar method):
$Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -c -v -f - -C $shareName --totals';
$Conf{TarClientRestoreCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -x -v -f - -C $shareName --totals';
on 192.168.1.106 (rsync method):
$Conf{RsyncClientCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';
$Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';
Again, visudo comes in here only to allow the backuppc user on the client to run only the command /usr/bin/rsync --server --sender *, without a password, as root (that is, only that and nothing else as root, without needing the root password),
and to allow the backuppc user on the server the same, but for /bin/tar -c * only.
Try, for instance, sudo ls. --> Sorry, user backuppc is not allowed to execute '/bin/ls' as root on ...
To allow the restore command you have to extend the visudo permissions, which may be a security risk, as stated in http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided
Regards Luis
On Sun, Mar 14, 2010 at 10:41 PM, Kenneth L. Owen <tx836519 AT bellsouth DOT net> wrote:
Hi Luis (and others),
I've taken a little time to study the visudo approach to running
BackupPC instead of using phrase-less keys for root logon at the client
machine. This is a much lower risk, indeed.
On Ubuntu, Vim is the default editor for visudo with Vim-tiny included
in the distribution. When I tried to use Vim-tiny, I got some strange
results! I closed the session without save and upgraded to Vim-full.
The full version editor worked like it should.
I edited the sudoers file on the backuppc_server as follows:
# --------------backuppc-server machine sudoers -------------
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL
# Host alias specification
Host_Alias LOCAL = <backuppc-server name>
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment the first line and comment the second
# to RESTORE client. Switch them back after restore.
# backuppc LOCAL=NOPASSWD: /bin/tar -c *, /bin/tar -x *
backuppc LOCAL=NOPASSWD: /bin/tar -c *
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# ----------------- end backuppc-server sudoers --------------
I ran a backup (tar method) on the server's home directory just to check
that the server and backuppc were communicating. It ran fine.
Next, I edited the sudoers file on the client machine as follows:
# -------------- client machine sudoers ------------------------
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment the first line and comment the second
# to RESTORE client. Switch them back after restore.
# backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# ----------- end client sudoers ------------------------------
Then, I created my ssh keys for the rsync transfer between the
backuppc-server and the client machines. If I understand things
correctly, I create two sets of keys similar to the root logon method
except that, for this method, the BackupPC key is phrase-less like
before, but the root key from the client machine can have a strong
password. The key generation seemed to go well with no errors.
When I ran the command
ssh -l root 192.168.1.101 whoami
the response was:
root <<--- Is this correct for the visudo method?
When I tried to run a full backup on the client I got the "failed to
read 4 bytes" error message indicating that the keys are bad or missing
or that I didn't do something else right.
Anyone see where I botched the switch over? -- ken
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
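The three things Luis's reply asks for (a sudoers rule that admits only the backup command, a passphrase-less backuppc-to-backuppc ssh login, and a quick check that nothing else is allowed as root) can be scripted so they are easy to repeat on every client. The script below is an added example by the editor, not code from this thread or from the BackupPC project. It assumes the hosts and account used in the thread (192.168.1.101 for the tar client, 192.168.1.106 for the rsync client, an unprivileged account named backuppc), a /etc/sudoers.d drop-in directory, and that visudo exists on the client; the function names rule, matches_rule, write_fragment, check_fragment and check_client are the example's own. It also goes one step past the thread: matches_rule uses the shell's case pattern matching to approximate how sudoers compares a rule against the full, space-joined command line, which makes visible that "/usr/bin/rsync --server *" admits both the backup form (with --sender) and the restore form, whereas "/usr/bin/rsync --server --sender *" admits backups only, and that a trailing "*" accepts any further arguments because, as the security notes in sudoers(5) warn, a "*" also matches spaces.

```shell
#!/bin/sh
# Added example (editor's own, not from the BackupPC project or this thread).
# Assumed: hosts 192.168.1.101 / 192.168.1.106, account "backuppc", a
# /etc/sudoers.d drop-in directory, and visudo installed on the client.

# rule USER HOST COMMAND... : print one NOPASSWD sudoers line in the form the
# thread uses, e.g.  backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
rule() {
    user=$1; host=$2; shift 2
    printf '%s %s=NOPASSWD: %s\n' "$user" "$host" "$*"
}

# matches_rule PATTERN COMMANDLINE : approximate sudoers command matching.
# sudoers compares the whole space-joined command line against the rule with
# fnmatch(3)-style wildcards, and "*" matches spaces too, so "/bin/tar -c *"
# accepts any further arguments (sudoers(5), "Security notes"). An unquoted
# pattern in a shell case statement matches the same way.
matches_rule() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# write_fragment FILE HOST : write the client-side rules for the rsync and tar
# methods to FILE (normally /etc/sudoers.d/backuppc) with the mode sudo
# insists on. The restore rule is written commented out, as in the thread.
write_fragment() {
    file=$1; host=$2
    {
        echo '# BackupPC: the backuppc account may run only these commands as root'
        rule backuppc "$host" /usr/bin/rsync --server --sender '*'
        echo '# uncomment only while restoring: --server without --sender'
        echo "# $(rule backuppc "$host" /usr/bin/rsync --server '*')"
        rule backuppc "$host" /bin/tar -c '*'
    } > "$file"
    chmod 0440 "$file"
}

# check_fragment FILE : syntax-check the fragment with visudo before sudo
# reads it; a broken file in /etc/sudoers.d can lock everyone out of sudo.
check_fragment() {
    visudo -cf "$1"
}

# check_client USER HOST : the two checks the original poster needed.
# BatchMode=yes makes ssh fail instead of prompting, mirroring BackupPC, which
# has no terminal to answer a passphrase prompt; "sudo -n -l" lists what the
# account may run as root and never asks for a password.
check_client() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 -x -l "$1" "$2" 'sudo -n -l'
}

# Stand-alone demo: which command lines do the two rsync rules accept?
if [ "${1:-}" = "demo" ]; then
    backup='/usr/bin/rsync --server --sender -slHogDtprx --numeric-ids . /'
    restore='/usr/bin/rsync --server -slHogDtprx --numeric-ids . /'
    for p in '/usr/bin/rsync --server --sender *' '/usr/bin/rsync --server *'; do
        for c in "$backup" "$restore" '/bin/ls'; do
            if matches_rule "$p" "$c"; then r=ALLOW; else r=DENY; fi
            printf '%-38s %-5s %s\n' "$p" "$r" "$c"
        done
    done
fi
```

Run it as "sh backuppc-sudo.sh demo" to see the matching table, then on a client: write_fragment /etc/sudoers.d/backuppc ALL, check_fragment /etc/sudoers.d/backuppc, and from the server as the backuppc user check_client backuppc 192.168.1.106. If the last command prompts for anything, BackupPC will see the same "failed to read 4 bytes" failure the original poster reported, because it cannot answer a prompt.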