Hi
I really struggled to get this working. I thought it might be a good
idea to update the section.
I've edited the ssh section to tailor it specifically to cater for
an unprivileged user 'backuppc'
I've included it below, it may be useful to some and hopefully it
could be incorporated in the documentation to make it easier for
users to set this up in future.
The text follows below:
Rsync via OpenSSH using non-privileged user 'backuppc'
Depending upon your OpenSSH installation, many of these steps can
be replaced by running the scripts ssh-user-config
and ssh-host-config
included with
OpenSSH. You still need to manually exchange the public keys.
- BackupPC Server key
generation (Do this only
once)
- As the BackupPC user
(__BACKUPPCUSER__), create a public ssh key on the server.
ssh-keygen -t rsa
- As a password, you would type
nothing (just enter) if you wish BackupPC to start
automatically.
- This will save the public key in
~/.ssh/id_rsa.pub
and the private
key in ~/.ssh/id_rsa
, (the home
folder of backuppc) if you don't specify another location.
Make a copy of the public key to avoid confusing it with the
client
keys on the client machines (see later) to make it recognizable,
eg:
cp ~/.ssh/id_rsa.pub ~/.ssh/BackupPC_id_rsa.pub
- See the
ssh
and sshd
manual pages for extra configuration information.
Client Non-privileged user Backuppc creation (Do this on each
client PC)
As root on the client machine, create a user called 'backuppc'
useradd backuppc
As root, now make a home directory for backuppc
mkdir /home/backuppc
As root, make a directory for backuppc's ssh configuration
mkdir /home/backuppc/.ssh
As root use visudo to create a sudoers file for backuppc, but
with
permissions only to run rsync.
visudo -f /etc/sudoers.d/backuppc
Copy the following text in the file and save it
#Sudoers file for backuppc user to run rsync
backuppc ALL=NOPASSWD: /usr/bin/rsync
- Client
Key generation (Do this on each Client PC)
- As root on the client machine,
use
ssh-keygen
to generate a
public/private key pair:
ssh-keygen -t rsa
- This will save the public key in
~/.ssh/id_rsa.pub
and the private
key in ~/.ssh/id_rsa
, if you don't
specify another location. As a password, you would type nothing
(just enter) if you wish BackupPC to start automatically.
Make a copy of the public key to avoid confusing it with other
client
keys on the backuppc server to make it recognizable, eg:
cp ~/.ssh/id_rsa.pub ~/.ssh/Fred-pc_id_rsa.pub (if the machine name is Fred-pc)
- Name each public key on each
client uniquely, so that they are not confused with other
client's keys when copied onto the server.
-
- Key
exchange
- On Each Client:
- To allow BackupPC to ssh to the
client as the non-privileged user backuppc, you need to place
the server BackupPC's public key into the backuppc user's
authorized list on the client. As root, append BackupPC's public
key (
BackupPC_id_rsa.pub
) to
backuppc's /home/backuppc
/.ssh/authorized_keys2
file on the
client:
touch /home/backuppc/.ssh/authorized_keys2
cat BackupPC_id_rsa.pub >> /home/backuppc/authorized_keys2
- You should edit
/home/backuppc/.ssh/authorized_keys2
and add further specifiers, eg: from, to limit which hosts can
login using this key. For example, if your BackupPC host is
called backuppc.my.com
, there
should be one line in ~/.ssh/authorized_keys2
that looks like:
from="backuppc.my.com" ssh-rsa [base64 key, eg: ABwBCEAIIALyoqa8....]
- On BackupPC Server
- You need to place each client's
public key into backuppc's
~/.ssh/known_hosts
file, otherwise you will get a
Host key verification failed.
- error, and backuppc will not be
able to log into the client. To place the client key into the
~/.ssh/known_hosts
file, you need to do
this (make sure ~/.ssh/client_id_rsa.pub
is the client's public key, which needs to be copied from the
client):
- As user backuppc
touch ~/.ssh/known_hosts
cat ~/.ssh/Fred-pc_rsa.pub >> ~/.ssh/known_hosts
- Repeat this step to add each
client's key i.e. Mary-pc_rsa.pub and whatever the other keys
are named.
- Fix
permissions
- You will probably need to make
sure that all the files in
~/.ssh
have no group or other read/write permission:
chmod -R go-rwx ~/.ssh
- You should do the same thing for
the BackupPC user on the server.
- Testing
- As the BackupPC user on the
server, verify that this command:
ssh -l backuppc clientHostName whoami
- prints
backuppc
- You might be prompted the first
time to accept the client's host key and you might be prompted
for backuppc's password on the client. Make sure that this
command runs cleanly with no prompts after the first time. You
might need to check
/etc/hosts.equiv
on the client. Look at the man pages for more information. The -v
option to ssh is a good way to get
detailed information about what fails.
The above configuration means that the only command that backuppc
can
run is rsync.
You will have to set the RsyncClientCmd to be something like:
$Conf{RsyncClientCmd} = '$sshPath -l backuppc $host nice -n 19 sudo $rsyncPath $argList+';
In this case the backup is niced so that it doesn't give such a
performance hit on the client. The same setup works for tar.
Cheers
Angus