How can I securely push a UNIX NetBackup client?

This Wiki is brought to you by Backup Central, where you can find the Mr. Backup Blog, Forums, and a mailing list for each forum!
Backup FAQs	Service Providers	Backup Software	Backup Hardware	Backup Book Wiki	Free Stuff	Miscellaneous

A supported method for pushing a NetBackup client to a UNIX sever uses rcp and rsh. This method is insecure, since each client must trust the NetBackup server (via an entry in .rhosts). To make pushing a client more secure, it would be nice to use ssh and scp in place of the "r" utilities. The modification described here does just that.

Requirements:

1. The clients must be running sshd, and sshd must permit (a) root logins, and (b) allow RSA (or DSA for ssh v2) authentication.

2. The NetBackup server which is to push the software

3. There must exist an ssh passkey, with the private key on the server, and the public key in root's authorized_hosts (authorized_hosts2 for ssh2) file on the clients.

The Modification:

Edit the install_client script appropriate to your client's arch/OS. For example, for Solaris 7, this would be: /usr/openv/netbackup/client/Solaris/Solaris7/install_client Rewrite the section defining rcp and rsh to point to your local versions of scp and ssh, as follows:

---begin original---

 # Find the rsh and rcp commands
 if [ -x /usr/net/rsh ] ; then
         RSH=/usr/net/rsh
 elif [ -x /usr/bin/remsh ] ; then
         RSH=/usr/bin/remsh
 ... and so on ...
 else
         /bin/echo Cannot find rsh command
         exit 1
 fi
 
 if [ -x /usr/ucb/rcp ] ; then
         RCP=/usr/ucb/rcp
 elif [ -x /usr/bsd/rcp ] ; then
         RCP=/usr/bsd/rcp
 else
         /bin/echo Cannot find rcp command
         exit 1
 fi
 
 ---end original---

If ssh and scp are installed in /usr/local/bin, modify the above sections to read as follows:

 ---begin modified section---
 
 # Modified to use ssh and scp instead of rsh and rcp;
 # unmodified file is install_client.orig -jon  
 #
 # Find the ssh and scp commands
 if [ -x /usr/local/bin/ssh ] ; then
         RSH=/usr/local/bin/ssh
 else
         /bin/echo Cannot find ssh command
         exit 1
 fi 
 
if [ -x /usr/local/bin/scp ] ; then
        RCP=/usr/local/bin/scp
 else
         /bin/echo Cannot find scp command
         exit 1
 fi
 # End modified section
 
 ---end modified section---

Example:

Once you've made that change to any client you want to push, you can install clients via scp/ssh easily enough:

(add clients to NetBackup, but don't let it push the clients) (put public key on all clients, private key on NB server)

1. ssh-agent bash

 bash # ssh-add backup-key      # if "backup-key" is the name of your    key...
 Need passphrase for backup-key
 Enter passphrase for jon@tweety.main.gnac.com
 Identity added: backup-key (jon@tweety.main.gnac.com)
 bash # /usr/openv/netbackup/bin/install_client_files rsh ALL  # really ssh!
      192.168.2.1 ...
 Client 192.168.2.1 -- Solaris hardware running Solaris2.6
 Installing NetBackup software on 192.168.2.1
 ...

One final note: it is possible to push a client using ssh with passwords, but you'll have to type in the password a few dozen times for each client. If you only need to push one client, it's marginally bearable.

Jonathan Tourtellot Global Networking and Computing (GNAC)