PermitRootLogin=no ?
Post PermitRootLogin=no ? 
Hello,

as the subject says, I'm trying to setup a client for BackupPC.
I already have some linux clients that are working fine, the
passwordless login with ssh (rsa keys etc.) works fine.

The machine I try to setup is a linux machine that is also a mail
server, with direct connection to the internet. So we have root logins
disabled, as a further hurdle to take for an intruder.

But, this breaks the key-authorization thing, so ssh will ask for a
password, and obviously fail.

Is there any way to do pubkey authorization for backuppc, but still have
no root logins for other people?

Maybe 2 sshd's running on that server, one listening on the outside
port, with PermitRootLogin=no , and one on the inside with
PermitRootLogin=yes. But that feels ugly...

Or I try an rsyncd instead, and close that port to the outside world
with iptables.

Thnx for your help,

Oliver
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/

Post PermitRootLogin=no ? 
On 06/29 05:02 , Oliver Freyd wrote:
Is there any way to do pubkey authorization for backuppc, but still have
no root logins for other people?

create a separate user (perhaps 'pcbackup') which will be the login account,
and actually run the rsync command.
then add a line like this to your /etc/sudoers:

# allow backup user to run rsync as root
pcbackup ALL= NOPASSWD: /usr/bin/rsync

add the appropriate entries to ~pcbackup/.ssh/authorized_keys:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc' --exclude='/sys' --exclude='/tmp' --exclude='/mnt' --delete --numeric-ids --block-size=2048 . /"

sort out the small oversights in my description here, and you should be good
to go. :)

--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com


Post PermitRootLogin=no ? 
Oliver Freyd wrote:

Is there any way to do pubkey authorization for backuppc, but still have
no root logins for other people?

Maybe 2 sshd's running on that server, one listening on the outside
port, with PermitRootLogin=no , and one on the inside with
PermitRootLogin=yes. But that feels ugly...

What I do is set

PermitRootLogin without-password

This way you can't log in with the root password, you can only log in with
permitted authentication keys. You can also then restrict the use of a
key to only one host in ~root/.ssh/authorized_keys2 by prepending the key
with

from="backuppc.host.name"

-Dave
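Both replies come down to the same two controls: the key entry itself must be pinned down (a forced command as in Carl's authorized_keys line, a from= host restriction as in Dave's), and sshd must not accept a root password. The following is an added example, not code from the thread or from BackupPC: a small POSIX sh audit over a constructed authorized_keys sample (placeholder key material, not real keys) plus a check of the PermitRootLogin directive. It assumes a plain sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a constructed authorized_keys
# sample for the restrictions recommended above (forced command, from= host
# restriction) and checks the PermitRootLogin setting. Key material is a
# placeholder, not a real key.

# Constructed sample: one hardened entry, one bare key.
SAMPLE_KEYS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="backuppc.host.name",command="sudo /usr/bin/rsync --server --sender -logDtpr . /" ssh-rsa AAAAPLACEHOLDERKEY1 backuppc@server
ssh-rsa AAAAPLACEHOLDERKEY2 oliver@laptop'

# Reads authorized_keys lines on stdin. Prints the comment of every entry
# lacking command= or from=; returns 1 if any were found, else 0.
audit_authorized_keys() {
    _rc=0
    while IFS= read -r _line; do
        case "$_line" in ''|'#'*) continue ;; esac
        _problems=''
        case "$_line" in *'command="'*) ;; *) _problems="$_problems no-forced-command" ;; esac
        case "$_line" in *'from="'*) ;; *) _problems="$_problems no-from-restriction" ;; esac
        if [ -n "$_problems" ]; then
            printf 'UNRESTRICTED %s:%s\n' "${_line##* }" "$_problems"
            _rc=1
        fi
    done
    return $_rc
}

# Takes sshd_config text as $1. sshd uses the first occurrence of a
# directive, so the first PermitRootLogin line wins. Returns 0 for "no" or
# a key-only value ("without-password", spelled "prohibit-password" in newer
# OpenSSH, or "forced-commands-only"); 1 for "yes" or when unset. Match
# blocks are not handled (assumption: a flat config).
check_permit_root_login() {
    _val=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' | head -n 1)
    case "$_val" in
        no|without-password|prohibit-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo over the constructed sample.
if printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys; then
    echo "all authorized_keys entries are restricted"
else
    echo "unrestricted entries found, see above"
fi
if check_permit_root_login 'PermitRootLogin without-password'; then
    echo "PermitRootLogin is key-only or off"
fi
```

Run it against the real files with `audit_authorized_keys < ~root/.ssh/authorized_keys` and `check_permit_root_login "$(cat /etc/sshd_config)"`; a key that carries neither command= nor from= is a root login that any holder of that private key can use interactively, which is exactly what the original question wants to avoid.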
