Backup Central

Hi Guys and Gals,

I've been running BackupPC for a couple of years now. I started when I
first moved my computing to Linux. It was really tough getting it up
the first time because I was dumber than a newbie! But once up and
running, it works great.

Anyway, I am faced with having to rebuild the system. All has gone
pretty well up to the point of creating my ssh keys. I'm using the same
instructions that I used for both the original build on Fedora and the
long running system on Ubuntu 8.04 (LTS). The problem is that when I
try to scp the keys between machines, the root password is not accepted.

On both the server and the client, I created a root password. On both,
su and entering the password elevates my session to root. On the
server, I switch to 'backuppc' user and create the key pair. When I try
to scp the public key to the client, the root password is not accepted.

I spent the entire day running between the machines trying to get this
to work. I also have the transcript of the last time I set it up and
cannot find anywhere that I am doing different.

Does anyone have an idea what I am missing? -- ken


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

try to gen new keys in ubuntu server, probaly your keys still in package openssh-blacklist (sorry i dont remember the name of packet)
try to search for ssh keys blacklist probaly this is the probleman
sorry i dont speak english but the probleman is that.

2010/3/10 Kenneth L. Owen <tx836519 < at > bellsouth.net ([email]tx836519 < at > bellsouth.net[/email])>
Hi Guys and Gals,

I've been running BackupPC for a couple of years now.  I started when I
first moved my computing to Linux.  It was really tough getting it up
the first time because I was dumber than a newbie!  But once up and
running, it works great.

Anyway, I am faced with having to rebuild the system.  All has gone
pretty well up to the point of creating my ssh keys.  I'm using the same
instructions that I used for both the original build on Fedora and the
long running system on Ubuntu 8.04 (LTS).  The problem is that when I
try to scp the keys between machines, the root password is not accepted.

On both the server and the client, I created a root password.  On both,
su and entering the password elevates my session to root.  On the
server, I switch to 'backuppc' user and create the key pair.  When I try
to scp the public key to the client, the root password is not accepted.

I spent the entire day running between the machines trying to get this
to work.  I also have the transcript of the last time I set it up and
cannot find anywhere that I am doing different.

Does anyone have an idea what I am missing?  -- ken


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net ([email]BackupPC-users < at > lists.sourceforge.net[/email])
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Look at your /etc/ssh/sshd_config

You may have, for example, PermitRootLogin set to no (I think it is now the default)

Any way, for ssh backups you only need ssh between backupc users on both machines if you follow http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided

Hope it helps
Luis

On Thu, Mar 11, 2010 at 2:44 AM, Kenneth L. Owen <tx836519 < at > bellsouth.net ([email]tx836519 < at > bellsouth.net[/email])> wrote:
Hi Guys and Gals,

I've been running BackupPC for a couple of years now.  I started when I
first moved my computing to Linux.  It was really tough getting it up
the first time because I was dumber than a newbie!  But once up and
running, it works great.

Anyway, I am faced with having to rebuild the system.  All has gone
pretty well up to the point of creating my ssh keys.  I'm using the same
instructions that I used for both the original build on Fedora and the
long running system on Ubuntu 8.04 (LTS).  The problem is that when I
try to scp the keys between machines, the root password is not accepted.

On both the server and the client, I created a root password.  On both,
su and entering the password elevates my session to root.  On the
server, I switch to 'backuppc' user and create the key pair.  When I try
to scp the public key to the client, the root password is not accepted.

I spent the entire day running between the machines trying to get this
to work.  I also have the transcript of the last time I set it up and
cannot find anywhere that I am doing different.

Does anyone have an idea what I am missing?  -- ken


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net ([email]BackupPC-users < at > lists.sourceforge.net[/email])
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

So,
you may tell us exactly the scp command you are trying (or use ssh-copy-id command instead, which I recommend).

I would still try to connect between two non root users to see if it also doesn't work

Are you creating rsa files with or without password?

Wrong permissions for the .ssh dir may also be the problem.
$ chmod 700 ~/.ssh$ chmod 600 ~/.ssh/authorized_keysRemember to restart ssh after changes

maybe show us your client /etc/ssh/sshd_config if none of the above helps/work (check for AllowUsers directives, etc)

Luis

PS: I guess you are planning to use
$Conf{RsyncClientCmd} = '$sshPath -q -x -l root $host $rsyncPath $argList+';


On Thu, Mar 11, 2010 at 2:48 PM, Kenneth L. Owen <tx836519 < at > bellsouth.net ([email]tx836519 < at > bellsouth.net[/email])> wrote:
Hi Luis,

I thought you had the answer!  But when I checked, I found the files are
set to allow root logon.  -- ken

On Thu, 11 Mar 2010, Kenneth L. Owen wrote:

Again, no error and prompted for root password which is not accepted.

I have root passwords for both of these machines and have no problem
elevating to root to execute all other functions.

Are root logins disabled? check /etc/ssh/sshd_config, in the
Authentication section.


Mike


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Hi, ken
Sorry for the delay.

I can't understand why the root password is not accepted.
You may try the -v switch, as in

scp -v ~/.ssh/BackupPC_id_rsa.pub root < at > 192.168.1.101:/root/.ssh/

Next is my sshd_config. See if it helps
-------------------------------------------------
# cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd( manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
LoginGraceTime 20
#PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSTok en no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

AllowGroups sshlogin
-------------------------------------------------

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Sure, ken. Learn and share.

A few points to make your reading easier

* backuppc server needs to log to the client as root without the need of human intervention (to insert a password, for example)

* That's why you now connect with ssh as root with empty password keys.

* empty password keys are not very secure, especialy for root user.

* the link I sent uses a different approach. You ssh as backuppc user and then you sudo to do the backup - $Conf{RsyncClientCmd}. Your rsa keys for backuppc user on both machines don't have password, but the root keys may now have passwords.

* If you could sudo as backuppc to run any command, we will not have gain much.

* Thats where visudo comes to restrict the commands a user can run as root (sudo)

* run visudo to see your actual permissions, and man sudoers for some help.

notice at visudo the line
root    ALL=(ALL) ALL
It means root can do all, from anywhere impersonating anyone

Enjoy

PS: Please reply using the backuppc list when you want to ask something about backuppc.
We'll get the help of other members

On Sat, Mar 13, 2010 at 4:39 AM, Kenneth L. Owen <tx836519 < at > bellsouth.net ([email]tx836519 < at > bellsouth.net[/email])> wrote:
Hi Luis,

As you have figured out by now, I am not a power user of Linux.  I'm
barely able to understand what the HowTo file says to do.  I am very
interested in security and trying to improve is why the 'AllowUsers'
line was added to sshd_config.  I will study the documents at the link
and, if I can figure out how to do it, I'm very interested in avoiding a
compromise of my system.  If I have questions, will you be willing to
guide me a bit more?

Again, thanks for your patience with a neophyte!  -- ken


On Sat, 2010-03-13 at 03:17 +0000, Luis Paulo wrote:
Great.
Try
http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided
when you have the time. This way you avoid empty password keys for
root user. On the other hand, that may not be too important to you, I
guess.

I have on server: visudo
Host_Alias      LOCAL = <your server name or IP>
#backuppc        LOCAL=NOPASSWD:/bin/tar -c *, /bin/tar -x *
backuppc        LOCAL=NOPASSWD:/bin/tar -c *

and $Conf{TarClientCmd} = /usr/bin/env LC_ALL=C sudo /bin/tar -c -v -f
- -C $shareName --totals
$Conf{TarClientRestoreCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -x
-v -f - -C $shareName --totals';

On linux clients, I have: visudo
#backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
backuppc ALL=NOPASSWD: /usr/bin/rsync --server *

and $Conf{RsyncClientCmd} = $sshPath -q -x -l backuppc
$host /usr/bin/sudo /usr/bin/rsync $argList+
$Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l backuppc
$host /usr/bin/sudo $rsyncPath $argList+';

note: you must switch the # on visudo to use restore

Regards
Luis

On Sat, Mar 13, 2010 at 2:12 AM, Kenneth L. Owen
<tx836519 < at > bellsouth.net ([email]tx836519 < at > bellsouth.net[/email])> wrote:
Hi Luis,

Just as I thought, it now works!!!  Thanks to you for sticking with
me
to find my mistake.  Only on a computer can you find twenty ways to
make
the same mistake!  -- ken

PROBLEM SOLVED <<<

Hi, Les

I don't know how to restrict with ssh what commands backuppc user can run as root, that's why I use visudo/sudoers

I use backuppc user with sudo to do the backup so I may have keys with passphrase for ssh as root (or not allow ssh as root at all).

As I understood it, this way, even if you allow root to ssh, to gain control with ssh as root, you'll need the public key and the passphrase.

To gain access as backuppc user, you only need the key, but you can't gain control as root because of visudo limitations. Unless, as I think you meant, you allow restore as sudo, then you gain nothing. So I don't allow direct restore. (btw, is there a way to remove that option from the gui?)

Of course, I can do that because I use BackupPC to backup my machines, so I am the only user. And I can even change visudo temporarly to allow direct restore if I really want it.

Do I make sense?

Of course, if I had users, a way for each user to do direct restores only to their homes as themselves would be nice, I guess. But I don't see how.

Luis

On Mon, Mar 15, 2010 at 11:05 PM, Les Mikesell <lesmikesell < at > gmail.com ([email]lesmikesell < at > gmail.com[/email])> wrote:
On 3/13/2010 9:47 AM, Luis Paulo wrote:

* the link I sent uses a different approach. You ssh as backuppc user
and then you sudo to do the backup - $Conf{RsyncClientCmd}. Your rsa
keys for backuppc user on both machines don't have password, but the
root keys may now have passwords.

* If you could sudo as backuppc to run any command, we will not have
gain much.

* Thats where visudo comes to restrict the commands a user can run as
root (sudo)


Ssh is equally capable of restricting the commands that can be run
directly.  But either way, if you allow files to be restored as root,
someone who has the ssh key and understands the process basically owns
the machine.

--
  Les Mikesell
   lesmikesell < at > gmail.com ([email]lesmikesell < at > gmail.com[/email])


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net ([email]BackupPC-users < at > lists.sourceforge.net[/email])
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

On 03/16 02:18 , Luis Paulo wrote:
I don't know how to restrict with ssh what commands backuppc user can run as
root, that's why I use visudo/sudoers

Here's an example authorized_keys file with restrictions on what command may be
run. This is how I invoke sudo; by putting this in the .ssh directory of a
new user called 'rsyncbakup' or the like. Note that this all needs to be on
one line, with no line breaks; and of course the actual key has been
clobbered with 'A's.

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc' --exclude='/mnt' --exclude='/sys' --exclude='/tmp' --exclude='/var/tmp' --exclude='/var/cache/apt/archives' --exclude='/var/spool/exim' --exclude='/var/log/' --delete --numeric-ids --block-size=2048 . /" ssh-dss AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user < at > example.tld


--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Thanks, Carl

I'll have to look a little better to it.
I kind of undestand the no-port-forwarding,no-X11-forwarding,no-agent-forwarding part, the rsync command, the key (not sure about what is dss), and at the end the backuppc server name, I think

I'm looking again to the sshd man, and I'll try it

Note: This may seem a bit off topic, but we are still talking about ssh and key generation on BackupPC, now mostly about security options, right?

Regards
Luis

On Tue, Mar 16, 2010 at 4:51 PM, Carl Wilhelm Soderstrom <chrome < at > real-time.com ([email]chrome < at > real-time.com[/email])> wrote:
On 03/16 02:18 , Luis Paulo wrote:
I don't know how to restrict with ssh what commands backuppc user can run as
root, that's why I use visudo/sudoers


Here's an example authorized_keys file with restrictions on what command may be
run. This is how I invoke sudo; by putting this in the .ssh directory of a
new user called 'rsyncbakup' or the like. Note that this all needs to be on
one line, with no line breaks; and of course the actual key has been
clobbered with 'A's.

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc' --exclude='/mnt' --exclude='/sys' --exclude='/tmp' --exclude='/var/tmp' --exclude='/var/cache/apt/archives' --exclude='/var/spool/exim' --exclude='/var/log/' --delete --numeric-ids --block-size=2048 . /" ssh-dss AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user < at > example.tld


--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net ([email]BackupPC-users < at > lists.sourceforge.net[/email])
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

On 03/16 09:31 , Luis Paulo wrote:
Note: This may seem a bit off topic, but we are still talking about ssh and
key generation on BackupPC, now mostly about security options, right?

It's related to ssh keys certainly. Are you wondering if it's time to change the
message subject?

--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

First, thank you again for showing how to restrict commands with ssh.

It's a very tight solution. you just do ssh and the command runs. Ok.

Regarding the previous talk, you still need to allow the backup user to sudo with visudo, right? If you want automated backups, that is.

And phraseless keys if you don't use an agent, isn't it?

About the topic, I guess we could keep this for increasing security for ssh with phraseless keys until it goes, but yes, I was just wondering.

I'll start another topic for using an agent on a server without X.
That's because, as I remember, when I had backuppc server on a machine with X, it was quite easy to make the gnome-agent send the key. The only thing was the need to insert a key on boot, what could be a problem on a power event.

I never was able to do that with ssh-agent.

Regards
Luis

On Tue, Mar 16, 2010 at 10:12 PM, Carl Wilhelm Soderstrom <chrome < at > real-time.com ([email]chrome < at > real-time.com[/email])> wrote:
On 03/16 09:31 , Luis Paulo wrote:
Note: This may seem a bit off topic, but we are still talking about ssh and
key generation on BackupPC, now mostly about security options, right?


It's related to ssh keys certainly. Are you wondering if it's time to change the
message subject?

--

Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net ([email]BackupPC-users < at > lists.sourceforge.net[/email])
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

On 03/17 01:07 , Luis Paulo wrote:
Regarding the previous talk, you still need to allow the backup user to sudo
with visudo, right? If you want automated backups, that is.

correct. something like this in your /etc/sudoers:

rsyncbakup ALL= NOPASSWD: /usr/bin/rsync

And phraseless keys if you don't use an agent, isn't it?

Correct.

--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Ok. Thanks

On Wed, Mar 17, 2010 at 1:37 AM, Carl Wilhelm Soderstrom <chrome < at > real-time.com ([email]chrome < at > real-time.com[/email])> wrote:
On 03/17 01:07 , Luis Paulo wrote:
Regarding the previous talk, you still need to allow the backup user to sudo
with visudo, right? If you want automated backups, that is.


correct. something like this in your /etc/sudoers:

rsyncbakup ALL= NOPASSWD: /usr/bin/rsync

And phraseless keys if you don't use an agent, isn't it?


Correct.

--

Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net ([email]BackupPC-users < at > lists.sourceforge.net[/email])
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/