mirroring with rsync (multiple servers)

Discussion in 'HOWTO-Related Questions' started by edpatterson, Apr 2, 2009.

  1. edpatterson

    edpatterson New Member

    The tutorial worked just fine for a single server. Then I attempted to add another by generating a key, copying it to the source server and appending it to the authorized_keys file. I duplicated everything only changing the hostname of the target machine.
    Now when I try to sync I get a message that smartcards are not supported and am prompted for the password. Entering the password on the original machine works, from the second one fails.

    I have 14 squid servers and am looking for a way to sync the url lists. I thought rsync would be a nice lightweight (easy on the brain) way to do it.

    Ideas on what I did wrong or possibly a better/easier way?

    Thanks,
    Ed
     
  2. falko

    falko Super Moderator

    Does it work if you remove the "command="/home/someuser/rsync/checkrsync",from="mirror.example.com",no-port-forwarding,no-X11-forwarding,no-pty" part from all lines in authorized_keys?
     
  3. edpatterson

    edpatterson New Member

    No, I deleted everything up to ssh-dss. It still reports no support for smartcards and requests the password.
     
  4. falko

    falko Super Moderator

    What's your rsync command?

    Also, did you compare your setup with the tutorial? Maybe you've made a typo somewhere?
     
  5. edpatterson

    edpatterson New Member

    It worked fine when I first did the tutorial. Then I attempted to add another machine a week or so and a bunch of successful syncs later. That is when the problem started.
    Here is what I did to break it.
    Built another server
    Created a ssh key-pair (ssh-keygen -t dsa -b 1024 -f /root/rsync/server3-rsync-key)
    Copied the server3-rsync-key.pub to server1:/home/rsyncer/.ssh/
    Added the key to the existing authorized_keys file (cat server3-rsync-key.pub >> authorized_keys)
    Prepended 'command="/home/rsyncer/rsync/checkrsync", from="server3", no-port-forwarding,no-X11-forwarding,no-pty'
    Then from server3
    rsync -avz -e "ssh -I /root/rsync/server3/rsync/server3-rsync-key" rsyncer@server1:/tmp/sync-test
    The smartcard error and prompt for password, no files transferred.
    I am thinking that maybe you can not have more than one line in the authorized_keys file. But then that would make it authorized_key.
    I will try to look up more info on ssh. It seemed to me like it would work.
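
Added example, not part of the original posts or the tutorial: a small Python lint for two details visible in the post above, the spaces inside the prepended authorized_keys options and the uppercase `-I` passed to ssh. sshd(8) permits no unquoted spaces in the options field, and ssh's `-I` selects a smartcard/PKCS#11 provider while lowercase `-i` names the identity file; the function names and key material below are constructed.

```python
import shlex

# Key-type prefixes that can start the key field (OpenSSH names).
KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def scan(text, stop):
    """Split text at every unquoted character for which stop(ch) is true."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if stop(ch) and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return parts + [cur]

def lint_line(line):
    """Return (options, key_type, problems) for one authorized_keys line."""
    fields = [f for f in scan(line.strip(), str.isspace) if f]
    if not fields or fields[0].startswith("#"):
        return [], None, []
    if fields[0].startswith(KEY_TYPES):
        return [], fields[0], ["key carries no command=/from= restriction"]
    options = scan(fields[0], lambda ch: ch == ",")
    nxt = fields[1] if len(fields) > 1 else "<nothing>"
    if not nxt.startswith(KEY_TYPES):
        # sshd ends the options field at the first unquoted space.
        return options, None, ["expected a key type after the options, "
                               "found %r (space inside the options?)" % nxt]
    return options, nxt, []

def lint_ssh_command(cmd):
    """Flag an uppercase -I in an ssh command string such as rsync's -e value."""
    hits = [a for a in shlex.split(cmd) if a.startswith("-I")]
    return ["%r selects a smartcard/PKCS#11 provider; the identity file "
            "option is lowercase -i" % a for a in hits]

# Constructed samples: option text as in the post, placeholder key material.
OPTS = 'command="/home/rsyncer/rsync/checkrsync",from="server3",no-pty'
BROKEN = OPTS.replace(",", ", ") + " ssh-dss AAAAB3CONSTRUCTED root@server3"
FIXED = OPTS + " ssh-dss AAAAB3CONSTRUCTED root@server3"

if __name__ == "__main__":
    for sample in (BROKEN, FIXED):
        print(lint_line(sample))
    print(lint_ssh_command("ssh -I /root/rsync/server3-rsync-key"))
```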
     
  6. falko

    falko Super Moderator

    No, that's not true. You can have more than one line in that file. I'm using rsync mirroring with multiple servers at the same time.
     
  7. edpatterson

    edpatterson New Member

    OK, I have gone to the source (literally) and am reading all I can find. I obviously screwed something up.

    Another different but related question. Do the ssh keys use the IP address? I am going to be building all my servers at one location then rolling them out. I generate the keys as part of the build/test process. Will I need to regenerate the keys when they change subnets?
     
  8. falko

    falko Super Moderator

    No, that's not necessary.
     
  9. edpatterson

    edpatterson New Member

    OK, this is getting personal :)

    I copied the how-to into an editor and changed the server1 and mirror names to reflect the actual names I am using. I redid the whole thing from scratch. On the final step it is asking for the unprivileged user's password (listadmin in my case). Everything works if I enter the password.

    I am somewhat confused why I generated a passwordless key set then told ssh to use a different user's account.

    Am I getting closer?
     
  10. falko

    falko Super Moderator

    Can you remove the part from post #2 and try again?
     
  11. edpatterson

    edpatterson New Member

    It just keeps getting better and better.

    I created another unprivileged account on the source server. It has no .ssh directory. I then ran the rsync command:
    rsync -avz -e "ssh -i/root/rysnc/scflf005-rsync-key" sync2@scflf001:/etc/squid/lists/ /etc/squid/lists/
    It asked for the password for sync2. When I entered it the files sync'd.

    The key I generated was for root on scflf005 and that is the account I issued the rsync command from. It appears it ignored the whole key thing and granted the sync based upon the sync2 password.

    I then copied the passwordless public key (same one as before) to sync2@scflf001:/home/.ssh and copied it to authorized_keys (cat >> authorized_keys). Added a line to one of the lists and reran the command. It sync'd without asking for a password.

    This leads me to believe that the problem for me is either in my checkrsync file or what I am prepending to the public key.

    Thanks for your continued support! I'll add the pieces a little at a time to see where it breaks.
     
  12. edpatterson

    edpatterson New Member

    The saga continues...
    A refresher, I have 2 unprivileged accounts listadmin & rsync2 on my main server scflf001. listadmin is the account that the developers use to ftp the new lists to the server with. They are uploaded to its home directory and a shell script copies them out to the correct location. I would like to use listadmin as well for the rsync process. This would limit the number of users on the main server to 3; root, listadmin and myself. The other servers will have only root and myself.

    I am prompted for a password every time I try to use listadmin@scflf001. If I use the sync2@scflf001 it works as expected. I deleted the authorized_keys file and the scflf005-rsync-key.pub file from listadmin's .ssh directory and copied the ones from rysnc2. I am still prompted for a password if I use listadmin@scflf001. I deleted the authorized_keys and .pub file from rsync2's .ssh directory, copied them back from listadmin. It works, no password needed.

    What could it be about the listadmin account that causes the process to request a password? I do not have anything prepended to the authorized_keys file.

    Lastly, -avz causes the owner and group to be set to 1003, I am assuming that would be the user's number on the main server.
     
  13. falko

    falko Super Moderator

    I have no idea why this isn't working for you. :(
     
  14. edpatterson

    edpatterson New Member

    Me neither, but being of superior intelligence I figured that if it works with userA and not userB, then I would simply use userA and move on to bigger and better things. :)

    I really do appreciate all your trouble!
    Ed
     
  15. falko

    falko Super Moderator

    :D Nice one! :)
     
