Back Up Linux And Windows Systems With BackupPC - Page 4

5.1 Configure The SSH Tunnel

The rsync backup is tunneled through SSH. The backup runs as the user backuppc, so this user must be able to log in to falko-desktop as root without being prompted for a password. We therefore exchange public keys to allow password-less logins for backuppc.

First we must log in on falko-desktop on the shell and create a root login (if you don't use Ubuntu you most probably have one already):

falko-desktop:

sudo passwd root
sudo su

Now that you're logged in as root, install OpenSSH and rsync:

falko-desktop:

apt-get install rsync ssh openssh-server

Then create a private/public key pair:

falko-desktop:

ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <-- <ENTER>
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): <-- <ENTER>
Enter same passphrase again: <-- <ENTER>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0f:95:00:4b:fd:c3:cc:0b:1f:2b:00:c9:29:bf:ca:4e root@falko-desktop

If you don't have a DNS record for server1.example.com, you should add server1.example.com to /etc/hosts now:

falko-desktop:

vi /etc/hosts

[...]
192.168.0.100   server1.example.com server1
[...]

Next we create a private/public key pair on server1.example.com. We must do this as the user backuppc!

server1.example.com:

su backuppc
ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/backuppc/.ssh/id_rsa): <-- <ENTER>
Created directory '/var/lib/backuppc/.ssh'.
Enter passphrase (empty for no passphrase): <-- <ENTER>
Enter same passphrase again: <-- <ENTER>
Your identification has been saved in /var/lib/backuppc/.ssh/id_rsa.
Your public key has been saved in /var/lib/backuppc/.ssh/id_rsa.pub.
The key fingerprint is:
74:20:65:73:47:1c:cb:ba:5d:9b:5d:56:cf:91:1a:1a [email protected]

Then we copy the public key to falko-desktop. Make sure you use falko-desktop's current IP address in the scp command:

server1.example.com:

cp ~/.ssh/id_rsa.pub ~/.ssh/BackupPC_id_rsa.pub
scp ~/.ssh/BackupPC_id_rsa.pub root@192.168.0.213:/root/.ssh/

The authenticity of host '192.168.0.213 (192.168.0.213)' can't be established.
RSA key fingerprint is 9b:66:3e:ce:b4:8d:63:00:ba:87:14:b2:94:03:cb:a8.
Are you sure you want to continue connecting (yes/no)? <-- yes
Warning: Permanently added '192.168.0.213' (RSA) to the list of known hosts.
root@192.168.0.213's password: <-- root password for falko-desktop
BackupPC_id_rsa.pub 100% 410 0.4KB/s 00:00

Next we append backuppc's public key to ~/.ssh/authorized_keys2 on falko-desktop (we do this as root):

falko-desktop:

cat ~/.ssh/BackupPC_id_rsa.pub >> ~/.ssh/authorized_keys2

If you have a proper DNS record for server1.example.com or added it to falko-desktop's /etc/hosts file, you can now open ~/.ssh/authorized_keys2 and add from="server1.example.com" at the beginning of the line that holds backuppc's public key. This way the key is accepted for password-less logins only when the connection comes from server1.example.com. (If server1.example.com cannot be resolved on falko-desktop, don't add from="server1.example.com".)

falko-desktop:

vi ~/.ssh/authorized_keys2

from="server1.example.com" ssh-rsa AAAAB3[...]FMZpdAj8Hs9107tZ97Rq2oO/Zw== [email protected] 

Then copy root@falko-desktop's public key to server1.example.com (make sure you use the correct IP address):

falko-desktop:

scp ~/.ssh/id_rsa.pub root@192.168.0.100:/var/lib/backuppc/.ssh/client_id_rsa.pub

The authenticity of host '192.168.0.100 (192.168.0.100)' can't be established.
RSA key fingerprint is 29:40:1c:c0:40:f8:e1:4c:68:47:36:b3:f3:53:b1:38.
Are you sure you want to continue connecting (yes/no)? <-- yes
Warning: Permanently added '192.168.0.100' (RSA) to the list of known hosts.
root@192.168.0.100's password: <-- root password for server1.example.com
id_rsa.pub 100% 400 0.4KB/s 00:00

Back on server1.example.com, we append root@falko-desktop's public key to ~/.ssh/known_hosts. Make sure you're still logged in as the user backuppc!

server1.example.com:

cat ~/.ssh/client_id_rsa.pub >> ~/.ssh/known_hosts

Then we switch back to the root user and delete /var/lib/backuppc/.ssh/client_id_rsa.pub:

server1.example.com:

su
rm -f /var/lib/backuppc/.ssh/client_id_rsa.pub

Then become backuppc again and change the permissions of the ~/.ssh directory:

server1.example.com:

su backuppc
chmod -R go-rwx ~/.ssh

Do the same on falko-desktop (as root):

falko-desktop:

chmod -R go-rwx ~/.ssh

Then go back to server1.example.com and make sure you're still logged in as backuppc. Run the following test command to see if falko-desktop prompts you for a password. If you did everything right, it shouldn't. (Make sure to use falko-desktop's current IP address!)

server1.example.com:

ssh -l root 192.168.0.213 whoami

The output should simply be

root
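
To check the outcome of the steps above on falko-desktop, the following script (an added example, not part of the original tutorial) lists each key in an authorized_keys-style file together with its from= restriction and verifies that the file carries no group/other permissions. The function names audit_keys and private_mode, the placeholder key blobs, the key comments and the second, unrestricted key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Key blobs are constructed placeholders.

# List every key in an authorized_keys-style file with its from= restriction, if any.
audit_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    {
        opts = ""; type = ""
        for (i = 1; i <= NF; i++) {             # fields before the key type are options
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) { type = $i; break }
            opts = (opts == "" ? "" : opts " ") $i
        }
        if (type == "" || i == NF) { print "MALFORMED line " NR; next }
        comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
        if (match(opts, /(^|,)from="[^"]*"/)) {
            pat = substr(opts, RSTART, RLENGTH)
            sub(/^,?from="/, "", pat); sub(/"$/, "", pat)
            print "restricted from=" pat " " comment
        } else
            print "UNRESTRICTED " comment
    }' "$1"
}

# Succeed only if group and other have no access, as chmod -R go-rwx leaves it.
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: one key restricted as in the tutorial, one without from=.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys2" <<'EOF'
from="server1.example.com" ssh-rsa AAAAB3PLACEHOLDER1== backuppc@server1.example.com
ssh-rsa AAAAB3PLACEHOLDER2== someone@elsewhere
EOF
chmod go-rwx "$demo_dir/authorized_keys2"

audit_keys "$demo_dir/authorized_keys2"
private_mode "$demo_dir/authorized_keys2" && echo "mode ok" || echo "mode too open"
```

Any line reported as UNRESTRICTED is a key that is accepted from every source address; on a host where the key grants a root login, that is the line to review first.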


Comments

From: at: 2009-04-07 19:47:32

make sure to 

touch authorized_keys2 

if the file doesn't exist before doing 

cat ~/.ssh/BackupPC_id_rsa.pub >> ~/.ssh/authorized_keys2

From: at: 2011-03-09 18:01:48

This problem tends to crop up every so often, with users tearing their hair out while troubleshooting it.

When executing this command on the backuppc server:

ssh -l root 192.168.0.213 whoami

Also execute the command with the hostname of the client:

ssh -l root falko-desktop whoami

If the hostname resolves then you will receive a prompt to confirm an RSA key.