5.1 Configure The SSH Tunnel
The rsync backup is tunneled through SSH. The backup runs as the user backuppc, so this user must be able to log in to falko-desktop as root without being prompted for a password. To allow password-less logins for backuppc, we exchange public keys.
First we must log in to a shell on falko-desktop and create a root login (if you don't use Ubuntu, you most probably have one already):
falko-desktop:
sudo passwd root
sudo su
Now that you're logged in as root, install OpenSSH and rsync:
falko-desktop:
apt-get install rsync ssh openssh-server
Then create a private/public key pair:
falko-desktop:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <-- <ENTER>
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): <-- <ENTER>
Enter same passphrase again: <-- <ENTER>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0f:95:00:4b:fd:c3:cc:0b:1f:2b:00:c9:29:bf:ca:4e root@falko-desktop
If you don't have a DNS record for server1.example.com, you should add server1.example.com to /etc/hosts now:
falko-desktop:
vi /etc/hosts
[...]
192.168.0.100 server1.example.com server1
[...]
Next we create a private/public key pair on server1.example.com. We must do this as the user backuppc!
server1.example.com:
su backuppc
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/backuppc/.ssh/id_rsa): <-- <ENTER>
Created directory '/var/lib/backuppc/.ssh'.
Enter passphrase (empty for no passphrase): <-- <ENTER>
Enter same passphrase again: <-- <ENTER>
Your identification has been saved in /var/lib/backuppc/.ssh/id_rsa.
Your public key has been saved in /var/lib/backuppc/.ssh/id_rsa.pub.
The key fingerprint is:
74:20:65:73:47:1c:cb:ba:5d:9b:5d:56:cf:91:1a:1a backuppc@server1.example.com
Then we copy the public key to falko-desktop. Make sure you use falko-desktop's current IP address in the scp command:
server1.example.com:
cp ~/.ssh/id_rsa.pub ~/.ssh/BackupPC_id_rsa.pub
scp ~/.ssh/BackupPC_id_rsa.pub root@192.168.0.213:/root/.ssh/
The authenticity of host '192.168.0.213 (192.168.0.213)' can't be established.
RSA key fingerprint is 9b:66:3e:ce:b4:8d:63:00:ba:87:14:b2:94:03:cb:a8.
Are you sure you want to continue connecting (yes/no)? <-- yes
Warning: Permanently added '192.168.0.213' (RSA) to the list of known hosts.
root@192.168.0.213's password: <-- root password for falko-desktop
BackupPC_id_rsa.pub 100% 410 0.4KB/s 00:00
Next we append backuppc's public key to ~/.ssh/authorized_keys2 on falko-desktop (we do this as root):
falko-desktop:
cat ~/.ssh/BackupPC_id_rsa.pub >> ~/.ssh/authorized_keys2
If you have a proper DNS record for server1.example.com or added it to falko-desktop's /etc/hosts file, you can now open ~/.ssh/authorized_keys2 and add from="server1.example.com" at the beginning of the line that holds backuppc's key. Thus only server1.example.com can use this key for password-less logins. (If server1.example.com cannot be resolved on falko-desktop, then don't add from="server1.example.com".)
falko-desktop:
vi ~/.ssh/authorized_keys2
from="server1.example.com" ssh-rsa AAAAB3[...]FMZpdAj8Hs9107tZ97Rq2oO/Zw== backuppc@server1.example.com
Then copy root@falko-desktop's public key to server1.example.com (make sure you use the correct IP address):
falko-desktop:
scp ~/.ssh/id_rsa.pub root@192.168.0.100:/var/lib/backuppc/.ssh/client_id_rsa.pub
The authenticity of host '192.168.0.100 (192.168.0.100)' can't be established.
RSA key fingerprint is 29:40:1c:c0:40:f8:e1:4c:68:47:36:b3:f3:53:b1:38.
Are you sure you want to continue connecting (yes/no)? <-- yes
Warning: Permanently added '192.168.0.100' (RSA) to the list of known hosts.
root@192.168.0.100's password: <-- root password for server1.example.com
id_rsa.pub 100% 400 0.4KB/s 00:00
Back on server1.example.com, we append root@falko-desktop's public key to ~/.ssh/known_hosts. Make sure you're still logged in as the user backuppc!
server1.example.com:
cat ~/.ssh/client_id_rsa.pub >> ~/.ssh/known_hosts
Then we switch back to the root user and delete /var/lib/backuppc/.ssh/client_id_rsa.pub:
server1.example.com:
su
rm -f /var/lib/backuppc/.ssh/client_id_rsa.pub
Then become backuppc again and change the permissions of the ~/.ssh directory:
server1.example.com:
su backuppc
chmod -R go-rwx ~/.ssh
Do the same on falko-desktop (as root):
falko-desktop:
chmod -R go-rwx ~/.ssh
Then go back to server1.example.com and make sure you're still logged in as backuppc. Run the following test command to see if falko-desktop prompts you for a password. If you did everything right, it shouldn't. (Make sure to use falko-desktop's current IP address!)
server1.example.com:
ssh -l root 192.168.0.213 whoami
The output should simply be:
root
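To check that the from= restriction added to authorized_keys2 earlier is really attached to every key, the following added example (not part of the original tutorial) lists each key in an authorized_keys-style file together with its from= patterns and flags keys that are accepted from any host. The function name audit_authorized_keys and the sample key lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original tutorial. The function name and the
# sample key lines are constructed; the key blobs are placeholders.

# For each key line print: <line no> <from= patterns or UNRESTRICTED> <last field>
audit_authorized_keys() {
    awk '
    # First whitespace-delimited field of s, treating quoted text as opaque.
    function first_field(s,   i, c, q) {
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\\" && q) { i++; continue }    # escaped char inside quotes
            if (c == "\"") q = !q
            if (c ~ /[ \t]/ && !q) return substr(s, 1, i - 1)
        }
        return s
    }
    # Value of the from= option in a comma-separated option list, or "".
    function from_value(opts,   i, c, q, tok) {
        opts = opts ","
        for (i = 1; i <= length(opts); i++) {
            c = substr(opts, i, 1)
            if (c == "\\" && q) { i++; continue }
            if (c == "\"") { q = !q; continue }      # drop the quotes themselves
            if (c == "," && !q) {
                if (tolower(tok) ~ /^from=/) return substr(tok, 6)
                tok = ""; continue
            }
            tok = tok c
        }
        return ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blank lines
    {
        sub(/^[ \t]+/, "")
        f = first_field($0)
        # A line that starts with the key type carries no options at all.
        v = (f ~ /^(ssh-|ecdsa-|sk-)/) ? "" : from_value(f)
        print NR, (v == "" ? "UNRESTRICTED" : v), $NF
    }' "$@"
}

# Constructed sample: one key limited as in the tutorial, two that are not.
audit_authorized_keys <<'EOF'
from="server1.example.com" ssh-rsa AAAAB3placeholder backuppc@server1.example.com
ssh-rsa AAAAB3placeholder admin@laptop
command="echo from=here, done",no-pty ssh-rsa AAAAB3placeholder cron@host
EOF
```

On falko-desktop, run it as root against the real file with `audit_authorized_keys ~/.ssh/authorized_keys2`; any line reported as UNRESTRICTED grants root login from every host that holds the matching private key.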