Monday, June 27, 2011

BackupPC client quickstart with improved security

To embellish and improve upon http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided I've been using the following procedure:

- Add the 'mybackuppc' user to the machine that is being backed up. I try to avoid using "backuppc" as the username in case a common dictionary attack occurs. Then, create an SSH key pair on the client as the 'mybackuppc' user (do not enter a passphrase):
    useradd mybackuppc -c "Backup User"
    su - mybackuppc
    ssh-keygen -t rsa
    exit
- Add the 'mybackuppc' user to the client's sudoers file using visudo, giving the user sudo rights as follows:
    mybackuppc ALL=(ALL) NOPASSWD: /usr/bin/rsync --server *
    Defaults:mybackuppc !requiretty
- Copy the 'backuppc' user's public key from the backup server (/var/lib/backuppc/.ssh/id_rsa.pub) to mybackuppc's authorized_keys file on the client (/home/mybackuppc/.ssh/authorized_keys).
- SSH from the BackupPC server to the client once as the backuppc user (su - backuppc; ssh -l mybackuppc $host) to get the RSA fingerprint into the backup server's /var/lib/backuppc/.ssh/known_hosts file:
    bash-3.2$ /usr/bin/ssh -l mybackuppc client-host
    The authenticity of host 'client-host (x.x.x.x)' can't be established.
    RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'client-host, x.x.x.x' (RSA) to the list of known hosts.
    [mybackuppc@client-host ~]$ exit
    logout
    Connection to client-host closed.
- Use the BackupPC web interface to add a new host. Notice in the comments at the bottom of the page that you can easily copy an existing host, or just add one from scratch with the defaults. You don't have to use a valid name available via DNS if you make sure the name is in /etc/hosts on the backup server. Alternatively, you could create a config file on the backup server in /etc/BackupPC/pc/ and then add the host to the /etc/BackupPC/hosts file.
- Use the BackupPC server's web interface to initiate a full backup of the new client machine.
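As an added example (not from the original post), a small POSIX sh audit that checks a client's sudoers fragment for the exact restricted rule used in the steps above, so that a later edit widening the grant to ALL, or dropping the !requiretty line, shows up as a finding. The function name and the sample sudoers fragments are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a client's sudoers
# fragment for the restricted BackupPC rule from the steps above.
# audit_backup_sudoers USER FILE -> 0 only when USER is granted exactly
# '/usr/bin/rsync --server *' (NOPASSWD) and requiretty is disabled.
audit_backup_sudoers() {
    user=$1 file=$2 status=0
    expected="$user ALL=(ALL) NOPASSWD: /usr/bin/rsync --server *"
    # Strip comments and squeeze whitespace so layout differences do not matter.
    rules=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$file" \
            | grep "^$user " || true)
    if [ -z "$rules" ]; then
        echo "FAIL: no sudoers rule for $user"
        return 1
    fi
    # Several rules, or any rule other than the expected one, is a finding:
    # with 'ALL' the backup key becomes root-equivalent on the client.
    if [ "$rules" != "$expected" ]; then
        echo "FAIL: unexpected grant(s) for $user:"
        printf '  %s\n' "$rules"
        status=1
    fi
    # rsync over ssh runs without a tty; without this line sudo refuses to run.
    if ! grep -q "^Defaults:$user[[:space:]]*!requiretty" "$file"; then
        echo "FAIL: requiretty not disabled for $user"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $user is limited to rsync --server"
    return "$status"
}

# Constructed sample fragments (not taken from any real host).
good=$(mktemp) bad=$(mktemp)
cat > "$good" <<'EOF'
mybackuppc   ALL=(ALL)  NOPASSWD: /usr/bin/rsync --server *
Defaults:mybackuppc !requiretty
EOF
cat > "$bad" <<'EOF'
# over-permissive variant: the backup key could run anything as root
mybackuppc ALL=(ALL) NOPASSWD: ALL
EOF
audit_backup_sudoers mybackuppc "$good"           # OK
audit_backup_sudoers mybackuppc "$bad" || true    # FAIL on the grant and on requiretty
rm -f "$good" "$bad"
```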