Re: network backups with tar - cannot generate passwordless SSH key


Hi A.J

Thanks for taking the time and the effort to write up your solution! I
really appreciate it :)

Unfortunately, still no joy. I assume that I am putzing up somewhere, so I
will give you a summarized log of exactly what I did on my servers.

The two test servers I am using:

'blackhawk' - Red Hat Linux 8 [ server that needs to be backed up]
'firewall' - Red Hat Linux 6.2 [ server that I am using for the 'backups'
(not really, just to test the connection) ]

When I do the real backup on Saturday, the server to be backed up is on Red
Hat Linux 7.2, and the server I will be storing the backup archives on is
Red Hat 8.

Action log
----------

1)  On the firewall machine I created a user called 'backup' using the webmin
    interface. The normal account password was also 'backup'.

2) Logged into firewall machine as user backup.

3)  Ran the 'ssh-keygen' program. Here is the output (I accepted the
    defaults with spaces):

    # ssh-keygen

    [backup@firewall backup]$ ssh-keygen
    Initializing random number generator...
    Generating p:  ..++ (distance 18)
    Generating q:  ...++ (distance 74)
    Computing the keys...
    Testing the keys...
    Key generation complete.
    Enter file in which to save the key (/home/backup/.ssh/identity):
    Enter passphrase:
    Enter the same passphrase again:
    Your identification has been saved in /home/backup/.ssh/identity.

     *very long number*

    backup@firewall
    Your public key has been saved in /home/backup/.ssh/identity.pub

4) Checked that 'backup' home directory was not group and world writeable:

     $  ls -ld ~backup
     drwxr-xr-x    3 backup   backup       4096 Feb 21 15:42 /home/backup

5)  Chmod the .ssh directory to 700 :

      $ ls -ld ~backup/.ssh
      drwx------    2 backup   backup       4096 Feb 21 15:43 /home/backup/.ssh

6)  Did a listing for ~backup/.ssh to see what was there:

     $ ls -l ~backup/.ssh

     -rw-------    1 backup   backup        530 Feb 21 15:43 identity
     -rw-rw-r--    1 backup   backup        334 Feb 21 15:43 identity.pub
     -rw-------    1 backup   backup        512 Feb 21 15:42 random_seed

      ( Strange. The file is called 'identity' and not id_dsa. I will just
        use the file in the same way, though. )

7)  Copied the file 'identity' to 'authorized_keys'

      $ cp ~backup/.ssh/identity ~backup/.ssh/authorized_keys
      $ ls -ld ~backup/.ssh/
      -rw-------    1 backup   backup        530 Feb 21 16:03 authorized_keys
      -rw-------    1 backup   backup        530 Feb 21 15:43 identity
      -rw-rw-r--    1 backup   backup        334 Feb 21 15:43 identity.pub
      -rw-------    1 backup   backup        512 Feb 21 15:42 random_seed

8)  Copied the 'identity' file to the blackhawk server ( server to be
    backed up ):

       $ scp ~backup/.ssh/identity root@blackhawk:/root/.ssh/backup

      ( The file gets copied and saved as 'backup' in root's .ssh
        directory. )

9)  Logged onto the blackhawk server as root to verify that the file was
    transferred:

       #  ls -l /root/.ssh/backup
        -rw-------    1 502      502           530 Feb 21 15:45 /root/.ssh/backup

      ( The IDs for user and group are probably because 'backup' does not
        exist on the archive / blackhawk server. )

10)  Ran the following command ( From blackhawk ) as root

        # ssh -i  /root/.ssh/backup  backup@firewall

I still get prompted for a password, and I even made sure that /root/.ssh is
also 700 in permissions.

Can you see any obvious way in which I am going wrong?

Regards, Jason

---------------

----- Original Message -----
From: "A.J. Werkman" <werkman@digifarma.nl>
To: <psyche-list@redhat.com>
Sent: Thursday, February 20, 2003 7:37 PM
Subject: Re: network backups with tar


> I use the following structure:
>
> On the server where I store the backup files I created a user "backup".
>
> Then as the user backup on that machine I did "ssh-keygen". The program
> asks for the key name. I use the default name ( key gets stored in
> ~/.ssh/id_dsa; public key in ~/.ssh/id_dsa.pub). On the question for a
> password, just type <return>. Then you don't have to use a password on the
> system to be backed-up. Be sure the home directory of the user backup is
> not group- and world writable, otherwise key-authentication doesn't work.
> Also be sure the "~/.ssh"-directory has mode 700.
>
> Further I copied the file ~/.ssh/id_dsa to ~/.ssh/authorized_keys. This way
> the backup user accepts login authentication with the private key made in
> the previous step.
>
> Then I copied the file ~/.ssh/id_dsa to the system to be backed-up and
> renamed it there to /root/.ssh/backup.
>
> To check if everything works login on the system to be backed-up as root.
> Then type: ssh -i /root/.ssh/backup backup@<backupserver>.
> Now you should get a $-prompt on the backup server without being asked for
> a password.
>
> If this works you're up and running. To backup your system or directory,
> login on the machine to be backed-up as root or make an entry to the root
> crontab or etc..........
> Type:
> tar cvf - <backup_directory> | ssh -i /root/.ssh/backup
> backup@<backup_server> "dd of=<path_to_backup_dir>/<backupfile>.tar"
> and the process starts.
> A real life example would be:
> cd /home
> tar cvf - . | ssh -i /root/.ssh/backup backup@backup.server.com "dd
> of=homedir.tar"
>
> I haven't thought of any real security flaws in this process. Well another
> user having the private key could delete your backup file. But this can be
> prevented by moving it to a more secure place after the backup is finished.
>
> Because you use ssh it is even safe to do the backup over the insecure
> internet.
>
> Hope this is of help,
>
> Koos.
>
>
>
> At 08:57 20-02-2003 -0800, you wrote:
> >Toni Erdmann writes....
> > >
> > >
> > > ssh can be configured to run without passwords, just with secret keys
> > > and trusted host/users. But I haven't done this yet.
> >
> >Same here.
> >I still use the password, but want to set mine up
> >to use the keys (PGP I assume?), and such.
> >If anyone knows a good "How-To" on that, or wants to
> >start a new thread with instructions, inquiring minds,
> >want to know.
> >
> >(I'm totally lost on the whole PGP concept.)
> >
> >-- Jay Crews
> >jpc@jaycrews.com



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
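An audit script for the prerequisites this thread walks through (home directory not group- or world-writable, ~/.ssh mode 700, an authorized_keys file that actually holds public-key lines, and an identity file readable only by its owner), added here as an example; it is not code from either poster and assumes a POSIX sh with ls, cut and grep -E.

```shell
#!/bin/sh
# Added audit helper, not code from the thread: checks the conditions the thread
# lists for passwordless key login on the backup server plus the key files' mode.

# Symbolic mode of a path, e.g. "drwxr-xr-x", read from the same ls -ld output
# the thread uses, so it works on old systems without GNU stat.
mode_of() { ls -ld "$1" | cut -c1-10; }

# True when the mode string has 'w' in the group (6th) or other (9th) slot.
group_or_world_writable() {
    case "$1" in ?????w*|????????w?) return 0 ;; *) return 1 ;; esac
}

# Lines sshd accepts in authorized_keys: SSH2 "ssh-dss AAAA..." (an options
# list may precede it) or the SSH1 "bits exponent modulus" form.
PUBKEY_RE='(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+) AAAA|^[0-9]+ [0-9]+ [0-9]+'

# Returns 0 when the home directory given is ready for key login by its owner,
# 1 otherwise, printing one line per problem found.
check_key_login() {
    home=$1; sshdir=$home/.ssh; ak=$sshdir/authorized_keys; rc=0
    if group_or_world_writable "$(mode_of "$home")"; then
        echo "$home is group/world writable (sshd StrictModes rejects the key)"; rc=1
    fi
    [ "$(mode_of "$sshdir")" = "drwx------" ] ||
        { echo "$sshdir is not mode 700"; rc=1; }
    [ -f "$ak" ] || { echo "$ak is missing"; return 1; }
    if group_or_world_writable "$(mode_of "$ak")"; then
        echo "$ak is group/world writable"; rc=1
    fi
    # Only public keys (identity.pub, id_dsa.pub) belong here; a private key
    # copied in authenticates nobody and is exposed to anyone who can read it.
    if grep -q 'PRIVATE KEY' "$ak"; then
        echo "$ak holds private-key material instead of a public key"; rc=1
    elif ! grep -Eq "$PUBKEY_RE" "$ak"; then
        echo "$ak has no recognisable public-key line"; rc=1
    fi
    return $rc
}

# Client side: ssh ignores an identity file (the -i argument) that other users
# can read. Returns 0 when only the owner can read it.
check_identity_file() {
    case "$(mode_of "$1")" in -rw-------|-r--------) return 0 ;; *) return 1 ;; esac
}

# Usage: sh audit_key_login.sh /home/backup [/root/.ssh/backup]
if [ -n "$1" ]; then
    check_key_login "$1" && echo "$1: key login prerequisites look fine"
    [ -n "$2" ] && { check_identity_file "$2" || echo "$2: mode too open"; }
fi
```

Run it on the backup server as the backup user, e.g. `sh audit_key_login.sh /home/backup` (the script name is an assumption); a second argument checks the mode of the private key file the client passes with -i.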
