HowTo BackupPC SSH Key Authentication Setup For rsync Transfer


Overview

This page provides a reference for how to set up SSH key-based authentication for BackupPC rsync file transfer backups with NST. Additional information can be found here: BackupPC SSH Setup.

NST BackupPC Client Setup Example For SSH Key-based Authentication

The steps shown below for SSH key-based authentication assume that the BackupPC user is set to: "backuppc" and the file transfer backup method is: "rsync". The configuration entries from the main BackupPC configuration file: "/etc/BackupPC/config.pl" are shown for these settings. Our NST BackupPC server has IPv4 Address: "10.222.3.44" and the NST BackupPC client has Host Name: "nst26-mp" and IPv4 Address: "10.222.3.107".

.
.
.
#
# The BackupPC user.
#
$Conf{BackupPCUser} = 'backuppc';
.
.
.
#
# What transport method to use to backup each host.  If you have
# a mixed set of WinXX and linux/unix hosts you will need to override
# this in the per-PC config.pl.
#
$Conf{XferMethod} = "rsync";
.
.
.

Step 1: Log In To The backuppc User Account

Since the backuppc user has no login capability, we will need to run the following for access to the backuppc user home directory: "/var/lib/BackupPC" as the backuppc user.

[root@nst-vm ~]# su - backuppc -s /bin/bash;
[backuppc@nst-vm ~]$ pwd;
/var/lib/BackupPC
[backuppc@nst-vm ~]$


Step 2: Generate The RSA Key Pair

Next we will generate an RSA public / private key pair in directory: "/var/lib/BackupPC/.ssh". Use an "empty" passphrase, since BackupPC runs its backups unattended and cannot enter one.

[backuppc@nst-vm ~]$ ssh-keygen -t rsa;
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/BackupPC/.ssh/id_rsa): 
Created directory '/var/lib/BackupPC/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/BackupPC/.ssh/id_rsa.
Your public key has been saved in /var/lib/BackupPC/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/+jTXY+lDGyAKkjitGZvfSweE8zE/ILpxt00OtaSNPs backuppc@nst26-mp
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|    o            |
|     +   .       |
|... * . . .      |
|oo.+ B =S  o     |
| =+ + % ..  +   o|
|o .+.%.o  .o + =.|
|  .o.o*o  .o. = .|
|  . ..oE .o..    |
+----[SHA256]-----+
[backuppc@nst-vm ~]$


Step 3: Add The BackupPC Client To The "known_hosts" File

We next create an entry for our NST BackupPC client: "nst26-mp (10.222.3.107)" in file: "/var/lib/BackupPC/.ssh/known_hosts" by logging in via SSH as user: "root" using password authentication.

[backuppc@nst-vm ~]$ ssh root@10.222.3.107;
The authenticity of host '10.222.3.107 (10.222.3.107)' can't be established.
ECDSA key fingerprint is SHA256:XeM2SD/wOoyZ+/vWTjcDCdNShmxnU3S8aBasJeDzTHU.
ECDSA key fingerprint is MD5:cb:f8:14:68:01:1a:cb:f5:b7:02:a4:14:cd:73:21:f5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.222.3.107' (ECDSA) to the list of known hosts.
root@10.222.3.107's password: 
Last login: Thu Sep 14 11:41:21 2017 from 10.222.3.44

===========================================
= Linux Network Security Toolkit (NST 26) =
===========================================

[backuppc@nst26-mp ~]# exit;
logout
Connection to 10.222.3.107 closed.
[backuppc@nst-vm ~]$

A file listing for directory: "/var/lib/BackupPC/.ssh" should now look similar to the content shown below. Both the "RSA" key pair and the "known_hosts" files have been generated.

[backuppc@nst-vm ~]$ ls -al /var/lib/BackupPC/.ssh;
total 12
drwx------ 2 backuppc backuppc   57 Sep 14 11:48 .
drwxr-x--- 6 backuppc root       74 Sep 14 10:24 ..
-rw------- 1 backuppc backuppc 1679 Sep 14 10:24 id_rsa
-rw-r--r-- 1 backuppc backuppc  399 Sep 14 10:24 id_rsa.pub
-rw-r--r-- 1 backuppc backuppc  176 Sep 14 11:48 known_hosts
[backuppc@nst-vm ~]$

Step 4: Install The Public RSA Key File On The BackupPC Client "authorized_keys" File

Finally, the authorized key file: "/root/.ssh/authorized_keys" for the "root" user on the NST BackupPC client (i.e., nst26-mp - 10.222.3.107) needs to include the backuppc user's RSA public key created in Step 2. One can log into the client and use an editor to include the key. Alternatively, one can use the following command sequence to install the public RSA key.

[backuppc@nst-vm ~]$ ssh root@10.222.3.107 install -m 700 -d .ssh;
root@10.222.3.107's password:
[backuppc@nst-vm ~]$ cat /var/lib/BackupPC/.ssh/id_rsa.pub | ssh root@10.222.3.107 tee -a .ssh/authorized_keys;
root@10.222.3.107's password:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRYn84CEJaX+5IBvAi793tsRRkjAkt6X2BeG+iX4PLMgIM7eTjUa3J955n+RuzeVVOcSro68nsiRCAEN7
3cH26/gqqZL0My9xVUH+138NMLbdCDO7vs3Ce+K4H8brdDVV32x4Y2YrSDYnhj5VX6xXp7dJcylZalHhRl8TFo2k70wG+VJ48yLB4QbqXmyM25CS6CAO//KXCG0mEM26mEXMaMwXmuTuLVqSoPn2adpdI+YRDe/7wBG60T3saAJtLX5EI6b4hAJKpALxdoJcE8x2IzgCFNQpg7HTBnjAkj1A7LZD9c9DxUgRu/fx
cLhgXfFn9vLCR5YHXUkExRdhe9Rqn backuppc@nst26-mp
[backuppc@nst-vm ~]$
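
The key installed in Step 4 lets the backuppc user log in to the client as root without a password. As an added example (not part of the original page or of BackupPC), the shell function below performs the Step 4 install on the client so that a rerun does not append a duplicate entry, and prefixes the key with the sshd "from=" and no-forwarding options so it is accepted only from the BackupPC server (10.222.3.44). The function name "install_backup_key", its arguments and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Run as root on the BackupPC client.
# install_backup_key (hypothetical name) PUBKEY_FILE AUTH_KEYS_FILE SERVER_IP
# appends the public key exactly once, restricted to connections from SERVER_IP.
install_backup_key() {
    pubkey_file=$1 auth_file=$2 server_ip=$3

    # Expect one line in OpenSSH public key format: "<type> <base64> [comment]".
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    [ "$(grep -c . "$pubkey_file")" -eq 1 ] || { echo "expected exactly one key" >&2; return 1; }
    read -r key_type key_blob key_comment < "$pubkey_file" || :
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unexpected key type: $key_type" >&2; return 1 ;;
    esac
    [ -n "$key_blob" ] || { echo "missing key data" >&2; return 1; }

    # With StrictModes (the sshd default) the key file is ignored if it or
    # its directory is writable by other users, so create both privately.
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir" || return 1
    [ -e "$auth_file" ] || ( umask 077; : > "$auth_file" ) || return 1
    chmod 600 "$auth_file" || return 1

    # Idempotent: "tee -a" would add a second copy on every rerun.
    if grep -qF -- "$key_blob" "$auth_file"; then
        echo "key already present in $auth_file" >&2
        return 0
    fi

    # authorized_keys options: accept this key only from the BackupPC server
    # and disable the features an rsync transfer does not need.
    opts="from=\"$server_ip\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding"
    printf '%s %s %s%s\n' "$opts" "$key_type" "$key_blob" \
        "${key_comment:+ $key_comment}" >> "$auth_file"
}

# Example invocation on the client, after copying id_rsa.pub over
# (install_key.sh is a hypothetical file name for this script):
#   sh install_key.sh /tmp/id_rsa.pub /root/.ssh/authorized_keys 10.222.3.44
if [ "$#" -eq 3 ]; then
    install_backup_key "$@"
fi
```

If the key is already present without the options, the function leaves the existing line untouched; edit that line by hand to add the "from=" prefix.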