HowTo BackupPC SSH Key Authentication Setup For rsync Transfer

Revision as of 08:41, 15 September 2017 by Rwh (talk | contribs)

Overview

This page provides a reference for how to set up SSH key-based authentication for BackupPC rsync file transfer backups with NST. Additional information can be found here: BackupPC SSH Setup.

NST BackupPC Client Setup Example For SSH Key-based Authentication

The steps shown below for SSH key-based authentication assume that the BackupPC user is set to: "backuppc" and the file transfer backup method is: "rsync". The configuration entries from the main BackupPC configuration file: "/etc/BackupPC/config.pl" are shown for these settings. The NST BackupPC server has an IPv4 Address: "10.222.3.44" and the NST BackupPC client has Host Name: "nst26-mp" and IPv4 Address: "10.222.3.107".

.
.
.
#
# The BackupPC user.
#
$Conf{BackupPCUser} = 'backuppc';
.
.
.
#
# What transport method to use to backup each host.  If you have
# a mixed set of WinXX and linux/unix hosts you will need to override
# this in the per-PC config.pl.
#
$Conf{XferMethod} = "rsync";
.
.
.

Step 1: Log In To The backuppc User Account

Since the backuppc user has no login capability, we will need to run the following to get a shell as the backuppc user in its home directory: "/var/lib/BackupPC".

[root@nst-vm ~]# su - backuppc -s /bin/bash;
[backuppc@nst-vm ~]$ pwd;
/var/lib/BackupPC
[backuppc@nst-vm ~]$


Step 2: Generate The RSA Key Pair

Next we will generate an RSA public / private key pair in directory: "/var/lib/BackupPC/.ssh". Use an "empty" passphrase.

[backuppc@nst-vm ~]$ ssh-keygen -t rsa;
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/BackupPC/.ssh/id_rsa): 
Created directory '/var/lib/BackupPC/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/BackupPC/.ssh/id_rsa.
Your public key has been saved in /var/lib/BackupPC/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/+jTXY+lDGyAKkjitGZvfSweE8zE/ILpxt00OtaSNPs backuppc@nst26-mp
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|    o            |
|     +   .       |
|... * . . .      |
|oo.+ B =S  o     |
| =+ + % ..  +   o|
|o .+.%.o  .o + =.|
|  .o.o*o  .o. = .|
|  . ..oE .o..    |
+----[SHA256]-----+
[backuppc@nst-vm ~]$


Step 3: Add The BackupPC Client To The "known_hosts" File

We will next create an entry for our NST BackupPC client: "nst26-mp (10.222.3.107)" in file: "/var/lib/BackupPC/.ssh/known_hosts" by logging in via SSH as user: "root" using password authentication.

[backuppc@nst-vm ~]$ ssh root@10.222.3.107;
The authenticity of host '10.222.3.107 (10.222.3.107)' can't be established.
ECDSA key fingerprint is SHA256:XeM2SD/wOoyZ+/vWTjcDCdNShmxnU3S8aBasJeDzTHU.
ECDSA key fingerprint is MD5:cb:f8:14:68:01:1a:cb:f5:b7:02:a4:14:cd:73:21:f5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.222.3.107' (ECDSA) to the list of known hosts.
root@10.222.3.107's password: 
Last login: Thu Sep 14 11:41:21 2017 from 10.222.3.44

===========================================
= Linux Network Security Toolkit (NST 26) =
===========================================

[root@nst26-mp ~]# exit;
logout
Connection to 10.222.3.44 closed.
[backuppc@nst-vm ~]$

A file listing for directory: "/var/lib/BackupPC/.ssh" should now look similar to the content shown below. Both the "RSA" key pair and the "known_hosts" file have been generated.

[backuppc@nst-vm ~]$ ls -al /var/lib/BackupPC/.ssh;
total 12
drwx------ 2 backuppc backuppc   57 Sep 14 11:48 .
drwxr-x--- 6 backuppc root       74 Sep 14 10:24 ..
-rw------- 1 backuppc backuppc 1679 Sep 14 10:24 id_rsa
-rw-r--r-- 1 backuppc backuppc  399 Sep 14 10:24 id_rsa.pub
-rw-r--r-- 1 backuppc backuppc  176 Sep 14 11:48 known_hosts
[backuppc@nst-vm ~]$

 

Step 4: Install The Public RSA Key File On The BackupPC Client "authorized_keys" File

Finally, the authorized key file: "/root/.ssh/authorized_keys" for the "root" user on the NST BackupPC client (i.e., nst26-mp - 10.222.3.107) needs to include the backuppc user's RSA public key file created in Step 2. One can log into the client and use an editor to include the key. Alternatively, one can use the following command sequence to install the public RSA key.

[backuppc@nst-vm ~]$ ssh root@10.222.3.107 install -m 700 -d .ssh;
root@10.222.3.107's password:
[backuppc@nst-vm ~]$ cat /var/lib/BackupPC/.ssh/id_rsa.pub | ssh root@10.222.3.107 tee -a .ssh/authorized_keys;
root@10.222.3.107's password:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRYn84CEJaX+5IBvAi793tsRRkjAkt6X2BeG+iX4PLMgIM7eTjUa3J955n+RuzeVVOcSro68nsiRCAEN7
3cH26/gqqZL0My9xVUH+138NMLbdCDO7vs3Ce+K4H8brdDVV32x4Y2YrSDYnhj5VX6xXp7dJcylZalHhRl8TFo2k70wG+VJ48yLB4QbqXmyM25CS6CAO//K
XCG0mEM26mEXMaMwXmuTuLVqSoPn2adpdI+YRDe/7wBG60T3saAJtLX5EI6b4hAJKpALxdoJcE8x2IzgCFNQpg7HTBnjAkj1A7LZD9c9DxUgRu/fxcLhgXf
Fn9vLCR5YHXUkExRdhe9Rqn backuppc@nst26-mp
[backuppc@nst-vm ~]$
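
Because the key from Step 2 has no passphrase and is accepted for the "root" user, the "authorized_keys" entry can be limited to the BackupPC server's address: "10.222.3.44". The following is an added example, not part of the original NST procedure: it builds the entry with the standard OpenSSH "from=" and no-forwarding options and appends it only if the key is not already present. The function names and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NST wiki). Function names are hypothetical;
# from= and the no-*-forwarding options are standard authorized_keys options.

# Print a restricted authorized_keys entry.
#   $1 = address allowed to use the key (the BackupPC server)
#   $2 = one public key line: "<type> <base64> [comment]"
restricted_entry() (
    src=$1 line=$2
    # Only address characters, so nothing can break out of the from="..." quotes.
    case $src in ''|*[!0-9A-Fa-f.:/]*) echo "bad source address" >&2; exit 1 ;; esac
    keytype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case $rest in *' '*) comment=" ${rest#* }" ;; *) comment= ;; esac
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unexpected key type" >&2; exit 1 ;;
    esac
    # The key body must be base64 only.
    case $blob in ''|*[!A-Za-z0-9+/=]*) echo "malformed key body" >&2; exit 1 ;; esac
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s%s\n' \
        "$src" "$keytype" "$blob" "$comment"
)

# Append the entry unless the same key body is already in the file.
#   $1 = authorized_keys path, $2 = source address, $3 = public key line
install_restricted_key() (
    file=$1
    entry=$(restricted_entry "$2" "$3") || exit 1
    rest=${3#* }
    blob=${rest%% *}
    install -m 700 -d "$(dirname "$file")"
    touch "$file" && chmod 600 "$file"
    # Compare whole fields so a duplicate is detected whatever options precede it.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$file"
    then
        exit 0
    fi
    printf '%s\n' "$entry" >>"$file"
)

# Constructed sample key line (not a real key and not the key shown on this page).
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedSAMPLEkeyBODY backuppc@nst-vm'
```

If the unrestricted line from the "tee -a" command above is already in "authorized_keys", the function sees the key as installed and leaves the file unchanged, so that line has to be removed first.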


Step 5: Test The SSH Key-based Authentication

One should now have completed the SSH key-based authentication setup. If done correctly, one should now be able to log into the NST BackupPC client from the "backuppc" user account as the "root" user. There should be no prompt for the "root" password.

[backuppc@nst-vm ~]$ ssh root@10.222.3.107;
Last login: Thu Sep 14 12:22:25 2017 from 10.222.3.44

===========================================
= Linux Network Security Toolkit (NST 26) =
===========================================

[root@nst26-mp ~]# exit;
logout
Connection to 10.222.3.44 closed.
[backuppc@nst-vm ~]$

If successful, using the BackupPC application with transfer method: "rsync" to NST BackupPC client: "nst26-mp - 10.222.3.107" should work properly.

BackupPC Host File Configuration

The following entry can be used in the BackupPC hosts file: "/etc/BackupPC/hosts" for backing up the NST BackupPC client that was demonstrated in this example.

#
# The first non-comment non-empty line gives the field names and should
# not be edited!!
#
host        dhcp    user    moreUsers     # <--- do not edit this line
#farside    0       craig   jill,jeff     # <--- example static IP host entry
#larson     1       bill                  # <--- example DHCP host entry
10.222.3.107 0 root