From: Holger P. <wb...@pa...> - 2008-12-27 16:35:12
Hi,

Timothy Murphy wrote on 2008-12-27 12:19:48 +0000 [Re: [BackupPC-users] sshd on client?]:
> Nils Breunese (Lemonbit) wrote:
> >Timothy Murphy wrote:
> >> Sorry, /etc/BackupPC/config.pl is 2165 lines long.
> >> I've no intention of reading that.
> >> Life is too short.

so you'd rather spend your and our time discussing why your setup is not working? Well, thanks a lot. Life is too short to bother helping you then. Actually, reading documentation usually *saves* time when you're dealing with something more versatile than an oven knob.

> > If you're serious about doing backups, I recommend you really read
> > through the configuration. I read all of it and afterwards I
> > understood a lot more about how BackupPC works, what it's doing
> > exactly and what kind of things can be changed and tweaked.
>
> You are a guru.
> I am just a newbie user.

I would summarize differently: Nils wants to rely on his backups doing what they are supposed to, in the most efficient manner. You seem to want to do backups because someone said it's cool.

> I feel I am inundated with far too much information.
> My RAM is full.

I know the feeling. That makes you miss some things that would be important to you - not to get them for free, sadly.

> I want to learn the minimum necessary to play music on my laptop.
> run BackupPC, etc.

You don't *need* to do backups. If you feel it is necessary *for you*, you will need to invest as much time as it takes to get things up and running satisfactorily *for you*. Nobody is saying you need to do a full restore to see if things are working properly. Nobody is saying you need to keep an offsite image of your pool. Nobody is saying you must not use remote root access to obtain your backups. In fact, I'm saying I can't decide for you what you need to do *in your circumstances*. But, trust me, if there were a comprehensive tutorial like you are requesting other people should write for you, it would likely contain the above points. If you write a guide "for dummies", why not make them do things right, even if it means a lot of work for them? At least nobody will complain later on, that something went wrong.

> I don't want to tweak anything, unless that is essential.

Again: who defines "essential" and how does he define it?

For the archives: Nils and Les both correctly pointed out that you generate the ssh key *on the BackupPC server* and copy the *public part* to the authorized_keys file of the target user on the client host(s) you are backing up.

I would like to add (again) that using root as the target user means that anyone gaining access to your BackupPC server (as user backuppc) has full root access to your client hosts. This can easily be avoided by instead using a non-privileged user and setting up 'sudo' for the command necessary for making backups - if sudo is even needed (if the target user has read permission for everything you want to back up, it isn't). If you also enable *restores* this way, you are probably making it possible for a potential attacker to overwrite /etc/shadow, thus giving him full root access again.

You cannot prevent someone who has access to the server as backuppc user from reading (modifying, deleting) all the data in your backups, so protect your server well. In particular, do *not* put gratuitous passwordless ssh keys in ~backuppc/.ssh/authorized_keys on the BackupPC server - you do not need them; in fact this file does not even need to exist.

So, while the instructions posted twice by Timothy do not obviously break things, they also solve no problem and potentially cause a security problem (depending on your setup, of course).

Hope that helps.

Regards,
Holger
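
An added example, not part of the original message: a shell check that reports how a given account's authorized_keys file trusts the BackupPC server's public key, so the "root, no restrictions" case described above stands out. The key material, file names, the `backup` account and the forced-command path are constructed for illustration; the `command=` option is one OpenSSH way to restrict a key and is an assumption here, not something the message prescribes.

```shell
#!/bin/sh
# Added example, not from the original post: classify how one account trusts
# the BackupPC server's public key. All names and key data are constructed.

# key_blob PUBFILE: print the base64 blob of the key stored in a .pub file.
key_blob() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }' "$1"
}

# check_backup_key USER AUTHORIZED_KEYS PUBFILE
# Prints: absent | root-unrestricted | root-forced-command
#                | user-unrestricted | user-forced-command
check_backup_key() {
    user=$1 auth=$2 pub=$3
    blob=$(key_blob "$pub")
    [ -n "$blob" ] && [ -r "$auth" ] || { echo absent; return 0; }
    awk -v blob="$blob" -v user="$user" '
        /^[[:space:]]*#/ { next }              # skip comment lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i != blob) continue
                opts = ""                      # fields before the key type
                for (j = 1; j < i - 1; j++) opts = opts " " $j
                who = (user == "root") ? "root" : "user"
                how = (opts ~ /command="/) ? "forced-command" : "unrestricted"
                print who "-" how; found = 1; exit
            }
        }
        END { if (!found) print "absent" }
    ' "$auth"
}

# Constructed sample data: a fake public key and two client authorized_keys files.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
echo 'ssh-ed25519 AAAAC3ConstructedSampleKeyBlob backuppc@server' > "$demo/id.pub"
cp "$demo/id.pub" "$demo/root_keys"            # key accepted as root, no limits
echo "command=\"/usr/local/bin/backup-only\",no-pty $(cat "$demo/id.pub")" \
    > "$demo/bkp_keys"                         # hypothetical forced command

check_backup_key root     "$demo/root_keys" "$demo/id.pub"  # root-unrestricted
check_backup_key backup   "$demo/bkp_keys"  "$demo/id.pub"  # user-forced-command
# On the server itself ~backuppc/.ssh/authorized_keys need not exist at all:
check_backup_key backuppc "$demo/missing"   "$demo/id.pub"  # absent
```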