From: Les M. <le...@fu...> - 2008-12-27 23:05:13
Timothy Murphy wrote:
>
>>> This seems to me rather important.
>>> Are you saying that my setup is wrong?
>> Yes, although it wouldn't work if you didn't also do it right. You can
>> have as many different keypairs as you like.
>
> I'm not sure what you are saying.

I'm saying that making keypairs on the client won't break anything, but they also aren't going to allow backuppc to work.

> I tried the instructions I gave on a laptop which hadn't been used
> with BackupPC, and they seem to work,
> ie after running them I can backup a directory on the client OK.
> I didn't give any other relevant instructions on client or server.

Backuppc isn't really relevant as it just uses the ssh setup in the way you can run any command. You should only be able to execute a remote command (any command) without a password if you have put the public part of a keypair in the home directory of the user where sshd will be accepting the command and the matching private part is stored under the account where the ssh command is issued.

>>> I find your account with "originator" and "target" difficult to follow,
>>> like most of the BackupPC documentation and tutorials.
>> There are two machines involved. The command originates where the ssh
>> command is executed - in this case the backuppc server. The account
>> originating the command must have read access to the private part of the
>> key pair - in this case the backuppc user.
>
> My humble suggestion is that you consider using the terms
> "BackupPC server" and "BackupPC client", which to my mind are unambiguous.

You don't seem to get the point that ssh can run any command, starting as any user and running as any user on another machine, but for the case you want to use today, the private key part has to be on the backuppc server and the public one on the client.

> I find when reading documentation on applications involving
> more than one computer
> that I often do not know which computer the author is referring to.

The machines generally treat each other equally - you could run commands either or both ways with appropriate key setup.

>> No other account or machine
>> should be able to read or have a copy of the private part of the key.
>> Therefore, the key pair should have been created by running ssh-keygen
>> as the backuppc user on the backuppc server. The remote side or target
>> is the one accepting the command via sshd, in this case the client of
>> backuppc. As sshd accepts the connection, it will look for the public
>> part of the key under .ssh in the home directory of the user you
>> specified for the connection, in this case root. Sshd will use the
>> public key it finds there to verify the identity of the connecting user
>> by asking it to do something only possible if the connecting user has
>> read access to the private part of the key. Therefore the relevant
>> public key (made as the backuppc user on the backuppc server) needs to
>> be in root's home directory on the clients, appended to
>> .ssh/authorized_keys or .ssh/authorized_keys2. Again, this doesn't
>> have much to do with backuppc. It is the way ssh works with any remote
>> command.
>
> Is it not possible that running "ssh -l root <client>" on the server
> actually sets up the connection appropriately for BackupPC?

No, it should ask for a password if it doesn't find matching keys.

--
Les Mikesell
les...@gm...
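
The key placement described in the message above, as an added example that is not part of the original post: a sandboxed check that the backuppc user's public key is listed in root's authorized_keys on the client and that the private key is readable only by its owner. The directory layout, the id_rsa file names, the helper function names and all key strings are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example; every path and key string below is constructed for the demo.

# Succeeds if the key blob in public key file $1 is listed in the
# authorized_keys file $2 (leading options on a line are allowed).
key_is_authorized() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] || return 2
    awk -v want="$blob" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }
    ' "$2"
}

# Succeeds if private key file $1 grants nothing to group or other.
private_key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Sandbox standing in for the two machines.
demo=$(mktemp -d)
server_ssh="$demo/backuppc-server/home/backuppc/.ssh"   # originating account
client_ssh="$demo/client/root/.ssh"                     # target account
mkdir -p "$server_ssh" "$client_ssh"

# Constructed stand-ins for what ssh-keygen would write on the server.
echo "CONSTRUCTED-PRIVATE-KEY" > "$server_ssh/id_rsa"
chmod 600 "$server_ssh/id_rsa"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedBACKUPPCKEY backuppc@server" \
    > "$server_ssh/id_rsa.pub"

# The client already trusts some unrelated key (also constructed).
echo "ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedOTHERKEY admin@laptop" \
    > "$client_ssh/authorized_keys"

report() {
    if key_is_authorized "$server_ssh/id_rsa.pub" "$client_ssh/authorized_keys"
    then echo "$1: key listed for root, no password prompt expected"
    else echo "$1: key not listed, ssh will ask for a password"
    fi
}

report "before append"
cat "$server_ssh/id_rsa.pub" >> "$client_ssh/authorized_keys"   # the append step
report "after append"
private_key_is_private "$server_ssh/id_rsa" && echo "private key is owner-only"
```

On real machines the same two functions can be pointed at the backuppc user's actual key files on the server and at a copy of root's authorized_keys from the client.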