[BackupPC-users] Setup of rsync via SSH with unprivileged user 'backuppc'

[Angus K. <an...@tr...>]

Hi

I really struggled to get this working. I thought it might be a good 
idea to update the section.

I've edited the ssh section to tailor it specifically to cater for an 
unprivileged user 'backuppc'

I've included it below, it may be useful to some and hopefully it could 
be incorporated in the documentation to make it easier for users to set 
this up in future.

The text follows below:

*Rsync via OpenSSH using non-privileged user 'backuppc'*

Depending upon your OpenSSH installation, many of these steps can be 
replaced by running the scripts |ssh-user-config| and |ssh-host-config| 
included with OpenSSH. You still need to manually exchange the public keys.

*BackupPC Server key generatio***n***(Do this only once)*
    As the BackupPC user (__BACKUPPCUSER__), create a public ssh key on
    the server.

     ssh-keygen -t rsa

    As a password, you would type nothing (just enter) if you wish
    BackupPC to start automatically.
    This will save the public key in |~/.ssh/id_rsa.pub| and the private
    key in |~/.ssh/id_rsa|, (the home folder of backuppc) if you don't
    specify another location. 

Make a copy of the public key to avoid confusing it with the client keys 
on the client machines (see later) to make it recognizable, eg:


     cp ~/.ssh/id_rsa.pub ~/.ssh/BackupPC_id_rsa.pub

    *See the |ssh| and |sshd| manual pages for extra configuration
    information.*

*Client Non-privileged user Backuppc creation (Do this on each client PC)*

As root on the client machine, create a user called 'backuppc'

                 useradd backuppc

As root, now make a home directory for backuppc

                 mkdir /home/backuppc

As root, make a directory for backuppc's ssh configuration

                 mkdir /home/backuppc/.ssh

As root use visudo to create a sudoers file for backuppc, but with 
permissions only to run rsync.

                 visudo -f /etc/sudoers.d/backuppc

Copy the following text in the file and save it

                 #Sudoers file for backuppc user to run rsync

                 backuppc ALL=NOPASSWD: /usr/bin/rsync

*Client Key generation **(Do this on each Client PC)*
    As root on the client machine, use |ssh-keygen| to generate a
    public/private key pair:

    ssh-keygen -t rsa

    This will save the public key in |~/.ssh/id_rsa.pub| and the private
    key in |~/.ssh/id_rsa|, if you don't specify another location. As a
    password, you would type nothing (just enter) if you wish BackupPC
    to start automatically.

Make a copy of the public key to avoid confusing it with other client 
keys on the backuppc server to make it recognizable, eg:


     cp ~/.ssh/id_rsa.pub ~/.ssh/Fred-pc_id_rsa.pub (if the machine name is Fred-pc)

    Name each public key on each client uniquely, so that they are not
    confused with other client's keys when copied onto the server.


*Key exchange*
    *On Each Client:*
    To allow BackupPC to ssh to the client as the non-privileged user
    backuppc, you need to place the server BackupPC's public key into
    the backuppc user's authorized list on the client. As root, append
    BackupPC's public key (|BackupPC_id_rsa.pub|) to backuppc's
    |/home/backuppc||/.ssh/authorized_keys2| file on the client:

     touch /home/backuppc/.ssh/authorized_keys2
     cat BackupPC_id_rsa.pub >> /home/backuppc/authorized_keys2

    You should edit |/home/backuppc/.ssh/authorized_keys2| and add
    further specifiers, eg: from, to limit which hosts can login using
    this key. For example, if your BackupPC host is called
    |backuppc.my.com|, there should be one line in
    |~/.ssh/authorized_keys2| that looks like:

     from="backuppc.my.com" ssh-rsa [base64 key, eg: ABwBCEAIIALyoqa8....]

    *On BackupPC Server*
    You need to place each client's public key into backuppc's
    |~/.ssh/known_hosts| file, otherwise you will get a

     Host key verification failed.

    error, and backuppc will not be able to log into the client. To
    place the client key into the |~/.ssh/known_hosts| file, you need to
    do this (make sure |~/.ssh/client_id_rsa.pub| is the client's public
    key, which needs to be copied from the client):
    As user backuppc

     touch ~/.ssh/known_hosts
     cat ~/.ssh/Fred-pc_rsa.pub >> ~/.ssh/known_hosts

    Repeat this step to add each client's key i.e. Mary-pc_rsa.pub and
    whatever the other keys are named.
*Fix permissions*
    You will probably need to make sure that all the files in |~/.ssh|
    have no group or other read/write permission:

     chmod -R go-rwx ~/.ssh

    You should do the same thing for the BackupPC user on the server.
*Testing*
    As the BackupPC user on the server, verify that this command:

     ssh -l backuppc clientHostName whoami

    prints

     backuppc

    You might be prompted the first time to accept the client's host key
    and you might be prompted for backuppc's password on the client.
    Make sure that this command runs cleanly with no prompts after the
    first time. You might need to check |/etc/hosts.equiv| on the
    client. Look at the man pages for more information. The |-v| option
    to ssh is a good way to get detailed information about what fails.

The above configuration means that the only command that backuppc can 
run is rsync.

You will have to set the RsyncClientCmd to be something like:

     $Conf{RsyncClientCmd}  <http://backuppc.sourceforge.net/faq/BackupPC.html#item__conf_rsyncclientcmd_>  = '$sshPath -l backuppc $host nice -n 19 sudo $rsyncPath $argList+';

In this case the backup is niced so that it doesn't give such a 
performance hit on the client. The same setup works for tar.


Cheers
Angus