Kenneth L. Owen wrote:
> Hello Rob,
>
> Thanks for taking the time to look at this and reply. I am learning, but
> still have a ways to go before I can serve at your capacity!
>
> I read over your reply and have a few added pieces and some questions: (All
> of this was the same when I successfully created the keys before the crash.)
>
> 1. Before I started setting up pass-phraseless keys for BackupPC, I had
> already created ssh keys that would allow me to log in remotely between the
> two Linux workstations as normal user 'ken'. Root logon is not allowed.
> Once I logon, I can su to 'root', if needed. The keys that allow this exist
> on both machines in /home/ken/.ssh/known_hosts. This is working fine just
> like it was the first time I created the backuppc keys.
> 2. This is a rebuild of a previously working system. This is the exact
> same sequence (as best as I can determine) of the first time I set up these
> keys. I took my directions, both times, step by step from
> http://www.howtoforge.com/linux_backuppc_p4
> 3. I also have httpd set up for secure connections between the two Linux
> workstations (https:). I can log into BackupPC GUI as 'ken' on "Archiver",
> but cannot log in to BackupPC from "WinServer" as 'ken', nor could I do so
> before when everything else was working. It may be that I am not doing it
> correctly. In both cases, I enter "https://Archiver/BackupPC/ <enter>" into
> my browser's url space.

Sounds like your webserver is denying access to any machine but
localhost. I can't tell you exactly how to fix this, but look through
your config files for "localhost" or "127.0.0.1". Check
/etc/backuppc/apache.conf

> 4. Your first comment "[EMAIL PROTECTED] does not need a keypair
> unless..." may be correct, but it was set up this way the first time and it
> caused no problem.

It wouldn't cause a problem. I just wanted to let you know so you don't
go searching for your solution in that step.

> 5. Your second comment "FYI, you do not need to conceal fingerprints"
> is well taken. I was not trying to conceal so much as cut down on unneeded
> data and typing.

Understood.

> 6. Your third comment was "This whole section is not needed for
> BackupPC. What you've done here is allowed [EMAIL PROTECTED] to log in as
> [EMAIL PROTECTED], and I don't think that's what you meant to do."
> I take it that I don't need to send (scp) the key id_rsa.pub to Archiver
> for BackupPC to be able to access WinServer. But I don't understand that
> root would be logging in as 'backuppc' user!!

If [EMAIL PROTECTED] creates a keypair, and puts the public key in
/var/lib/BackupPC/.ssh/authorized_keys on 192.168.1.106 (I think that's
what you did), then you're allowing [EMAIL PROTECTED] to log in using
public key authentication to 192.168.1.106 as user backuppc. This is
because you put the key in user backuppc's authorized_keys file. (the
backuppc user's home directory is /var/lib/BackupPC)

> 7. The fourth comment is where I have the most trouble following you.
> "Yes, because it is the fingerprint of the server (it is not user-specific).
> FYI, the RSA key it is referencing is in /etc/ssh/ (it's probably called
> ssh_host_rsa_key.pub).
>
> The first time you were asked this question, you were scp'ing as root. Now
> you are ssh'ing as a different user. That is why you're being asked the
> question again. Each user gets the opportunity to accept or reject the
> validity of a server's public key (by verifying that the fingerprint is
> correct). This information is recorded in the user's ~/.ssh/known_hosts
> file."
>
> I checked /etc/ssh/ and do have both ssh_host_rsa_key.pub and
> ssh_host_dsa_key.pub.
>
> In step 1, the fingerprint was 'fe:a0:.:7b:9e' but that is the key
> generation on WinServer that you said was not needed. My mistake in
> referencing this. The only keys I am aware of on Archiver for this process
> of creating keys exist at /var/lib/BackupPC/.ssh and should be the keys used
> by backuppc user.
>
> When I did the scp of the Archiver key to WinServer, I was working as
> 'backuppc', not 'root'. When I was testing at the end, I was 'backuppc'
> requesting logon to WinServer with 'root' authority, as I understand it. The
> last time I set up the keys, I did not get the 'password' prompt, but just
> got a reply of 'root' from WinServer. (Actual transcript below.)
>
> [EMAIL PROTECTED] ~]$ su -
> Password:
> [EMAIL PROTECTED] ~]# su -s /bin/bash - backuppc
> -bash-3.2$ ssh -l root WinServer whoami
> root
> -bash-3.2$
>

OK, I got a little lost in your original email I guess. This might help
a little:

There are 2 sets of keys in use here. One set is the server's keys.
The system creates these keys when the ssh server is installed. These
identify the server and this is what is referenced when you get the
message "authenticity of host cannot be established...". That message
provides you with the fingerprint of the public key for the server, and
it is up to you to verify it. Note that each user who connects to that
server for the first time will get that message.

The other set of keys is the user's key pair. These are created with
the ssh-keygen command, and they are used for authentication purposes
(in place of password authentication). If a user places his public key
in the ~/.ssh/authorized_keys file on another machine, that gives him
the ability to log into that other machine as that particular user
(whichever user's home directory he put the keys in).
So I could put my public key in /home/rob/.ssh/authorized_keys and in
/var/lib/backuppc/.ssh/authorized_keys and in /root/.ssh/authorized_keys
and that would allow me to log in as "rob", "backuppc", and "root" on
that server.

> Does it matter if the BackupPC service is running? I think it was stopped
> when I created the keys this time.
>

No, that doesn't matter.

So what's the problem you're having again? The only error message I see
is "ABORTED DUE TO FAILURE", but that's because you hit ctrl-c when
asked if you were sure you wanted to connect.

-Rob

> -----Original Message-----
> From: Rob Owens [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 03, 2008 10:30 AM
> To: General list for user discussion,questions and support
> Subject: Re: [BackupPC-users] I broke perfection ...
>
> Kenneth L. Owen wrote:
>> Back in October, I was a Linux newbie struggling to get BackupPC to work
>> and was successful in a very short time with the great support I got
>> here (Ref: Almost Working). Since then, I've monitored the system
>
> >>>>> Deleted text <<<<
>
> Yes, because it is the fingerprint of the server (it is not
> user-specific). FYI, the RSA key it is referencing is in /etc/ssh/
> (it's probably called ssh_host_rsa_key.pub).
>
> The first time you were asked this question, you were scp'ing as root.
> Now you are ssh'ing as a different user. That is why you're being asked
> the question again. Each user gets the opportunity to accept or reject
> the validity of a server's public key (by verifying that the fingerprint
> is correct). This information is recorded in the user's
> ~/.ssh/known_hosts file.
>
> -Rob
>
>> Are you sure you want to continue connecting (yes/no)? ^C <<<===
>> ABORTED DUE TO FAILURE
>>
>> -bash-3.2$
>>
>
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net
> List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki: http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
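
The reply's point that a public key grants login as whichever account's authorized_keys file holds it, shown as an added example that is not part of the original thread: the script inverts a set of authorized_keys files into "which key can log in as which account". The account names, key material and comments are constructed, and the option parsing is simplified (options must not contain spaces).

```python
import base64
import hashlib
import struct
from collections import defaultdict

def make_blob(key_type, material):
    """Constructed stand-in for a public-key blob (not a usable key)."""
    parts = [key_type.encode(), material]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()

def md5_fingerprint(b64_blob):
    """Colon-separated MD5 of the decoded blob, the style quoted in the thread."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) per key line; blanks and comments skipped."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Leading options (e.g. no-pty) come before the key type field.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-")):
                yield field, fields[i + 1], " ".join(fields[i + 2:])
                break

def who_can_log_in_as(files):
    """Map key fingerprint -> accounts whose authorized_keys lists that key."""
    access = defaultdict(set)
    for account, text in files.items():
        for _type, blob, _comment in parse_authorized_keys(text):
            access[md5_fingerprint(blob)].add(account)
    return dict(access)

# Constructed sample: account name -> contents of that account's authorized_keys.
ROB_KEY = make_blob("ssh-rsa", b"constructed-rob-key")
BACKUPPC_KEY = make_blob("ssh-rsa", b"constructed-backuppc-key")
SAMPLE = {
    "rob": f"ssh-rsa {ROB_KEY} rob@example\n",
    "backuppc": f"# constructed file\nssh-rsa {ROB_KEY} rob@example\n",
    "root": f"ssh-rsa {ROB_KEY} rob@example\n"
            f"no-pty ssh-rsa {BACKUPPC_KEY} backuppc@example\n",
}

if __name__ == "__main__":
    for fingerprint, accounts in who_can_log_in_as(SAMPLE).items():
        print(fingerprint, "->", ", ".join(sorted(accounts)))
```

Host keys under /etc/ssh/ and the per-user known_hosts entries are a separate matter and do not appear in this mapping; they identify the server, not who may log in.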