Hi, Ken

1- You must replace <backuppc-server name> with your server IP or name in
Host_Alias      LOCAL = <backuppc-server name>
something like
Host_Alias      LOCAL = 192.168.1.101

> root  <<--- Is this correct for the visudo method?
This is correct for the ssh command (ssh -l root 192.168.1.101).
Visudo (the sudoers file) only cares about what users can do when running (or
trying to run) the commands su or sudo. It has nothing to do with connecting to
the machine.

2- Required: You must be able to ssh between the backuppc users on
both machines.

From the server you should be able to run
$ su - backuppc
$ ssh backu...@192.168.1.106
With the second command *you should be able to* connect to the client
without any request for a password or passphrase.

3- Last, you'll have to change your ClientCmd's to something like:

on 192.168.1.101 (tar method)
$Conf{TarClientCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -c -v -f - -C $shareName --totals';
$Conf{TarClientRestoreCmd} = '/usr/bin/env LC_ALL=C sudo /bin/tar -x -v -f - -C $shareName --totals';

on 192.168.1.106 (rsync method)
$Conf{RsyncClientCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';
$Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l backuppc $host /usr/bin/sudo $rsyncPath $argList+';

Again, visudo comes in here only to allow the backuppc user on the client to
run only the command /usr/bin/rsync --server --sender *, without a password,
as root (that is, only that and nothing else as root without the need for the
root password),
and to allow the backuppc user on the server the same, but for /bin/tar -c * only.

Try, for instance, sudo ls.  --> Sorry, user backuppc is not allowed to
execute '/bin/ls' as root on ...

To allow the restore command you have to extend the visudo permissions, which
may be a security risk, as stated in
http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided

Regards
Luis
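
A check for the sudoers scoping described in this reply, added here as an example and not part of the original message: it lists the NOPASSWD commands currently active for the backuppc user and labels each as backup-only or restore-capable, so a restore rule left enabled after a restore is visible. The function names are hypothetical and the sample input is constructed from the client sudoers lines in this thread.

```shell
#!/bin/sh
# Added example: audit which root commands sudoers grants the backup account.

# Classify one sudoers command spec (patterns follow the rules in this thread).
classify_rule() {
    case "$1" in
        "/usr/bin/rsync --server --sender "*|"/bin/tar -c "*) echo backup-only ;;
        "/usr/bin/rsync --server "*|"/bin/tar -x "*)          echo restore-capable ;;
        ALL)                                                  echo unrestricted ;;
        *)                                                    echo unexpected ;;
    esac
}

# Read sudoers text on stdin; print "class<TAB>command" for each active
# (uncommented) NOPASSWD command granted to user $1.
# Assumption: no escaped commas inside a command spec.
audit_sudoers() {
    grep -E "^[[:space:]]*$1[[:space:]]+[^=]+=.*NOPASSWD:" |
    sed -E 's/^[^:]*NOPASSWD:[[:space:]]*//' |
    tr ',' '\n' |
    while IFS= read -r cmd; do
        cmd=$(printf '%s' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
        if [ -n "$cmd" ]; then
            printf '%s\t%s\n' "$(classify_rule "$cmd")" "$cmd"
        fi
    done
}

# Succeed (exit 0) when anything beyond backup-only is currently granted.
restore_left_enabled() {
    audit_sudoers "$1" | grep -qv '^backup-only'
}

# Constructed sample: the two backuppc lines from the client sudoers in this thread.
sample_client_sudoers() {
    cat <<'EOF'
# backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
EOF
}

sample_client_sudoers | audit_sudoers backuppc
```

On a real host the same functions can read the output of `visudo -c`-validated files, for example `audit_sudoers backuppc < /etc/sudoers` run as root.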

On Sun, Mar 14, 2010 at 10:41 PM, Kenneth L. Owen <tx836...@bellsouth.net> wrote:

> Hi Luis (and others),
>
> I've taken a little time to study the visudo approach to running
> BackupPC instead of using phrase-less keys for root logon at the client
> machine.  This is a much lower risk, indeed.
>
> On Ubuntu, Vim is the default editor for visudo with Vim-tiny included
> in the distribution.  When I tried to use Vim-tiny, I got some strange
> results!  I closed the session without save and upgraded to Vim-full.
> The full version editor worked like it should.
>
> I edited the sudoers file on the backuppc_server as follows:
> # --------------backuppc-server machine sudoers -------------
> # /etc/sudoers
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> # See the man page for details on how to write a sudoers file.
> #
>
> Defaults        env_reset
>
> # Uncomment to allow members of group sudo to not need a password
> # %sudo ALL=NOPASSWD: ALL
>
> # Host alias specification
> Host_Alias      LOCAL = <backuppc-server name>
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
> root    ALL=(ALL) ALL
>
> # Uncomment the first line and comment the second
> # to RESTORE client.  Switch them back after restore.
> # backuppc LOCAL=NOPASSWD: /bin/tar -c *, /bin/tar -x *
> backuppc LOCAL=NOPASSWD: /bin/tar -c *
>
> # Members of the admin group may gain root privileges
> %admin ALL=(ALL) ALL
> # ----------------- end backuppc-server sudoers --------------
>
> I ran a backup (tar method) on the server's home directory just to check
> that the server and backuppc were communicating.  It ran fine.
>
> Next, I edited the sudoers file on the client machine as follows:
> -------------- client machine sudoers ------------------------
> # /etc/sudoers
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> # See the man page for details on how to write a sudoers file.
> #
>
> Defaults        env_reset
>
> # Uncomment to allow members of group sudo to not need a password
> # %sudo ALL=NOPASSWD: ALL
>
> # Host alias specification
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
> root    ALL=(ALL) ALL
>
> # Uncomment the first line and comment the second
> # to RESTORE client.  Switch them back after restore.
> # backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
> backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
>
> # Members of the admin group may gain root privileges
> %admin ALL=(ALL) ALL
> ----------- end client sudoers ------------------------------
>
> Then, I created my ssh keys for the rsync transfer between the
> backuppc-server and the client machines.  If I understand things
> correctly, I create two sets of keys similar to the root logon method
> except that, for this method, the BackupPC key is phrase-less like
> before, but the root key from the client machine can have a strong
> password.  The key generation seemed to go well with no errors.
>
> When I ran the command
> ssh -l root 192.168.1.101 whoami
> the response was:
> root  <<--- Is this correct for the visudo method?
>
> When I tried to run a full backup on the client I got the "failed to
> read 4 bytes" error message indicating that the keys are bad or missing
> or that I didn't do something else right.
>
> Anyone see where I botched the switch over?  -- ken
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki:    http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
>