Hello, I'm trying to create tape archives of host A on a tapedrive on host B. More specifically, I'm trying to create a script to make this as simple as possible for my boss.
Unfortunately (for my configuration) it appears that the --rsh option only accepts a path to an executable. This contrasts with the --rsh option of the rsync command, which works successfully with my configuration. I believe my configuration/requirements to be fairly standard (by security wonks), and I want to request that the --rsh semantics be changed (or for advice on how I can do this with existing tar)...

About the configuration requirements:

1. The archive of host A needs to contain all the filesystem metadata (ownership, mode, symlinks) and needs to include private files (i.e. mode 0600).
2. Host B does not allow rsh connections, nor ssh connections to the root account. (We use sudo for almost all root-permission tasks.)
3. There's no need for the tape backup system to have any more access to host B other than allowing a login only from host A and having read/write access to the tape drive.

I've encountered a similar problem in creating a network snapshot tool (an extensive wrapper around rsync), but it was fairly easy to handle. I met the above requirements like this:

Requirement 1 requires the reading process (tar or rsync) to have root permission. (Any other approach?)

Requirement 2 requires the reading process to connect to B using ssh as a non-root user.

Requirement 3 requires the write process to be launched on B (for the snapshot tool this is root via sudo, for the tape backups it should just be a user with access to the tape drive).

For the snapshot tool, I create a "snapshot" user on B, which has a ~snapshot/.ssh/authorized_keys file which allows logins only from A. The /etc/sudoers file only allows the snapshot user to run the one command required for the snapshots (rsync). The secret ssh key on A has no password (because the snapshot tool is non-interactive). I convince rsync to meet all these goals by passing the option "--rsh='ssh -i ~snapshot/.ssh/snapshot_key_without_password.secret -u snapshot'".

When rsync runs I assume it appends whatever the remote command is to this option value. However, if I try this with GNU tar (v 1.14) it complains that no such executable is found. The GNU tar handling seems simpler and somehow "safer" to me, but less flexible. Is there a way to handle this configuration without resorting to demanding the reading versus writing process have the same user name on both hosts? (Short of changing the --rsh semantics to act like rsync...)

One solution would be to use a pipe through ssh, but I'm not sure what goes on the remote end. Something like: on host A, run "sudo tar -czf - /data | ssh [EMAIL PROTECTED] ???"...

Thanks for listening to my problem, and for any advice,

Nathan
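
An added example, not part of the original post and not GNU tar's own code: one way to fill in the remote end of the pipe while keeping requirement 3 is a forced-command wrapper for the tape account on host B, so the passwordless key can only stream an archive to the drive. The script name and path, account and host names, tape device and block size are all assumptions.

```shell
#!/bin/sh
# tape-write: forced-command wrapper for the tape account on host B.
# Hypothetical install path: /usr/local/bin/tape-write
#
# authorized_keys entry on B (constructed; key material elided):
#   from="hosta.example.org",restrict,command="/usr/local/bin/tape-write" ssh-ed25519 AAAA... backup@hosta
#
# Sender on A (root is needed only locally, to read mode-0600 files):
#   sudo tar -czf - /data | ssh -i /path/to/tape_key tape@hostb.example.org

TAPE_DEVICE="${TAPE_DEVICE:-/dev/nst0}"  # assumed no-rewind tape device
BLOCK_SIZE="${BLOCK_SIZE:-65536}"        # assumed tape block size in bytes

tape_write() {
    # sshd puts whatever the client asked to run in SSH_ORIGINAL_COMMAND.
    # This key is for streaming only, so any requested command is refused.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "tape-write: client-supplied command refused" >&2
        return 2
    fi
    # No interactive use: stdin must be the archive stream, not a terminal.
    if [ -t 0 ]; then
        echo "tape-write: expected an archive on stdin" >&2
        return 2
    fi
    # obs= (not bs=) makes dd regroup the short reads a pipe delivers into
    # full-size output blocks; only the final block may be shorter.
    dd of="$TAPE_DEVICE" obs="$BLOCK_SIZE"
}

# Run only when installed under its real name, so the file can be sourced.
case "${0##*/}" in
    tape-write) tape_write ;;
esac
```

The tape account needs only write permission on the device (for example through group membership); it needs no sudoers entry and no shell access beyond this wrapper.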
