Re: [BackupPC-users] ssh and Mac 10.12 Sierra
Hi, Adam Goryachev wrote on 2016-11-30 09:03:01 +1100 [Re: [BackupPC-users] ssh and Mac 10.12 Sierra]: > [...] > > After permitting root log in the sshd_config file, [...] I could do > > an ssh from the BPC server to the mac without password. that is correct - if you are using the root user, root login needs to be *allowed*. It can be forbidden altogether in /etc/ssh/sshd_config (on Linux systems, path may vary on other systems), and that would prevent backups from working. I have no idea how MacOS/X sets this up by default, but it's definitely a thing to check. > > [...] However, it quit quickly, with an ???Unable to read 4 bytes error.??? > However, when I set the client name alias to the ip address, it seems to > have taken. It has been running a backup for 10 minutes, so hopefully that > is it. That is strange. The only things I could think of to explain this would be either a messed up ~backuppc/.ssh/config or messed up DNS resolution, resulting in BackupPC contacting the wrong server or using the wrong options when you specify the host name, both of which sound unlikely. > I would suggest that you revert the ssd_config so that you can benefit > from the improved security of rejecting password based root login. The thing to note here is that /etc/ssh/sshd_config (or wherever that may be on MacOS/X) should probably contain PermitRootLogin without-password whereas PermitRootLogin no *will not work* (for you, that is; people using a different account combined with 'sudo' can even use this setting). PermitRootLogin yes will work but may be less secure. If *you* don't *need* it, don't use it. ***BackupPC does not need or even use it in any case.*** There is a fourth variant which could also be used with BackupPC, but *it would require additional setup*: PermitRootLogin forced-commands-only Since BackupPC may generate different argument lists to rsync, and ssh forced commands only allow one fixed argument string, you would need a wrapper script to accommodate for this case. If you don't understand what I'm talking about, just ignore it and set PermitRootLogin to without-password. I'm just mentioning it, because sshd_config(5) expressly says If this option is set to ``forced-commands-only'', root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). This is correct, but, again, will require additional configuration. To sum it up: PermitRootLogin yes .. ok, less secure no ... not ok without-password . ok, recommended setting forced-commands-only . not ok without additional consideration/configuration Hope that helps. Regards, Holger -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] ssh and Mac 10.12 Sierra
On 30/11/16 07:57, Michael Conner wrote: > On Nov 29, 2016, at 2:22 PM, Michael Stowe >wrote: >> On 2016-11-29 13:54, Michael Conner wrote: >>> It was just an upgrade from 10.11, with which I had no problem. It was >>> running 10.11 when I redid the server to Centos 7 and the key exchange >>> worked ok. What I don’t get is why I can’t manually ssh into root but >>> I can into another user. Until that changes, I don’t know if I also >>> have a key problem. This is beyond me and I have yet to find anything >>> on web with this problem. I have no Linux background, I’ve just picked >>> stuff up as I needed it for getting BPC to work. >>> Mike On Nov 29, 2016, at 11:58 AM, Phil Kennedy wrote: How far of a jump in upgrade did you make to get to Sierra? Apple switched over the sshd_config to use Authorized_keys rather than Authorized_keys2 as the home for trusted keypairs several versions ago. Verify that your sshd config is really doing what you are expecting it to do. WRT key based authentication. ~Phil On Nov 29, 2016 11:42 AM, "Michael Conner" wrote: I maintain a BackupPC system for our small museum, backing up about 10 computers, mostly Windows. BPC is version 3.3.1, running on Centos 7. I just upgraded to Centos 7 earlier this year and got everything working again ok. The one Mac I backup (mine) was just upgraded to 10.12 Sierra and I can no longer get BPC to connect to it. In the past I’ve been able to copy a key using ssh-copy-id -i .ssh/id_dsa.pub root@host_to_backup (at least I think this is the command I’ve used, its from from a tutorial on setting up BPC in Centos). I’ve seen some stuff on the web about differences in keys in Sierra, but what puzzles me most is that I can’t ssh to root on the Mac now. When I try to ssh to it from the BPC server, it keeps asking for the password and ultimately fails. I can ssh into another user, just not root. Has anyone successfully gotten BPC to work with Sierra using rsync and a key? Mike Conner >> Yes, of course. I run Sierra and BackupPC -- I suspect the clue is in your >> "id_dsa.pub." DSA keys have been deprecated in favor of RSA keys. I can't >> say that this is definitively your issue, as I haven't bothered trying to >> set up old DSA keys just to test the theory, but I'd recommend trying it >> with RSA keys instead, since that certainly works as expected. > After permitting root log in the sshd_config file, I changed "ssh-keygen -t > dsa” to "ssh-keygen -t rsa” and did the key copy with "ssh-copy-id -i > .ssh/id_rsa.pub root@host_to_backup” Then I could do an ssh from the BPC > server to the mac without password. At first I thought everything was ok as I > started a full backup and it got an xfer PID. However, it quit quickly, with > an “Unable to read 4 bytes error.” However, when I set the client name alias > to the ip address, it seems to have taken. It has been running a backup for > 10 minutes, so hopefully that is it. > > Thanks for your help. > > Mike Hi Mike, I would suggest that you revert the ssd_config so that you can benefit from the improved security of rejecting password based root login. BackupPC will use key based logins, and so is not affected by this configuration. Regards, Adam -- Adam Goryachev Website Managers www.websitemanagers.com.au -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] ssh and Mac 10.12 Sierra
After permitting root log in the sshd_config file, I changed "ssh-keygen -t dsa” to "ssh-keygen -t rsa” and did the key copy with "ssh-copy-id -i .ssh/id_rsa.pub root@host_to_backup” Then I could do an ssh from the BPC server to the mac without password. At first I thought everything was ok as I started a full backup and it got an xfer PID. However, it quit quickly, with an “Unable to read 4 bytes error.” However, when I set the client name alias to the ip address, it seems to have taken. It has been running a backup for 10 minutes, so hopefully that is it. Thanks for your help. Mike > On Nov 29, 2016, at 2:22 PM, Michael Stowe> wrote: > > On 2016-11-29 13:54, Michael Conner wrote: >> It was just an upgrade from 10.11, with which I had no problem. It was >> running 10.11 when I redid the server to Centos 7 and the key exchange >> worked ok. What I don’t get is why I can’t manually ssh into root but >> I can into another user. Until that changes, I don’t know if I also >> have a key problem. This is beyond me and I have yet to find anything >> on web with this problem. I have no Linux background, I’ve just picked >> stuff up as I needed it for getting BPC to work. >> Mike >>> On Nov 29, 2016, at 11:58 AM, Phil Kennedy >>> wrote: >>> How far of a jump in upgrade did you make to get to Sierra? >>> Apple switched over the sshd_config to use Authorized_keys rather than >>> Authorized_keys2 as the home for trusted keypairs several versions ago. >>> Verify that your sshd config is really doing what you are expecting it to >>> do. WRT key based authentication. >>> ~Phil >>> On Nov 29, 2016 11:42 AM, "Michael Conner" wrote: >>> I maintain a BackupPC system for our small museum, backing up about 10 >>> computers, mostly Windows. BPC is version 3.3.1, running on Centos 7. I >>> just upgraded to Centos 7 earlier this year and got everything working >>> again ok. The one Mac I backup (mine) was just upgraded to 10.12 Sierra and >>> I can no longer get BPC to connect to it. In the past I’ve been able to >>> copy a key using ssh-copy-id -i .ssh/id_dsa.pub root@host_to_backup (at >>> least I think this is the command I’ve used, its from from a tutorial on >>> setting up BPC in Centos). >>> I’ve seen some stuff on the web about differences in keys in Sierra, but >>> what puzzles me most is that I can’t ssh to root on the Mac now. When I try >>> to ssh to it from the BPC server, it keeps asking for the password and >>> ultimately fails. I can ssh into another user, just not root. Has anyone >>> successfully gotten BPC to work with Sierra using rsync and a key? >>> Mike Conner > > Yes, of course. I run Sierra and BackupPC -- I suspect the clue is in your > "id_dsa.pub." DSA keys have been deprecated in favor of RSA keys. I can't > say that this is definitively your issue, as I haven't bothered trying to set > up old DSA keys just to test the theory, but I'd recommend trying it with RSA > keys instead, since that certainly works as expected. -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] ssh and Mac 10.12 Sierra
Some more internet searching cleared up the root ssh problem. PermitRootLogin in sshd_config was set to the default of prohibit password. I got that changed to allow root login with password. However, now I am at the point of needing to get the key working properly. I’m not much of a linux maven, just picked stuff up as I needed it to get BPC running. Phil, do you know how to edit sshd_config to get things working right? Mike > On Nov 29, 2016, at 11:58 AM, Phil Kennedy >wrote: > > How far of a jump in upgrade did you make to get to Sierra? > > Apple switched over the sshd_config to use Authorized_keys rather than > Authorized_keys2 as the home for trusted keypairs several versions ago. > Verify that your sshd config is really doing what you are expecting it to do. > WRT key based authentication. > ~Phil > > > On Nov 29, 2016 11:42 AM, "Michael Conner" wrote: > I maintain a BackupPC system for our small museum, backing up about 10 > computers, mostly Windows. BPC is version 3.3.1, running on Centos 7. I just > upgraded to Centos 7 earlier this year and got everything working again ok. > The one Mac I backup (mine) was just upgraded to 10.12 Sierra and I can no > longer get BPC to connect to it. In the past I’ve been able to copy a key > using ssh-copy-id -i .ssh/id_dsa.pub root@host_to_backup (at least I think > this is the command I’ve used, its from from a tutorial on setting up BPC in > Centos). > > I’ve seen some stuff on the web about differences in keys in Sierra, but what > puzzles me most is that I can’t ssh to root on the Mac now. When I try to ssh > to it from the BPC server, it keeps asking for the password and ultimately > fails. I can ssh into another user, just not root. Has anyone successfully > gotten BPC to work with Sierra using rsync and a key? > > Mike Conner > > > > -- > ___ > BackupPC-users mailing list > BackupPC-users@lists.sourceforge.net > List:https://lists.sourceforge.net/lists/listinfo/backuppc-users > Wiki:http://backuppc.wiki.sourceforge.net > Project: http://backuppc.sourceforge.net/ > -- > ___ > BackupPC-users mailing list > BackupPC-users@lists.sourceforge.net > List:https://lists.sourceforge.net/lists/listinfo/backuppc-users > Wiki:http://backuppc.wiki.sourceforge.net > Project: http://backuppc.sourceforge.net/ -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] ssh and Mac 10.12 Sierra
On 2016-11-29 13:54, Michael Conner wrote: > It was just an upgrade from 10.11, with which I had no problem. It was > running 10.11 when I redid the server to Centos 7 and the key exchange > worked ok. What I don’t get is why I can’t manually ssh into root but > I can into another user. Until that changes, I don’t know if I also > have a key problem. This is beyond me and I have yet to find anything > on web with this problem. I have no Linux background, I’ve just picked > stuff up as I needed it for getting BPC to work. > > Mike > >> On Nov 29, 2016, at 11:58 AM, Phil Kennedy >>wrote: >> >> How far of a jump in upgrade did you make to get to Sierra? >> >> Apple switched over the sshd_config to use Authorized_keys rather than >> Authorized_keys2 as the home for trusted keypairs several versions >> ago. Verify that your sshd config is really doing what you are >> expecting it to do. WRT key based authentication. >> ~Phil >> >> >> On Nov 29, 2016 11:42 AM, "Michael Conner" wrote: >> I maintain a BackupPC system for our small museum, backing up about 10 >> computers, mostly Windows. BPC is version 3.3.1, running on Centos 7. >> I just upgraded to Centos 7 earlier this year and got everything >> working again ok. The one Mac I backup (mine) was just upgraded to >> 10.12 Sierra and I can no longer get BPC to connect to it. In the past >> I’ve been able to copy a key using ssh-copy-id -i .ssh/id_dsa.pub >> root@host_to_backup (at least I think this is the command I’ve used, >> its from from a tutorial on setting up BPC in Centos). >> >> I’ve seen some stuff on the web about differences in keys in Sierra, >> but what puzzles me most is that I can’t ssh to root on the Mac now. >> When I try to ssh to it from the BPC server, it keeps asking for the >> password and ultimately fails. I can ssh into another user, just not >> root. Has anyone successfully gotten BPC to work with Sierra using >> rsync and a key? >> >> Mike Conner Yes, of course. I run Sierra and BackupPC -- I suspect the clue is in your "id_dsa.pub." DSA keys have been deprecated in favor of RSA keys. I can't say that this is definitively your issue, as I haven't bothered trying to set up old DSA keys just to test the theory, but I'd recommend trying it with RSA keys instead, since that certainly works as expected. -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] ssh and Mac 10.12 Sierra
It was just an upgrade from 10.11, with which I had no problem. It was running 10.11 when I redid the server to Centos 7 and the key exchange worked ok. What I don’t get is why I can’t manually ssh into root but I can into another user. Until that changes, I don’t know if I also have a key problem. This is beyond me and I have yet to find anything on web with this problem. I have no Linux background, I’ve just picked stuff up as I needed it for getting BPC to work. Mike > On Nov 29, 2016, at 11:58 AM, Phil Kennedy >wrote: > > How far of a jump in upgrade did you make to get to Sierra? > > Apple switched over the sshd_config to use Authorized_keys rather than > Authorized_keys2 as the home for trusted keypairs several versions ago. > Verify that your sshd config is really doing what you are expecting it to do. > WRT key based authentication. > ~Phil > > > On Nov 29, 2016 11:42 AM, "Michael Conner" wrote: > I maintain a BackupPC system for our small museum, backing up about 10 > computers, mostly Windows. BPC is version 3.3.1, running on Centos 7. I just > upgraded to Centos 7 earlier this year and got everything working again ok. > The one Mac I backup (mine) was just upgraded to 10.12 Sierra and I can no > longer get BPC to connect to it. In the past I’ve been able to copy a key > using ssh-copy-id -i .ssh/id_dsa.pub root@host_to_backup (at least I think > this is the command I’ve used, its from from a tutorial on setting up BPC in > Centos). > > I’ve seen some stuff on the web about differences in keys in Sierra, but what > puzzles me most is that I can’t ssh to root on the Mac now. When I try to ssh > to it from the BPC server, it keeps asking for the password and ultimately > fails. I can ssh into another user, just not root. Has anyone successfully > gotten BPC to work with Sierra using rsync and a key? > > Mike Conner > > > > -- > ___ > BackupPC-users mailing list > BackupPC-users@lists.sourceforge.net > List:https://lists.sourceforge.net/lists/listinfo/backuppc-users > Wiki:http://backuppc.wiki.sourceforge.net > Project: http://backuppc.sourceforge.net/ > -- > ___ > BackupPC-users mailing list > BackupPC-users@lists.sourceforge.net > List:https://lists.sourceforge.net/lists/listinfo/backuppc-users > Wiki:http://backuppc.wiki.sourceforge.net > Project: http://backuppc.sourceforge.net/ -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] ssh and Mac 10.12 Sierra
How far of a jump in upgrade did you make to get to Sierra? Apple switched over the sshd_config to use Authorized_keys rather than Authorized_keys2 as the home for trusted keypairs several versions ago. Verify that your sshd config is really doing what you are expecting it to do. WRT key based authentication. ~Phil On Nov 29, 2016 11:42 AM, "Michael Conner"wrote: > I maintain a BackupPC system for our small museum, backing up about 10 > computers, mostly Windows. BPC is version 3.3.1, running on Centos 7. I > just upgraded to Centos 7 earlier this year and got everything working > again ok. The one Mac I backup (mine) was just upgraded to 10.12 Sierra and > I can no longer get BPC to connect to it. In the past I’ve been able to > copy a key using ssh-copy-id -i .ssh/id_dsa.pub root@host_to_backup (at > least I think this is the command I’ve used, its from from a tutorial on > setting up BPC in Centos). > > I’ve seen some stuff on the web about differences in keys in Sierra, but > what puzzles me most is that I can’t ssh to root on the Mac now. When I try > to ssh to it from the BPC server, it keeps asking for the password and > ultimately fails. I can ssh into another user, just not root. Has anyone > successfully gotten BPC to work with Sierra using rsync and a key? > > Mike Conner > > > > > -- > ___ > BackupPC-users mailing list > BackupPC-users@lists.sourceforge.net > List:https://lists.sourceforge.net/lists/listinfo/backuppc-users > Wiki:http://backuppc.wiki.sourceforge.net > Project: http://backuppc.sourceforge.net/ > -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/