Welcome to Eric Hameleers (Alien BOB)'s Wiki pages.

Differences

This shows you the differences between two versions of the page.

linux:rsnapshot [2006/03/21 12:29]
alien
linux:rsnapshot [2010/04/24 19:25] (current)
alien Add a link to my article about the NSLU2
Line 5: Line 5:
 A good read is the [[http://www.rsnapshot.org/howto/1.2/rsnapshot-HOWTO.en.html | Rsnapshot HOWTO]]. A good read is the [[http://www.rsnapshot.org/howto/1.2/rsnapshot-HOWTO.en.html | Rsnapshot HOWTO]].
  
 +Another article worth checking is my companion article about [[linux:slug | using a Linksys NAS as rsnapshot server]].
  
 ==== Getting the software ==== ==== Getting the software ====
Line 40: Line 41:
     local# ssh remote-server     local# ssh remote-server
     ; you might have to create the directory ~/.ssh if it doesnt exist:     ; you might have to create the directory ~/.ssh if it doesnt exist:
-    ; "chmod 600 ~/.ssh ; chown rbackup ~/.ssh"+    ; "chmod 700 ~/.ssh ; chown rbackup ~/.ssh"
     ; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right,     ; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right,
     ; passwordless login will FAIL!     ; passwordless login will FAIL!
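Review bot: the corrected `chmod 700 ~/.ssh` hint now gives a working directory mode, but the two context lines after it warn about permissions on both ~/.ssh and ~/.ssh/authorized_keys while a mode is only ever given for the directory. Suggest adding the file's mode to the same hint, e.g. `chmod 600 ~/.ssh/authorized_keys`. The `chown rbackup ~/.ssh` part is also ambiguous about who runs it: chown is only needed when the directory was created by another user such as root, and in that case `~` may not expand to rbackup's home, so writing the path out as /home/rbackup/.ssh would be clearer.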
Line 62: Line 63:
   * Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group.   * Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group.
   * Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code>   * Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code>
-    from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa  +from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa  
-    AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= +AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= 
-    rbackup@TheVault</code> +rbackup@TheVault 
-  * Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code> +</code> Make sure your version of **''from="192.168.200.34"''** contains the IP address of your rsnapshot server! 
-    #!/bin/sh +  * Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code bash
-    case "$SSH_ORIGINAL_COMMAND" in +#!/bin/sh 
-    *\&*)+case "$SSH_ORIGINAL_COMMAND" in 
 +  *\&*)
     echo "Rejected 1"     echo "Rejected 1"
     ;;     ;;
-    *\;*)+  *\;*)
     echo "Rejected 2"     echo "Rejected 2"
     ;;     ;;
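Review bot: the `from="192.168.200.34",command="/home/rbackup/validate-rsync.sh"` entry pins the source address and the command, but the key can still request port, X11 and agent forwarding and a PTY, none of which the backup needs. Suggest extending the option list with `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty`. The example is also displayed wrapped over three lines; one sentence saying that the options, key and comment must sit on a single line in authorized_keys would prevent a failed login for readers who paste it as shown.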
Line 77: Line 79:
     $SSH_ORIGINAL_COMMAND     $SSH_ORIGINAL_COMMAND
     ;;     ;;
-    *true*)+  *true*)
     echo $SSH_ORIGINAL_COMMAND     echo $SSH_ORIGINAL_COMMAND
     ;;     ;;
-    *)+  *)
     echo "Rejected 3"     echo "Rejected 3"
     ;;     ;;
-    esac +esac 
-</code>  and ''chmod 754 /home/rbackup/validate-rsync.sh'' to make it executable.+</code>  and run the following commands to make it executable for user ''rbackup'': <code> 
 +chown rbackup /home/rbackup/validate-rsync.sh 
 +chmod 754 /home/rbackup/validate-rsync.sh 
 +</code> 
   * Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh   * Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh
 /usr/bin/sudo /usr/bin/rsync "$@"; /usr/bin/sudo /usr/bin/rsync "$@";
 </code> </code>
-  * Add this line to ''/etc/sudoers'': <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code>+  * Add this line to ''/etc/sudoers'' so that user ''rbackup'' can run the wrapper's ''rsync'' command with //root// privileges: <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code> 
 + 
 +=== Testing remote login === 
 + 
 +When all configuration is complete, and before your scheduled cron jobs start, you should test whether the non-interactive passwordless login from the rsnapshot server to the remote //rbackup// account is functional.\\ You need to make a ssh connection at least once, to add the public key of the remote machine to your root account's //''known_hosts''// file. <code> 
 +# ssh rbackup@client.my.lan 
 +Rejected 3 
 +Connection to client.my.lan closed. 
 +</code> The "''Rejected 3''" message actually means that your configuration was successful!
  
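Review bot: the new `chown rbackup /home/rbackup/validate-rsync.sh` line makes the restricted account the owner of the script that restricts it, and `chmod 754` then gives that owner write access. Suggest leaving the script owned by root with mode 755, which still lets rbackup execute it as the forced command. This matters more because the sudoers line in the same hunk, `rbackup ALL = NOPASSWD: /usr/bin/rsync`, places no limit on rsync's arguments, so the validation script is the only thing standing between this key and root-level file access; the reworded bullet should say that rather than only that rsync runs with root privileges. In the new testing section it would also help to state why "Rejected 3" is the expected result: an interactive login sends no command, so the script falls through to its final `*)` branch.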
