From mboxrd@z Thu Jan 1 00:00:00 1970
From: Grant
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] {OT} rdiff-backup: push or pull?
Date: Fri, 19 Aug 2011 11:00:36 -0700
In-Reply-To: <4E4E99F6.2020002@orlitzky.com>
References: <54732072.QyOj10dyxT@eve> <2835390.opqSYxfPPv@eve> <4E4E99F6.2020002@orlitzky.com>
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

> We're doing the same thing for our backups. Here's that chunk of our
> documentation, if it's helpful.

Thanks Michael. You've found that a shell account is required on the backup server in order to push backups to it?

Is the purpose of the Host block in .ssh/config to store the hostname of the backup server so it doesn't need to be used directly in the rdiff-backup command?

Why create a password for the backup user? Doesn't that open up the possibility of someone logging in as that user, when otherwise the account would only be used for backing up files?

- Grant

> === rdiff-backup Client ===
>
> ==== Creating the Remote User ====
>
> First, create a new system user on the backup server. Log in (as root),
> and run,
>
>  useradd -d /home/ -m
>
> The ''-d'' parameter sets the home directory, and ''-m'' creates it
> automatically.
>
> The rdiff-backup program uses SSH to synchronize the local and remote
> filesystems. As a result, non-interactive operation requires a
> server/client certificate pair. Furthermore, we cannot prevent shell
> logins for our new user account.
>
> Give it a reasonably-complex password. You'll only need to type it twice:
>
>  passwd
>
> ==== Installing rdiff-backup ====
>
> First things first; install rdiff-backup on the client. In Gentoo, all
> this requires is the following,
>
>  emerge rdiff-backup
>
> If that works, go ahead and continue.
>
> ==== Setting up SSH Authentication ====
>
> For now, we're done on the backup server. Log in to the client server
> (the one to be backed up) as root. We need to generate an SSH key pair:
>
>  ssh-keygen
>
> Name the file something informative when asked. '''Do not create a
> password for the key file.''' For example, your private key for
> might be named ~/.ssh/_rsa. Now, copy the
> public key, e.g. ~/.ssh/_rsa.pub to the backup server
> using the user that we created earlier.
>
>  scp ~/.ssh/ @:~/
>
>
> And add a section to the local ~/.ssh/config file which corresponds to
> the backup server. This forces the local machine to authenticate to the
> backup server using its key rather than a password.
>
>
> Host 
>   Hostname 
>   IdentityFile ~/.ssh/
>   IdentitiesOnly yes
> 
>
>
> Now, ssh into the backup server as your new user. Our goal is to add
> this key as "trusted," allowing anyone with the corresponding key to
> connect as this user. On the backup server (as our new user), execute,
>
>  cat >> ~/.ssh/authorized_keys
>  rm
>
> and add the following to the authorized_keys file manually. Add it at
> the beginning of the line for the new public key.
>
>  command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding
>
> This will restrict the user with this public key to executing only the
> rdiff-server command.
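
An added example, not part of the original message or of the quoted documentation: a Python audit that parses each authorized_keys entry on the backup server and reports keys that lack the forced command or the no-pty / no-port-forwarding options shown above. The sample entries are constructed, and the handling of OpenSSH's `restrict` option goes beyond what the quoted documentation uses.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)\S+$")
OPTION = re.compile(r'([\w-]+)(?:="((?:\\"|[^"])*)")?(,|\s+|$)')
FORCED = "/usr/bin/rdiff-backup --server"     # forced command from the quoted docs
EXPECTED = ("no-pty", "no-port-forwarding")   # restrictions from the quoted docs

def parse_options(line):
    """Return the options of one authorized_keys entry as a dict."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}                              # entry starts with the key type
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        # Quoted values may hold commas, spaces and escaped quotes.
        opts[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
        if m.group(3) != ",":                  # whitespace ends the options field
            return opts

def audit(text, forced=FORCED):
    """Return {line_number: [findings]} for every key entry in text."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            opts = parse_options(line)
        except ValueError as exc:
            report[n] = [str(exc)]
            continue
        found = []
        if "command" not in opts:
            found.append("no forced command")
        elif opts["command"] != forced:
            found.append("unexpected command: " + opts["command"])
        for opt in EXPECTED:                   # 'restrict' implies both unless re-enabled
            if opt not in opts and ("restrict" not in opts or opt[3:] in opts):
                found.append("missing " + opt)
        report[n] = found
    return report

# Constructed sample: key blobs and host names are placeholders.
SAMPLE = r'''command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding ssh-rsa AAAAKEY1 root@a
ssh-rsa AAAAKEY2 root@b
command="/usr/bin/rdiff-backup --server",no-pty ssh-ed25519 AAAAKEY3 root@c
restrict,command="/bin/sh -c \"id, whoami\"" ssh-ed25519 AAAAKEY4 root@d'''
```

Running `audit(SAMPLE)` returns an empty finding list only for the first entry, the one written the way the quoted documentation describes.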