One problem is that SSH requires a password for logging, which is not convenient if we want to run rdiff-backup as a cron job. Here we show how to initiate rdiff-backups from a central backup server, and pull data from a farm of hosts to be backed up. For security reasons, the central server uses a non-root user account (rdiffbk) to perform backups, whereas root account is used on each host being backed up. Though root accounts are used on hosts being backed up, they are protected by SSH public-key authentication mechanism with forced-command-only option.
For convenience, I'll call the central backup server canine and three hosts to be backed up beagle, shepherd and terrier. For short, only works on canine and beagle will be shown.
Here is the procedure for backup server canine:
- generate one passphrase-free SSH key pair for each host being backed up,
- move corresponding ssh key to each host,
- create SSH configuration file, and
- create a cron job file
To generate RSA type pair for host beagle, we issue
ssh-keygen -t rsa -f id_beagle-backup
where private key will be saved in file id_beagle-backup and public key id_beagle-backup.pub.
Step 2: move corresponding ssh key to each host
To move id_beagle-backup.pub to host beagle, we may choose to use any preferred method (for example, ftp, sftp, or ssh-copy-id), since public key is not sensitive. Other hosts can be done similarly.
Step 3: create SSH configuration file
To define how to connect to host beagle with backup key, we place the following lines into file ~rdiffbk/.ssh/config. Other hosts need to be configured similarly.
host beagle-backup
hostname beagle
user root
identifyfile ~rdiffbk/.ssh/id_beagle-backup
protocol 2
Step 4: create a cron job file
The following cron job file automates the remote backups daily at 200am, 210am, and 220am, respectively.
0 2 * * * rdiff-backup beagle-backup::/remote_dir beagle/remote_dir
10 2 * * * rdiff-backup shepherd-backup::/remote_dir shepherd/remote_dir
20 2 * * * rdiff-backup terrier-backup::/remote_dir terrier/remote_dir
By default setting, rdiff-backup uses SSH to pipe remote data. Therefore, both SSH server and rdiff-backup are required in hosts to be backed up.
What left on host beagle and others (shepherd, terrier) is simply to give permission to canine to access it (through SSH) and run rdiff-backup. This can be done in the following two steps:
Step I: create an authorized-keys file for root account
To enable SSH public key authentication for root account, we need to create the file /root/.ssh/authorized_keys, which consists public key for user rdiffbk@canine, forced command and other options. The public key (id_beagle-backup.pub) should be available for beagle once we have done Step 2. A sample authorized_keys file is as follows:
command="rdiff-backup --server --restrict-read-only /",from="canine",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3.... rdiffbk@canine
Here, for security reason, rdiff-backup server is restricted to real only, and
we disable port-forward, X11-forward and pty options. See here for more details.
Step II: configure SSH server for root access
As we saw here, this can be done by put the following line in the SSH server configuration file (sshd_config):
PermitRootLogin forced-commands-only
No comments:
Post a Comment