> We're doing the same thing for our backups. Here's that chunk of our
> documentation, if it's helpful.

Thanks Michael. You've found that a shell account is required on the backup server in order to push backups to it? Is the purpose of the Host block in .ssh/config to store the hostname of the backup server so it doesn't need to be used directly in the rdiff-backup command? Why create a password for the backup user? Doesn't that open up the possibility of someone logging in as that user, when otherwise the account would only be used for backing up files?

- Grant

> === rdiff-backup Client ===
>
> ==== Creating the Remote User ====
>
> First, create a new system user on the backup server. Log in (as root),
> and run,
>
>     useradd -d /home/<username> -m <username>
>
> The ''-d'' parameter sets the home directory, and ''-m'' creates it
> automatically.
>
> The rdiff-backup program uses SSH to synchronize the local and remote
> filesystems. As a result, non-interactive operation requires a
> server/client certificate pair. Furthermore, we cannot prevent shell
> logins for our new user account.
>
> Give it a reasonably-complex password. You'll only need to type it twice:
>
>     passwd <username>
>
> ==== Installing rdiff-backup ====
>
> First things first; install rdiff-backup on the client. In Gentoo, all
> this requires is the following,
>
>     emerge rdiff-backup
>
> If that works, go ahead and continue.
>
> ==== Setting up SSH Authentication ====
>
> For now, we're done on the backup server. Log in to the client server
> (the one to be backed up) as root. We need to generate an SSH key pair:
>
>     ssh-keygen
>
> Name the file something informative when asked. '''Do not create a
> password for the key file.''' For example, your private key for
> <backup_server> might be named ~/.ssh/<backup_server>_rsa. Now, copy the
> public key, e.g. ~/.ssh/<backup_server>_rsa.pub to the backup server
> using the user that we created earlier.
>
>     scp ~/.ssh/<public_key_file> <remote_user>@<backup_server>:~/
>
> And add a section to the local ~/.ssh/config file which corresponds to
> the backup server. This forces the local machine to authenticate to the
> backup server using its key rather than a password.
>
> <pre>
> Host <backup_server_hostname>
>     Hostname <backup_server_hostname>
>     IdentityFile ~/.ssh/<private_key_file>
>     IdentitiesOnly yes
> </pre>
>
> Now, ssh into the backup server as your new user. Our goal is to add
> this key as "trusted," allowing anyone with the corresponding key to
> connect as this user. On the backup server (as our new user), execute,
>
>     cat <public_key_file> >> ~/.ssh/authorized_keys
>     rm <public_key_file>
>
> and add the following to the authorized_keys file manually. Add it at
> the beginning of the line for the new public key.
>
>     command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding
>
> This will restrict the user with this public key to executing only the
> rdiff-server command.
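The step that matters most in the quoted documentation is the manual edit of authorized_keys: without the leading `command=...,no-pty,no-port-forwarding` options, a key appended by `cat >>` gives its holder a full shell as the backup user. The following Python script is an added example, not part of Michael's documentation or Grant's reply. It parses an authorized_keys file in OpenSSH's format (options field, key type, key, comment), honouring quoted option values that may contain commas or spaces, and reports every key that lacks the forced rdiff-backup command or the no-pty / no-port-forwarding options (it also accepts OpenSSH's `restrict` keyword as covering those two). The file contents and key material below are constructed sample data.

```python
"""Audit an OpenSSH authorized_keys file for a backup-only account.

Added example, not from the original thread. Flags keys that would let
their holder do more than run 'rdiff-backup --server'. Sample input is
constructed; the key blobs are not real keys.
"""
import sys

# Key types OpenSSH accepts at the start of a key entry (prefix match).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")
EXPECTED_COMMAND = "rdiff-backup --server"


def split_options(opts):
    """Split the options field on commas, but not inside double quotes
    (e.g. command="a,b" is one option). Backslash escapes inside quotes
    are kept verbatim so the option text is not altered."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and quoted and i + 1 < len(opts):
            cur.append(ch)
            cur.append(opts[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} or None for blank,
    comment and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        # The options field ends at the first whitespace outside quotes;
        # a quote preceded by a backslash does not open or close a string.
        quoted = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            elif ch.isspace() and not quoted:
                options, line = line[:i], line[i + 1:].lstrip()
                break
        else:
            return None  # options with no key material after them
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        return None
    return {"options": split_options(options) if options else [],
            "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def check_key(entry):
    """Return the list of problems for one parsed entry ([] means OK)."""
    names = [o.split("=", 1)[0].lower() for o in entry["options"]]
    cmds = [o for o in entry["options"] if o.lower().startswith("command=")]
    problems = []
    if not cmds:
        problems.append("no forced command: key grants an interactive shell")
    elif EXPECTED_COMMAND not in cmds[0]:
        problems.append("forced command is not the rdiff-backup server: " + cmds[0])
    if "restrict" not in names:  # 'restrict' implies both of these
        for opt in ("no-pty", "no-port-forwarding"):
            if opt not in names:
                problems.append("missing " + opt)
    return problems


def audit(text):
    """Map each key (by comment, or line number if none) to its problems."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        report[entry["comment"] or "line %d" % n] = check_key(entry)
    return report


# Constructed sample file: one correct entry, one bare key pasted with
# 'cat >>' and never edited, one with a wrapped command but no flags, and
# one using 'restrict'.
SAMPLE = r"""# constructed sample authorized_keys for the backup user
command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 client1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx client2
command="/bin/sh -c \"cd /srv; exec rdiff-backup --server\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGy client3
restrict,command="/usr/bin/rdiff-backup --server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1 client4
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for label, problems in audit(text).items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run it with the path to the backup user's `~/.ssh/authorized_keys` as its only argument (or with no argument to see the sample output); a non-empty problem list for any key is the condition the documentation's manual edit is meant to prevent.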