[TriLUG] rsyncd.conf

Rick DeNatale rick.denatale at gmail.com
Fri Feb 10 20:39:00 EST 2006


On 2/10/06, Alan Porter <porter at trilug.org> wrote:
>
> >>BackupPC will fetch files from the client PC's using one of
> >>three mechanisms: (1) Samba (2) rsync/ssh (3) rsync/rsyncd.
> >>I am using option #3.  On the client PC, I installed rsync
> >>and set RSYNC_ENABLE=true in /etc/defaults/rsync.
> >>
> >>
> >>
> >Might I suggest that you tell backuppc to use rsync as the xfer
> >method.  This doesn't require an rsync daemon on the client but runs
> >rsync over ssh as required.
> >
> >
>
>
> Hi Rick,
>
> Thanks for your reply.
>
> I thought about using method #2 (rsync/ssh), but I did not
> like the idea of planting my server's public key in the client
> PC's /root/.ssh/authorized_keys file.  It seems like a wide-open
> door, when all I really needed was the ability to copy files out.

That's what PUBLIC keys are for; it's the private keys you want to
keep secret. Without one, the other is worthless.

Securing ssh via private/public keys is well accepted as a secure way
to connect.

You don't have to put it in /root; don't use root as the user.
There's some description of that on the backuppc doc site, but the
basic idea is to create a userid on the client just to talk to the
backuppc server.  I call mine backuppcclient.

Put the ssh stuff in ~backuppc/.ssh
Put a bash script in ~backuppc/bin/rsyncSend

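#!/bin/sh -f
# Pass every argument through to rsync unchanged; "$@" keeps arguments
# that contain spaces as single words, which $* does not.
exec /usr/bin/rsync "$@"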

Then use visudo to add the following to the sudoers file:

backuppcclient ALL= NOPASSWD: /home/backuppcclient/bin/rsyncSend

This lets the backuppcclient user use sudo ONLY to execute that one command.

And in the host config file on the backuppc server you tell backuppc
to do just that on backup and restore with the lines:

$Conf{RsyncClientCmd} = '$sshPath -q -l backuppcclient $host sudo ~/bin/rsyncSend $argList+';
$Conf{RsyncClientRestoreCmd} = '$sshPath -q -l backuppcclient $host sudo ~/bin/rsyncSend $argList+';

I did this following the docs I mentioned.  There was one slight
problem in that the docs (at the time, I haven't checked to see if
they changed since I reported this) had a bug in that it had separate
rsyncSend and rsyncReceive scripts with different flag args to rsync. 
This turned out to be wrong since backuppc was setting those flags
itself.  So if I were to do this again, I'd probably name the script
differently for clarity. Maybe I'll do it when I'm in a less lazy
mood.

--
Rick DeNatale

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/
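
Added example, not part of the original message and not BackupPC's own script: a stricter variant of the rsyncSend wrapper that refuses any invocation other than rsync's server-side sender mode, for the case raised in the quoted text where only copying files out is needed. It assumes restores (which need receiver mode) are handled some other way; the function names are hypothetical, and the wrapper still reads files with whatever privileges sudo gives it.

```shell
#!/bin/sh
# Added example: rsyncSend restricted to rsync's server-side "sender" mode.
# Function names are hypothetical; this is not the script from the post.

RSYNC_BIN=/usr/bin/rsync   # same path the post's script uses

# Return 0 only if the argument list is a server-side sender invocation.
rsync_send_allowed() {
    # A pull over ssh starts the remote side as: rsync --server --sender ...
    [ "$#" -ge 2 ] || return 1
    [ "$1" = "--server" ] || return 1
    [ "$2" = "--sender" ] || return 1
    shift 2
    for arg in "$@"; do
        case "$arg" in
            # Options that make a sender delete the files it has sent.
            --remove-source-files|--remove-sent-files) return 1 ;;
        esac
    done
    return 0
}

# Wrapper entry point: exec rsync with the arguments intact, or refuse.
rsync_send() {
    if rsync_send_allowed "$@"; then
        exec "$RSYNC_BIN" "$@"     # "$@" keeps each argument as one word
    fi
    echo "rsyncSend: refused: $*" >&2
    return 1
}

# Run as the sudo target; with no arguments (e.g. when sourced) do nothing.
if [ "$#" -gt 0 ]; then
    rsync_send "$@"
fi
```

With this wrapper in place, the RsyncClientRestoreCmd line from the message would be refused, since a restore starts rsync with --server but without --sender.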