
Example Four - Running a Central Backup Server

As you have already seen, you can use wcp to create backups of your system configuration files. backup-etc can be used for this, but by default that script stores the files locally. wcp can use ssh to connect to another server and invoke wcpd there as if it were local. To make this useful for regular backups it should run without any user intervention; in particular there must be no password prompt for the remote login.

At this point ssh key authentication can be used for the login. ssh does not support giving the login password on the command line, and password-free accounts are generally a bad idea, so password-free ssh key authentication is the solution.

This text does two things: first it explains how to set up ssh key authentication, and second it shows how to initiate the backups from the server to the client. It assumes you have two computers which are named

server
    this will become the backup server, the machine that stores the archived files, and

client
    the computer whose /etc files are stored on the server.

Surprisingly, as you will see, it's the server that connects to the client. But I think this approach is simpler than the usual client-to-server connection, since that would require an ssh key for each client you want to back up.

Key generation

First you have to create a private/public key pair on your backup server.

root@server:~ > ssh-keygen -f backup-user.key -N '' -b 2048 -t rsa
Generating public/private rsa key pair.
Your identification has been saved in backup-user.key.
Your public key has been saved in backup-user.key.pub.
The key fingerprint is:
be:bd:87:f4:9c:7d:22:6f:04:4d:00:63:e5:e7:e4:0d root@linux

The -N '' option gives the private key an empty passphrase, so any login with this key is password free.

To protect your client against password-free shell logins with the backup key, bind a specific command to the key. Load backup-user.key.pub into your editor and edit the backup key line to look like

command="/usr/local/bin/wcp -b /etc store -" ssh-rsa AAAAB3Nza...

Once installed on the client, this binds the key to the wcp backup program with the parameters above: whatever the connecting side asks for, sshd runs only this command. You may add more security options to this key; see the AUTHORIZED_KEYS FILE FORMAT section of sshd's manpage.
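The following script is an added example; it is not part of wcp or of the original page. It builds the restricted authorized_keys line from a plain .pub file, adding the forced command from above together with the other key options documented in sshd(8) that a backup-only key does not need (no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding) and a from= restriction so the key is only accepted from the backup server. The server address 192.0.2.10 and the temporary file in the test are constructed placeholders. A second function audits an existing authorized_keys file on the client and reports every active key that still grants an unrestricted shell.

```shell
#!/bin/sh
# Added example, not part of wcp or of the original page.
# Usage: sh restrict-key.sh backup-user.key.pub 192.0.2.10 >> ~/.ssh/authorized_keys
# The forced command is the one from the page; the server address is an
# assumption you must replace with your backup server's address.

FORCED_CMD='/usr/local/bin/wcp -b /etc store -'

# restrict_pubkey PUBKEY_LINE SERVER_ADDR
# Prints the authorized_keys line: the key with a forced command, accepted
# only from SERVER_ADDR, and with pty, port, agent and X11 forwarding off.
# Any options already present on the input line are dropped first.
restrict_pubkey() (
    publine=$1
    server=$2
    set -f                 # no pathname expansion while splitting the line
    set -- $publine
    # skip everything before the key type so "keytype base64 comment" remains
    while [ "$#" -gt 0 ]; do
        case $1 in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*|sk-*) break ;;
            *) shift ;;
        esac
    done
    [ "$#" -ge 2 ] || return 1
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$FORCED_CMD" "$server" "$*"
)

# unrestricted_keys FILE
# Prints the line number of every active key in FILE that carries no
# command= option, i.e. every key whose holder gets a full shell.
unrestricted_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;        # blank lines and comments
            *command=*) continue ;;     # already bound to a command
        esac
        echo "$n"
    done < "$1"
}

# when run with a .pub file and the server address, print the restricted line
if [ "$#" -eq 2 ]; then
    restrict_pubkey "$(cat "$1")" "$2"
fi
```

Run unrestricted_keys against the client's authorized_keys after installing the backup key; the only acceptable output is the line numbers of keys you deliberately use for interactive logins.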

Client preparation

Now copy the backup-user.key.pub file to your client. backup-user.key must be kept secret; never (again in plain words: never - and there is really no need for it) put it on a client machine. Keep the backup-user.key file safe because it's a password-free login key.

root@server:~ > scp backup-user.key.pub root@client:

The public key must be added to root's authorized keys file. On my machine this file is named .ssh/authorized_keys in root's home directory. This may be different on yours, but you can look into your sshd configuration file (normally /etc/ssh/sshd_config) and see what is configured with the "AuthorizedKeysFile" option.

root@client:~ > cat backup-user.key.pub >>.ssh/authorized_keys

Make sure that wcp is installed on client.

Note: If you are already using ssh key authentication it may be necessary to disable an existing key authentication socket by clearing the value of the environment variable SSH_AUTH_SOCK. Otherwise ssh may use another key for authentication.

Archive creation

Now create a directory where you want to store the archives ...

root@server:~ > mkdir -p etc-archive/client

root@server:~ > wcpd -c ssh://root,/root/backup-user.key@client:/ /root/etc-archive/client

This creates the archive directory /root/etc-archive/client/0001 with the /etc tree from client and, as you can see, it's working password-free, ready for unattended use.

Although the wcpd command gives / as the backup directory, the remote /etc is stored, because the command bound to the backup key is what actually runs on the client.

Note: If ssh does not use backup-user.key because there is an open and active SSH_AUTH_SOCK, the wcpd command from above will archive the whole remote system. Things you can do are:

  1. Disable the SSH_AUTH_SOCK,
  2. check the command on the remote system with "ssh -i backup-user.key client" - it should display "MKNV" and not a shell prompt,
  3. give /etc instead of / as parameter.

To back up multiple machines you would now need a script that runs the wcpd command from above with different hostnames and host directories, something like

#!/bin/sh
# never let an agent key be chosen instead of the backup key
unset SSH_AUTH_SOCK

archivedir=/var/remote-backups
keyfile=/root/backup-user.key

# $list holds one hostname per entry, see below
for HOST in $list; do
	DIR=$archivedir/$HOST
	# run wcpd only if the host directory exists or could be created
	if mkdir -p -m 0700 "$DIR"; then
		wcpd -c ssh://root,$keyfile@$HOST:/etc "$DIR"
	fi
done

If you then compute the list variable with

list=`cd $archivedir && find . -maxdepth 1 -type d -name '[a-z]*' |
      awk '/^\.\// { print substr($1, 3); }'`

then adding a machine only takes two steps: first prepare the client, and second create a host directory in your archive directory. No additional configuration file is required.
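A complete driver for that loop, added here as an example; it is not part of wcp or of the original page. It discovers the hosts from the top-level directories of the archive directory, rejects directory names that cannot be hostnames (so a stray directory never ends up on an ssh command line), runs wcpd once per host and reports failures instead of silently continuing. ARCHIVEDIR and KEYFILE are placeholders with the page's values as defaults; WCPD is an assumption that lets you point the driver at another command for a dry run. Checking the forced command with "ssh -i backup-user.key client" as described above is still a manual step.

```shell
#!/bin/sh
# Added example, not part of wcp or of the original page.
# Usage from cron: sh central-backup.sh run
# ARCHIVEDIR, KEYFILE and WCPD are assumptions; override them in the environment.

ARCHIVEDIR=${ARCHIVEDIR:-/var/remote-backups}
KEYFILE=${KEYFILE:-/root/backup-user.key}
WCPD=${WCPD:-wcpd}

# Never let an agent key be picked instead of the backup key; with another
# key the forced command does not apply and wcpd would fetch the whole system.
unset SSH_AUTH_SOCK

# valid_hostname NAME: succeed only for names made of letters, digits, dots
# and hyphens that start with a letter (the page's '[a-z]*' convention)
valid_hostname() {
    case $1 in
        ''|[!A-Za-z]*|*[!A-Za-z0-9.-]*|*.|*..*) return 1 ;;
    esac
    return 0
}

# discover_hosts DIR: print one host per line, taken from the top-level
# subdirectories of DIR whose names pass valid_hostname
discover_hosts() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        h=${d%/}
        h=${h##*/}
        valid_hostname "$h" && echo "$h"
    done
}

# backup_host HOST: create the host directory if needed and run wcpd;
# returns wcpd's exit status (or 1 if the directory could not be created)
backup_host() {
    dir=$ARCHIVEDIR/$1
    mkdir -p -m 0700 "$dir" || return 1
    "$WCPD" -c "ssh://root,$KEYFILE@$1:/etc" "$dir"
}

# backup_all: back up every discovered host; prints one status line per
# host and returns the number of hosts that failed (0 means all succeeded)
backup_all() {
    failed=0
    for h in $(discover_hosts "$ARCHIVEDIR"); do
        if backup_host "$h"; then
            echo "ok: $h"
        else
            echo "FAILED: $h" >&2
            failed=$((failed + 1))
        fi
    done
    return $failed
}

if [ "${1:-}" = run ]; then
    backup_all
fi
```

Because backup_all returns the number of failed hosts, a cron job running it gets a non-zero exit status, and therefore a mail, whenever one client could not be archived.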