Example Four - Running a Central Backup Server
As you have already seen, you can use wcp to create backups of your system configuration files. backup-etc can be used for this, but by default this script stores the files locally. wcp can use ssh to connect to another server and invoke wcpd there as if it were local. To make this useful for regular backups, it should run without any user intervention. In particular, there should be no password prompt for the remote login.
This is where ssh key authentication comes in. ssh does not support giving the login password on the command line, and password-free accounts are generally a bad idea, but password-free ssh key authentication is a solution.
This text does two things: first it explains how to set up ssh key authentication, and second it shows how to initiate the backups from the server to the client. It assumes you have two computers, which are named
- server: this will become the backup server, the machine that stores the archived files, and
- client: the computer whose /etc files are stored on the server.
Surprisingly, as you will see, it's the server that connects to the client. But I think this approach is simpler than the usual client/server connection since this requires an ssh key for each client you want to back up.
Key generation
First you have to create a private/public key pair on your backup server.
root@server:~ > ssh-keygen -f backup-user.key -N '' -b 2048 -t rsa
Generating public/private rsa key pair.
Your identification has been saved in backup-user.key.
Your public key has been saved in backup-user.key.pub.
The key fingerprint is:
be:bd:87:f4:9c:7d:22:6f:04:4d:00:63:e5:e7:e4:0d root@linux
The -N '' option sets an empty passphrase, which makes sure that any login with this key is password free.
To protect your client against password-free shell logins with the backup key, add a specific command to the key. Load backup-user.key.pub into your editor and edit the backup key line to look like
command="/usr/local/bin/wcp -b /etc store -" ssh-rsa AAAAB3Nza...
This will bind the key, once installed on the client, to the wcp backup program with the parameters above. You may add more security options to this key; see sshd's manpage.
Client preparation
Now copy the backup-user.key.pub file to your client. backup-user.key must be kept secret: never (again in plain words: never - and there is really no need for it) put it on a client machine. Keep the backup-user.key file safe because it's a password-free login key.
root@server:~ > scp backup-user.key.pub root@client:
The public key must be added to root's authorized keyfile. On my machine this file is named
root@client:~ > cat backup-user.key.pub >>.ssh/authorized_keys
Make sure that wcp is installed on client.
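The forced command added to the key above can be checked mechanically once the key is in root's authorized_keys on the client. The script below is an added example, not part of wcp or of the original text; the function names and the sample file are made up for illustration, the option names are the ones documented in sshd's manpage, and restrict needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example (not part of wcp): audit authorized_keys for keys that allow
# more than the forced backup command. The sample file below is constructed.

# Print the status of one authorized_keys line:
#   skip        blank line or comment
#   open        no options: this key gets a full shell
#   no-command  options present, but no forced command
#   forced      command="..." set; pty and forwarding still allowed
#   locked      command="..." plus restrict, or all four no-* options
classify_key_line() {
    line=$1
    case $line in ''|'#'*) echo skip; return ;; esac
    case $line in ssh-*|ecdsa-*|sk-*) echo open; return ;; esac
    # Drop quoted values (so words inside command="..." are not read as
    # options), then cut everything from the key type onwards.
    opts=$(printf '%s\n' "$line" |
        sed -E 's/"[^"]*"//g; s/ (ssh-|ecdsa-|sk-)[^ ]+ .*$//' | tr 'A-Z' 'a-z')
    opts=",$opts,"
    case $opts in *,command=,*) ;; *) echo no-command; return ;; esac
    case $opts in *,restrict,*) echo locked; return ;; esac
    for o in no-pty no-port-forwarding no-agent-forwarding no-x11-forwarding; do
        case $opts in *",$o,"*) ;; *) echo forced; return ;; esac
    done
    echo locked
}

# Audit a whole file; returns 1 if any key is not bound to a command.
audit_authorized_keys() {
    file=$1 n=0 bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        s=$(classify_key_line "$l")
        [ "$s" = skip ] && continue
        echo "$file:$n: $s"
        case $s in open|no-command) bad=1 ;; esac
    done < "$file"
    return "$bad"
}

# Constructed sample: the line from the text, a hardened variant, a bare key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
command="/usr/local/bin/wcp -b /etc store -" ssh-rsa AAAAB3Nza... root@server
restrict,command="/usr/local/bin/wcp -b /etc store -" ssh-rsa AAAAB3Nza... root@server
ssh-rsa AAAAB3Nza... admin@laptop
EOF
audit_authorized_keys "$sample" || echo "found keys without a forced command"
rm -f "$sample"
```

On the client, run audit_authorized_keys against root's authorized_keys file; a backup key reported as forced still permits port forwarding, which restrict or the no-* options turn off.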
Archive creation
Now create a directory where you want to store the archives ...
root@server:~ > mkdir -p etc-archive/client