Secure Backup


Backup Server

  1. Edit sshd_config to allow RSA authentication. Send SIGHUP to sshd to reload the new config.
  2. Create an account for your server, let's call it backup
  3. Edit /etc/shadow to lock the backup account by replacing the 2nd field with '!' (w/o quotes)
  4. Use ssh-keygen to make passwordless RSA keys as user backup. NOTE: This is the weakest point in my scheme, but go on reading to see how I try to reduce the risk of stolen RSA keys and a compromised backup server.
  5. Move (don't copy, move them) the files ~backup/.ssh/identity and ~backup/.ssh/identity.pub to ~root/.ssh/identity-backup and ~root/.ssh/identity.pub-backup. NOTE: we do NOT leave the RSA keys in the home directory of the backup account, so the intruder needs root privileges to gain access to the keys!
  6. chown -R root.root ~root/.ssh/ !!!
  7. Copy weekly-backup.sh and weekly-backup.list from the archive to /etc/cron.d/
  8. Modify weekly-backup.{sh,list} to fit your needs and system
  9. Add an entry for crond by using crontab as root (e.g.: 0 9 * * Thu /etc/cron.d/weekly-backup.sh)


Backup Client

  1. Allow RSA key authentication
  2. Create an account, let's call it clbackup
  3. Lock account by editing /etc/shadow
  4. Generate passwordless RSA keys
  5. Move them to ~root/.ssh/identity-clbackup and ~root/.ssh/identity.pub-clbackup and chown (on the client machine!)
  6. Copy root@<backup client>:.ssh/identity.pub-backup to backup@<backup server>:.ssh/authorized_keys
  7. Copy root@<backup server>:.ssh/identity.pub-backup to clbackup@<backup client>:.ssh/authorized_keys
  8. The two steps above are necessary to execute commands remotely and to copy data from the clients to the server
  9. Copy remote-backup.sh from the archive to /usr/local/sbin.
  10. Use visudo to allow clbackup to execute remote-backup.sh w/o entering a password. Look at the etc/sudoers file in the archive.
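
One way to verify, after setup, the account lock and key relocation steps of both procedures above (server steps 3, 5 and 6; client steps 3 and 5). This is an added example, not a script from the archive; the function names and the check that the private key carries no group or other permission bits are assumptions.

```shell
#!/bin/sh
# Added audit sketch, not part of the original archive. Function names are
# hypothetical; the mode check on the private key is an added assumption.

# account_locked SHADOW_FILE USER
# Succeeds if USER exists and its 2nd (password) field starts with '!'.
account_locked() {
    awk -F: -v u="$2" '$1 == u { found = 1; ok = ($2 ~ /^!/) }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# no_stray_keys HOME_DIR
# Succeeds if no identity* key file is left in HOME_DIR/.ssh.
no_stray_keys() {
    for f in "$1"/.ssh/identity*; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# key_protected FILE OWNER
# Succeeds if FILE is a regular file owned by OWNER with no group/other bits.
key_protected() {
    [ -f "$1" ] || return 1
    ls -ld "$1" | awk -v o="$2" '{ exit ($3 == o && $1 ~ /^-...------/) ? 0 : 1 }'
}

# audit_side SHADOW_FILE USER HOME_DIR KEY_DIR OWNER
# Runs all three checks for one machine; prints each failure, returns 1 if any.
audit_side() {
    rc=0
    account_locked "$1" "$2" || { echo "FAIL: $2 not locked in $1"; rc=1; }
    no_stray_keys "$3" || { echo "FAIL: key files left in $3/.ssh"; rc=1; }
    key_protected "$4/identity-$2" "$5" ||
        { echo "FAIL: $4/identity-$2 missing, wrong owner or too open"; rc=1; }
    return $rc
}

# As root on the server: audit_side /etc/shadow backup ~backup /root/.ssh root
# As root on a client:   audit_side /etc/shadow clbackup ~clbackup /root/.ssh root
```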


Epilog

    If you have problems with this stuff or have improvements, please let me know.
    I just tested it with SuSE Linux 7.2 as server and SuSE Linux 7.3 and 7.0 as clients.
    I tried to run it on my OpenBSD 2.8 router but it triggered weird errors.
 

Screen Shots

     Running weekly-backup.sh from root console


 
 
 

Date            Description            Download/Link
28. Jan. 2002   Initial beta release   Secure Backup tar.gz ball
