Backing up with RSync

Whilst I use Duplicity to perform my mass backups on a nightly basis, it’s comforting to have some components backed up on a much more regular basis and stored in an instantly recoverable format. RSync solves this problem very well for me.

The hardest part of getting RSync working for me is always getting the authentication set up properly so that SSH can log in to the remote backup host without needing to authenticate with a password every time. More on that later. First of all, get a working script in place that prompts for a password. Below is such a script:

#!/bin/bash
# Mirror alice's home directory to bobhost over SSH.
/usr/bin/rsync \
--compress \
--verbose \
--rsh=/usr/bin/ssh \
--recursive \
--times \
--perms \
--links \
--delete \
--exclude=somedir \
/home/alice bob@bobhost.com:/home/bob/alice

This script will back up alice’s home directory to bobhost as user bob and store it in a subdirectory called alice. Remember that this script would therefore reside on alice’s machine and would be initiated by her. Note the --exclude option, which is used to ignore files or directories.

At this point, the script can be run by alice. She will be prompted for a password for bob@bobhost.com as she has no ssh authority for him. If all goes well, it should run with no issues. If so, read on to get around the password authentication requirement which would currently prevent automation of this script.

The host that the files are copied to must have a ~/.ssh/authorized_keys file containing the public keys of the user who will be logging in from the host that initiates the backup. Read this bit a few times until it sinks in and makes sense!

At this point, assume alice is backing up her machine, and bob is hosting her backup.
Alice must generate herself a key using the command:
ssh-keygen -b 1024 -t dsa
This will ask a few questions, all of which can be left at their defaults. Make sure the passphrase is left blank. Two new files will have been created:
~/.ssh/id_dsa
~/.ssh/id_dsa.pub

Bob now needs a copy of alice’s public key (id_dsa.pub). One method of getting it would be to scp the file from alicehost using a command such as this:
scp alice@alicehost.com:~/.ssh/id_dsa.pub ~/.ssh/tmp.key

Bob then needs to add this key to his authorized_keys file:
cat ~/.ssh/tmp.key >> ~/.ssh/authorized_keys

Bob should also ensure that his authorized_keys file is set to chmod 600.

That’s it. The script should now run without prompting for a password, as Bob has authorized Alice to log into his machine by placing her public key in his authorized_keys file.

Security Note
Bob has now authorized Alice to ssh into his account. She can issue an ssh bob@bobhost.com and will not be prompted for a password. For this reason, bob should probably be a dedicated login specifically for Alice to back up to.
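
The exposure described in the Security Note can be narrowed further by restricting what Alice's key is allowed to do. The following is an added example, not part of the original post: a function bob can run to install the key with authorized_keys options so that it can only drive rsync inside the backup directory. It assumes rrsync (distributed with rsync) is installed at /usr/bin/rrsync and that sshd is OpenSSH 7.2 or later for the restrict option; the function name install_backup_key is hypothetical.

```shell
#!/bin/bash
# Added example, run by bob on bobhost. Assumptions: rrsync (distributed with
# rsync) is at /usr/bin/rrsync, and sshd supports "restrict" (OpenSSH 7.2+).

# install_backup_key PUBKEY_FILE BACKUP_DIR [SSH_DIR]
# Appends the key to authorized_keys so that it can only run rsync confined
# to BACKUP_DIR: no shell, no pty, no port/agent/X11 forwarding.
install_backup_key() {
    local pubkey_file=$1 backup_dir=$2 ssh_dir=${3:-$HOME/.ssh}
    local auth=$ssh_dir/authorized_keys key_type key_blob comment

    # A public key line is "type base64-blob [comment]". Anything else,
    # such as a private key copied by mistake, is rejected.
    read -r key_type key_blob comment < "$pubkey_file" || true
    case "$key_type" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
    esac
    case "$key_blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 1 ;;
    esac

    # sshd (StrictModes) ignores authorized_keys with loose permissions.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this key is already listed.
    if grep -qF -- "$key_blob" "$auth"; then return 0; fi

    printf 'command="/usr/bin/rrsync %s",restrict %s %s%s\n' \
        "$backup_dir" "$key_type" "$key_blob" "${comment:+ $comment}" >> "$auth"
}

# Usage on bobhost: install_backup_key ~/.ssh/tmp.key /home/bob/alice
```

rrsync interprets the paths sent by Alice's rsync relative to the backup directory, so the destination in her script is then given relative to /home/bob/alice rather than as the full path.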
