The problem is that ssh is a pig about permissions and, whilst unRAID does come with some persistent SSH keys, they live on the boot flash drive, and because of its file system (exFAT or FAT32, which cannot store Unix permission bits at all) the permissions are far too open: every file looks world-readable, and ssh refuses to use a private key that anyone other than its owner can read.
So, what to do?
Well, as I am sure you know, SSH is all about two files, a private one you own and protect and a public one which you can give out willy-nilly. Usually those are ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub but they can actually come from anywhere.
The plan is therefore straightforward:
- Find a sensible file system
- Generate a new SSH key pair onto that file system
- Copy the .pub to the remote server (the machine you will ssh into)
- ssh using that key
Specifically I am rsync-ing, but let’s create the keys first.
Generate the keys and secure them
unRAID is all about your shares, and those shares live on an XFS filesystem, so why not choose a (very secure and not public!) share? I therefore created one share called “Vault”, locked it down in unRAID and created the relevant keys:
mkdir /mnt/user/Vault
ssh-keygen -t rsa -f /mnt/user/Vault/clientA
Make sure you don’t use a passphrase for the SSH keys themselves (just press Enter at the prompt, or pass -N ''): the key has to work unattended from cron, so its only protection is the file permissions and the locked-down share. If the remote side allows it, you can also limit what the key may do in the remote user’s authorized_keys (a from= or command= restriction in front of the key).
The one with .pub is the public key you can throw around with abandon. The one without the .pub is your private one which you want to wrap in tinfoil and put in a locked box.
The permissions on the private key should be no more than 0600 (user read and write only); ssh-keygen sets that automatically (and 0644 on the .pub, which is fine, it is public). If not then a chmod 0600 /mnt/user/Vault/clientA will suffice. Check with ls -l that the mode really stuck: on the FAT32 flash drive it never will, which is the whole reason for using a share.
Copy the .pub to the remote server
ssh-copy-id -i /mnt/user/Vault/clientA.pub <the remote user>@<the remote server>
You are copying the .pub (public) key, not the private one! Enter the password and, if all goes well, that is the last time you need to enter that password ;-).
SSH using that key
ssh -l <the remote user> -i /mnt/user/Vault/clientA <the remote server>
should get you in immediately (note that -i takes the private key, the file without .pub).
Great, but what has this got to do with rsync?
rsync and many other things work over ssh. All we need to do is tell rsync which key to use:
rsync -avz --stats --progress --rsh="ssh -l <the remote user> -i /mnt/user/Vault/clientA" <the remote IP>:<the path you want to retrieve> <the local dir the remote dir will sync to>
Note that you reference your private key here, not the .pub.
So, if my remote username is “bobby”, the server is called “bobserver”, the remote directory is “/opt/photos” and it is going to be stored into /mnt/user/BobsBackup, I would do the following:
ssh-keygen -t rsa -f /mnt/user/Vault/bobby
ssh-copy-id -i /mnt/user/Vault/bobby.pub bobby@bobserver
rsync -avz --stats --progress --rsh="ssh -l bobby -i /mnt/user/Vault/bobby" bobserver:/opt/photos /mnt/user/BobsBackup
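Putting the whole procedure together, here is an added example script (not part of the original post, and not unRAID’s own tooling) that does the generate, copy and rsync steps with the filesystem and permission checks ssh will apply anyway. The names bobby, bobserver, /opt/photos, /mnt/user/Vault and /mnt/user/BobsBackup are the post’s illustrative ones; the IdentitiesOnly option, the helper functions and the cron line are this example’s own additions, and it assumes GNU stat as found on unRAID.

```shell
#!/bin/sh
# Added example (not from the original post): the key-on-a-share procedure as
# one script, with the checks ssh itself applies. Paths, user and host names
# are the post's illustrative ones; IdentitiesOnly, the helper functions and
# the cron line are this example's additions. Requires GNU stat (as on unRAID).
set -eu

KEY_DIR="${KEY_DIR:-/mnt/user/Vault}"          # a locked-down XFS share, not /boot (FAT32)
KEY="${KEY:-$KEY_DIR/bobby}"                    # private key; "$KEY.pub" is the public half
REMOTE_USER="${REMOTE_USER:-bobby}"
REMOTE_HOST="${REMOTE_HOST:-bobserver}"
REMOTE_DIR="${REMOTE_DIR:-/opt/photos}"
LOCAL_DIR="${LOCAL_DIR:-/mnt/user/BobsBackup}"

# FAT-family filesystems cannot store Unix permission bits, so a key kept on one
# always looks world-readable and ssh will refuse it. Returns 1 for those types.
# unRAID's /mnt/user (shfs) reports as "fuseblk", which is fine.
fs_supports_perms() {
    case "$1" in
        msdos|vfat|exfat) return 1 ;;
        *)                return 0 ;;
    esac
}

# Filesystem type of the directory holding the key, e.g. "xfs", "msdos", "fuseblk".
dir_fs_type() {
    stat -f -c '%T' "$1"
}

# ssh rejects a private key with any group/other permission bits set
# ("UNPROTECTED PRIVATE KEY FILE!"). Returns 0 only when mode & 077 == 0.
key_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f")                   # octal mode, e.g. 600, 644, 755
    [ "$(( 0$mode & 077 ))" -eq 0 ]
}

# Generate a passphrase-less key on the share (cron cannot type a passphrase),
# then prove the permissions really stuck, which they never will on FAT32.
ensure_key() {
    fs_supports_perms "$(dir_fs_type "$KEY_DIR")" || {
        echo "$KEY_DIR is on a FAT-family filesystem; use an XFS share" >&2
        return 1
    }
    if [ ! -f "$KEY" ]; then
        ssh-keygen -t rsa -b 4096 -N '' -f "$KEY"
    fi
    chmod 0600 "$KEY"                            # ssh-keygen does this already; harmless
    key_perms_ok "$KEY" || {
        echo "$KEY is still readable by others; ssh will refuse it" >&2
        return 1
    }
}

# Install the PUBLIC half on the remote machine (last time you type the password).
install_pubkey() {
    ssh-copy-id -i "$KEY.pub" "$REMOTE_USER@$REMOTE_HOST"
}

# Pull the remote directory over ssh using the PRIVATE half.
# IdentitiesOnly=yes stops ssh offering every other key it can find first.
pull_backup() {
    rsync -avz --stats --progress \
        --rsh="ssh -i $KEY -o IdentitiesOnly=yes -l $REMOTE_USER" \
        "$REMOTE_HOST:$REMOTE_DIR" "$LOCAL_DIR"
}

# Assumed cron line for the unattended run (the post leaves scheduling for later):
#   30 2 * * * /mnt/user/Vault/backup.sh pull
case "${1:-}" in
    setup) ensure_key && install_pubkey ;;
    pull)  key_perms_ok "$KEY" && pull_backup ;;
    "")    ;;                                    # no verb: just define the functions
    *)     echo "usage: $0 setup|pull" >&2; exit 2 ;;
esac
```

Run it once as `backup.sh setup` (ssh-copy-id prompts for the remote password) and thereafter as `backup.sh pull` from cron. The fs_supports_perms check only recognises the FAT types; an NTFS or other FUSE mount reports as fuseblk just like an unRAID share does, so key_perms_ok, which reads the mode back after the chmod, is the check that actually matters.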
The next job is to add a
cron job to do the
rsync at a regular schedule. That is a post for another day (trivially editing
/boot/config/go really, but my tea is ready :-))
If you didn’t want to create your keys on a share then the alternative would be to edit /boot/config/go to copy the keys (maybe even the already existing /boot/config/ssh/*.keys) onto a sensible file system, chmod 0600 them and then reference those. Bear in mind that /boot/config/ssh holds the host keys sshd uses to identify your server to clients; reusing one of those as a client identity works, but a dedicated key you generated yourself is the cleaner choice.
Great - go for it :-).