Rdiff-backup with ssh
Configuration in Debian
What is rdiff-backup?
rdiff-backup backs up one directory to another, possibly over a
network. The target directory ends up a copy of the source
directory, but extra reverse diffs are stored in a special
subdirectory of that target directory, so you can still recover
files lost some time ago. The idea is to combine the best
features of a mirror and an incremental backup. rdiff-backup
also preserves subdirectories, hard links, dev files,
permissions, uid/gid ownership, modification times, extended
attributes, acls, and resource forks. Also, rdiff-backup can
operate in a bandwidth efficient manner over a pipe, like rsync.
Thus you can use rdiff-backup and ssh to securely back a hard
drive up to a remote location, and only the differences will be
transmitted. Finally, rdiff-backup is easy to use and its settings
have sensible defaults.
A POSIX operating system, like Linux or Mac OS X
Python v2.2 or later (see http://www.python.org)
librsync v0.9.7 or later
The python module pylibacl is optional, but necessary for access
control list support.
The python module pyxattr is optional, but necessary for extended
attribute support.
First make sure that ssh is installed on both machines; then
proceed with the steps below.
Install rdiff-backup in Debian
You need to install it on both the source machine and the target machine:
#apt-get install rdiff-backup
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 0B/148kB of archives.
After unpacking 569kB of additional disk space will be used.
Selecting previously deselected package rdiff-backup.
(Reading database ... 28792 files and directories currently
Unpacking rdiff-backup (from .../rdiff-backup_0.13.4-5_i386.deb)
Setting up rdiff-backup (0.13.4-5) ...
This installs rdiff-backup on your machine.
Create The Public Keys On Target
On backup.domain.com, we create a group and an unprivileged user
called rdiff. This user rdiff will run the backups. We do not
want root to run the backups for security reasons!
#groupadd -g 3500 rdiff
#useradd -u 3500 -s /bin/false -d /backup -m -c "rdiff" -g rdiff rdiff
The second command creates the user rdiff with the home directory
/backup (which is created automatically by this command if it does
not exist already). Its shell is /bin/false, so the account cannot
log in interactively (again for security reasons). If the group ID
and user ID 3500 are already in use on your system, replace them
with another (free) ID.
#su -s /bin/sh rdiff
With this command you become the user rdiff on the shell; -s is
needed because the account's own shell is /bin/false. (su -m rdiff
also works when run as root, but it keeps root's environment
including HOME=/root, so ~ would then not point to /backup.) All
the following commands in this section must be run as user rdiff.
Create the keys:
#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/backup/.ssh/id_rsa):
Created directory '/backup/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /backup/.ssh/id_rsa.
Your public key has been saved in /backup/.ssh/id_rsa.pub.
The key fingerprint is:
It is fine to save the key in /backup/.ssh/id_rsa, so simply hit
Enter. Do not enter a passphrase, otherwise the backup cannot run
without human interaction, so hit Enter again (twice). In the end
two files are created: /backup/.ssh/id_rsa (the private key) and
/backup/.ssh/id_rsa.pub (the public key). Because the private key
has no passphrase, anyone who can read /backup/.ssh/id_rsa gets
whatever access it grants; that is why it must stay readable only
by rdiff, and why the key is later pinned on server1.domain.com to
a single forced command and a single source host.
Next create the file /backup/.ssh/config with the following content:
Host server1_backup
    HostName server1.domain.com
    User root
The value of Host is what we use later on to start the backup.
You can use any name that you like (e.g. server1_backup,
this_is_the_machine_i_want_to_backup, etc.), but it should not
contain whitespace; underscores are ok. The User line is needed
because the backup logs in as root on server1.domain.com; without
it ssh would try the local user name rdiff.
Change the permissions of that file:
#chmod -R go-rwx /backup/.ssh
Now we copy our public key over to server1.domain.com:
#ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1.domain.com
This will look like this:
# ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1.domain.com
The authenticity of host 'server1.domain.com (18.104.22.168)' can't be established.
RSA key fingerprint is
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1.domain.com' (RSA) to the
list of known hosts.
Now try logging into the machine, with "ssh
'root@server1.domain.com'", and check in: .ssh/authorized_keys to
make sure we haven't added extra keys that you weren't expecting.
You have to type in the root password of server1.domain.com. What
this command does is copy the public key of the user rdiff to the
file /root/.ssh/authorized_keys on the remote server
server1.domain.com. Before answering yes to the host key prompt,
compare the fingerprint shown with the one of server1.domain.com
(run ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub there);
otherwise the backup key could be handed to an impostor host.
Log in as root on server1.domain.com and have a look at /root/.ssh/authorized_keys.
It should look similar to this
ssh-rsa AAAAB3Nza[...]W1go9M= rdiff@lona
Now prepend the following string to that key line in /root/.ssh/authorized_keys:
command="rdiff-backup --server --restrict-read-only /",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty
It must be on one line with the key, separated from it by a single space:
command="rdiff-backup --server --restrict-read-only /",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nza[...]W1go9M= rdiff@lona
This makes sshd run the command rdiff-backup --server
--restrict-read-only / whenever the user rdiff from
backup.domain.com connects to server1.domain.com with this key,
whatever command the client asked for; no-pty, no-port-forwarding
and no-X11-forwarding additionally deny an interactive terminal,
tunnels and X11 forwarding for this key. --restrict-read-only /
makes sure that rdiff-backup has only read access on
server1.domain.com, so a compromised backup host cannot modify or
delete files there through this key (it can still read everything,
because the command runs as root). Whether this option is accepted
depends on your rdiff-backup version. If it does not work for you,
leave out --restrict-read-only / so that the line reads:
command="rdiff-backup --server",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nza[...]W1go9M= rdiff@lona
In from="backup.domain.com" you should use the hostname that a
reverse lookup of backup.domain.com's IP address returns. Note that
sshd only compares host names in from= when UseDNS is enabled in
/etc/ssh/sshd_config; with UseDNS no (the default in current
OpenSSH releases) only an IP address pattern matches. It is
therefore more robust to use backup.domain.com's IP address:
command="rdiff-backup --server --restrict-read-only /",from="<IP address of backup.domain.com>",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nza[...]W1go9M= rdiff@lona
#chmod -R go-rwx /root/.ssh
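The forced-command entry above is the security core of the setup, so it is worth generating and checking it mechanically rather than by eye. The POSIX shell functions below are an added example, not part of the original page or of rdiff-backup: restricted_line builds the authorized_keys entry from a from= pattern and a public key line, and unrestricted_keys lists every key in an authorized_keys file that is not pinned to rdiff-backup --server with all three no-* options (a key that was copied in with ssh-copy-id but never edited shows up there). The sample key is the truncated key shown on the page, used as constructed test data; the address 203.0.113.10 is a placeholder.

```shell
#!/bin/sh
# Added example: build and audit forced-command entries for the rdiff key.
# Not part of rdiff-backup or of the original page. SAMPLE_KEY is the
# truncated key from the page, used here only as constructed test data.

SAMPLE_KEY='ssh-rsa AAAAB3Nza[...]W1go9M= rdiff@lona'

# restricted_line FROM_PATTERN 'PUBKEY LINE'
# Prints one authorized_keys line: forced command and options, then the key.
# FROM_PATTERN is the backup host's IP (or its reverse-DNS name if UseDNS yes).
restricted_line() {
    printf 'command="rdiff-backup --server --restrict-read-only /",from="%s",no-port-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# unrestricted_keys FILE
# Prints every key line in FILE that is not forced to rdiff-backup --server
# or that lacks one of the three no-* options. Exit status 0 when every key
# is restricted, 1 otherwise, so it can serve as a check in a script.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        !($0 ~ /^command="rdiff-backup --server/ && /no-port-forwarding/ && /no-X11-forwarding/ && /no-pty/) {
            print
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Demonstration on a scratch file: a correctly restricted entry passes,
# a bare copy of the key (as left behind by ssh-copy-id) is reported.
demo_file=$(mktemp)
restricted_line 203.0.113.10 "$SAMPLE_KEY" > "$demo_file"
if unrestricted_keys "$demo_file" >/dev/null; then
    echo "restricted entry passes the audit"
fi
printf '%s\n' "$SAMPLE_KEY" >> "$demo_file"
if ! unrestricted_keys "$demo_file" >/dev/null; then
    echo "unrestricted key found; fix the file before relying on it"
fi
rm -f "$demo_file"
```

Run unrestricted_keys /root/.ssh/authorized_keys on server1.domain.com after editing; it should print nothing and exit 0. Any line it prints is a key that would give the backup host a full root shell.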
Then have a look at /etc/ssh/sshd_config. It should contain the
settings that allow this login: PubkeyAuthentication yes and a
PermitRootLogin value that permits key-based root logins.
PermitRootLogin forced-commands-only is the tightest choice for
this setup, because root may then only log in with keys that carry
a command= option like the one above (prohibit-password, called
without-password in older OpenSSH, would allow any root key).
Restart ssh if you had to change /etc/ssh/sshd_config:
#/etc/init.d/ssh restart
(on systemd-based Debian releases: systemctl restart ssh)
Test rdiff-backup On Target Machine
Back on backup.domain.com, again as the user rdiff, we
test the backup:
#rdiff-backup server1_backup::/boot boot
In this command you see the string server1_backup. That is the
string we used in /backup/.ssh/config after Host. With this
command, the user rdiff connects to server1.domain.com as the root
user and saves the directory /boot of server1.domain.com to the
directory /backup/boot on backup.domain.com. If this works without
you having to type in a password, the key setup is complete. You
can also confirm that the forced command is in place: ssh
server1_backup ls must not return a directory listing; the forced
rdiff-backup --server runs instead and waits for protocol input
(end it with Ctrl-C).
Now all there is left to do is to create a cron job. Still as
user rdiff, run
#crontab -e
and create a cron job like this:
40 2 * * * /usr/bin/rdiff-backup --exclude /tmp --exclude /mnt --exclude /proc --exclude /dev --exclude /cdrom --exclude /floppy server1_backup::/ /backup/server1
This runs the backup every night at 2:40, saving the directory
/ with all subdirectories (excluding /tmp, /mnt, /proc, /dev, /cdrom
and /floppy) of server1.domain.com in /backup/server1 on
backup.domain.com. On current systems also exclude /sys and /run,
which are pseudo-filesystems like /proc.
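The crontab line above runs one command with no error handling and keeps increments forever. The wrapper script below is an added example, not part of the original page or of rdiff-backup: it assembles the exclude list (extended with /sys and /run for current Debian releases), runs the backup, and only after a successful run prunes increments older than a retention period with rdiff-backup --remove-older-than, so a failed backup never deletes history. The host alias server1_backup and the paths are those from the page; the four-week retention (4W), the log file /backup/backup.log, the install path /backup/bin/backup-server1.sh and the RDIFF_BACKUP variable (which lets you point the script at a stub for a dry run) are assumptions.

```shell
#!/bin/sh
# Added example wrapper for the cron job; not part of rdiff-backup or the page.
# Assumes the rdiff user's ~/.ssh/config defines Host server1_backup as above.
# RDIFF_BACKUP lets a dry run substitute a stub for the real executable.

RDIFF_BACKUP=${RDIFF_BACKUP:-/usr/bin/rdiff-backup}
KEEP=${KEEP:-4W}                 # assumed retention: increments older than 4 weeks go
LOG=${LOG:-/backup/backup.log}   # assumed log location

# Pseudo-filesystems and removable media never belong in a backup.
# /sys and /run are added to the page's list for current Debian releases.
DEFAULT_EXCLUDES="/tmp /mnt /proc /dev /sys /run /cdrom /floppy"

# exclude_args PATH...: print " --exclude PATH" for every argument.
exclude_args() {
    for p in "$@"; do
        printf ' --exclude %s' "$p"
    done
}

# run_backup HOST_ALIAS DEST: mirror HOST_ALIAS:/ into DEST, then prune.
# Returns rdiff-backup's exit status. The prune step runs only after a
# successful backup so that a failing run cannot throw away old increments.
run_backup() {
    host=$1
    dest=$2
    # word splitting of the exclude list is intentional: the paths have no spaces
    "$RDIFF_BACKUP" $(exclude_args $DEFAULT_EXCLUDES) "$host::/" "$dest" || return $?
    # --force is required when more than one increment is removed at once
    "$RDIFF_BACKUP" --remove-older-than "$KEEP" --force "$dest"
}

# Entry point for cron; invoked as: backup-server1.sh run
if [ "${1-}" = "run" ]; then
    if run_backup server1_backup /backup/server1 >>"$LOG" 2>&1; then
        printf '%s backup of server1 OK\n' "$(date '+%F %T')" >>"$LOG"
    else
        rc=$?
        printf '%s backup of server1 FAILED (exit %s)\n' "$(date '+%F %T')" "$rc" >>"$LOG"
        exit "$rc"
    fi
fi
```

With the script installed as /backup/bin/backup-server1.sh, the crontab entry becomes 40 2 * * * /backup/bin/backup-server1.sh run, and a non-zero exit status makes cron mail the failure to the rdiff user, which the bare rdiff-backup line only does for output on stderr.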