LocalServerUser
Local nas user configuration requires these steps:
- SSH keys creation and propagation to the backup server
- Test SSH keys
- sudo passwordless setup
We need to create SSH keys so that zfs-backup.sh, running on our nas server, can execute commands on the backup server without being prompted for anything.
Here we will create shiny new ed25519 keys on our nas machine. Because the script will later run unattended from cron, leave the passphrase empty; that makes the private key file a credential in its own right, so keep the 600 mode ssh-keygen gives id_ed25519 and do not copy it to other hosts.
user@nas:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:HC2esqvdgCt4Rh0e45Ulv9/V4KIsznukZOUj5qtbkuU user@nas
The key's randomart image is:
+--[ED25519 256]--+
| |
| . .. |
| =o . |
| + oo.+. . |
| + =. S+ . o |
| . +. ** + . o .|
| o . ==E* + o |
|. + o B+ = . |
| o .o.=+*= |
+----[SHA256]-----+
user@nas:~$ ls -la ~/.ssh
total 24
drwx------ 2 user user 4096 Jul 21 01:11 .
drwxr-x--- 5 user user 4096 Jul 21 01:10 ..
-rw------- 1 user user 0 Jul 19 17:41 authorized_keys
-rw------- 1 user user 399 Jul 21 01:11 id_ed25519
-rw-r--r-- 1 user user 90 Jul 21 01:11 id_ed25519.pub
-rw------- 1 user user 1784 Jul 21 01:09 known_hosts
-rw------- 1 user user 948 Jul 21 01:09 known_hosts.old
user@nas:~$
Let's send the key to our backup server:
user@nas:~$ ssh-copy-id buser@backup
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
buser@backup's password:
Number of key(s) added: 1
user@nas:~$
Now try logging into the machine, with: "ssh 'buser@backup'" and check to make sure that only the key(s) you wanted were added.
user@nas:~$ ssh buser@backup
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sun Jul 21 01:13:35 AM UTC 2024
System load: 0.01
Usage of /: 38.9% of 6.06GB
Memory usage: 6%
Swap usage: 0%
Processes: 211
Users logged in: 1
IPv4 address for enp0s3: [...]
IPv6 address for enp0s3: [...]
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Last login: Sun Jul 21 01:09:55 2024 from 10.20.1.190
buser@backup:~$ exit
logout
Connection to backup closed.
OK, so far we are able to SSH to the backup server as buser. Note that the login above did not ask for buser's password: that is what proves the new key was actually used, rather than a silent fallback to password authentication.
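An interactive login is a weak test for something cron will run: if the key were missing, ssh would simply ask for a password and a human would type it. The following script is an added check, not part of the zfs-backup project: it verifies that the files under ~/.ssh have the modes OpenSSH insists on and that the login to the backup server succeeds in BatchMode, where any prompt becomes a failure. The user buser, host backup and key directory $HOME/.ssh are taken from the page's example and are assumptions for any other setup.

```sh
#!/bin/sh
# Added check, not part of the zfs-backup project. Verifies the two things a
# cron-driven zfs-backup.sh run depends on: key files with the modes OpenSSH
# insists on, and a login to the backup server that works with no prompt.
# Assumed (from the page's example, change for your hosts): user buser,
# host backup, key directory $HOME/.ssh.
set -eu

# mode_of PATH: octal mode without the leading zero, e.g. 700 or 600
# (GNU stat first, BSD/macOS stat as fallback, '?' when PATH is missing).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null || echo '?'
}

# check_key_files DIR: returns 0 when DIR is 700 and every private key in it
# is 600. ssh refuses a private key readable by group or others ("Permissions
# ... are too open"), which in a cron run only shows up in the mail/log.
check_key_files() {
    dir=$1
    rc=0
    [ "$(mode_of "$dir")" = 700 ] || { echo "$dir should be mode 700, is $(mode_of "$dir")"; rc=1; }
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        [ "$(mode_of "$f")" = 600 ] || { echo "$f should be mode 600, is $(mode_of "$f")"; rc=1; }
        # Fingerprint, to compare with the one ssh-keygen printed at creation
        # and with what ended up in authorized_keys on the backup server.
        if command -v ssh-keygen >/dev/null 2>&1 && [ -f "$f.pub" ]; then
            ssh-keygen -lf "$f.pub" 2>/dev/null || true
        fi
    done
    return $rc
}

# check_batch_ssh USER HOST: returns 0 only when public-key login works
# unattended. BatchMode=yes turns any password or passphrase prompt into a
# failure, which is exactly what cron would see, and PasswordAuthentication=no
# makes sure a fallback to the password cannot mask a missing key.
check_batch_ssh() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10 \
        "$1@$2" true
}

# Usage: sh check-local-user.sh [user host]
# Always checks $HOME/.ssh; runs the login test when user and host are given,
# e.g.: sh check-local-user.sh buser backup
if [ -d "${HOME:-}/.ssh" ]; then
    check_key_files "$HOME/.ssh" || echo "fix the modes above before scheduling the backup"
fi
if [ $# -eq 2 ]; then
    if check_batch_ssh "$1" "$2"; then
        echo "key login to $1@$2 works without a prompt"
    else
        echo "unattended login to $1@$2 failed: key missing, wrong mode, or host key not yet accepted"
    fi
fi
```

Run it as the nas user that cron will use, not as root: sudo changes $HOME and would check the wrong ~/.ssh. A host key that has never been accepted also fails in BatchMode, so do the first interactive login (as on this page) before relying on the batch check.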
The local nas user needs sudo because the key ZFS commands in the script require superuser rights.
This comes from the Linux implementation of the ZFS tools:
although the zfs allow command can delegate some ZFS operations to an unprivileged user, so that they would not need sudo at all, the Linux implementation cannot delegate the operations that matter most here.
A quote from the Ubuntu zfs allow man pages:
DESCRIPTION
zfs allow filesystem|volume
Displays permissions that have been delegated on the specified filesystem or volume.
See the other forms of zfs allow for more information.
Delegations are supported under Linux with the exception of mount, unmount, mountpoint,
canmount, rename, and share. These permissions cannot be delegated because the Linux
mount(8) command restricts modifications of the global namespace to the root user.
For this reason, the user needs to belong to the sudo group.
Our script might be run from a cron job, so we need to be able to run it without being asked for a password.
- Execute the command sudo visudo to modify the sudo user configuration
- Add the following line at the very end of the file:
# my user 'user'
user ALL=(ALL) NOPASSWD: ALL
- Save and exit
Be aware of what this line grants: user can now run any command as root without a password, so anyone who gets a shell as user has root on the nas. If you only want to cover the backup, restrict the NOPASSWD rule to the ZFS binaries the script actually calls instead of ALL.
Let's test it:
user@nas:~/src/zfs-backup$ ls -la /root
ls: cannot open directory '/root': Permission denied
user@nas:~/src/zfs-backup$ sudo ls -la /root
total 32
drwx------ 5 root root 4096 Jul 23 20:10 .
drwxr-xr-x 23 root root 4096 Jul 20 23:37 ..
-rw------- 1 root root 5 Jul 23 20:10 .bash_history
-rw-r--r-- 1 root root 3106 Apr 22 13:04 .bashrc
drwxr-xr-x 3 root root 4096 Jul 21 00:37 .local
-rw-r--r-- 1 root root 161 Apr 22 13:04 .profile
drwx------ 3 root root 4096 Jul 19 17:41 snap
drwx------ 2 root root 4096 Jul 21 01:39 .ssh
user@nas:~/src/zfs-backup$
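The restricted form of the rule, as an added example that is not part of zfs-backup: a drop-in under /etc/sudoers.d that grants passwordless root only for the zfs and zpool binaries, checked with visudo before it is installed, plus the check that takes the place of the sudo ls -la /root test above. The binary paths (/usr/sbin/zfs, /usr/sbin/zpool), the drop-in name /etc/sudoers.d/zfs-backup and the assumption that the script needs no other command as root are mine, not the project's; confirm the paths with command -v zfs on your nas.

```sh
#!/bin/sh
# Added example, not part of zfs-backup: a least-privilege replacement for
# "user ALL=(ALL) NOPASSWD: ALL". It grants passwordless root only for the
# ZFS binaries the backup needs. Assumed (not stated on the page): the script
# needs nothing beyond zfs and zpool as root, and the binaries live at the
# paths below (check with: command -v zfs).
set -eu

ZFS_BIN=${ZFS_BIN:-/usr/sbin/zfs}
ZPOOL_BIN=${ZPOOL_BIN:-/usr/sbin/zpool}

# render_sudoers USER: print the sudoers fragment to stdout.
# A Cmnd_Alias without arguments allows any arguments to those binaries,
# which "zfs send"/"zfs receive" with changing snapshot names needs.
render_sudoers() {
    printf '# zfs-backup: passwordless root only for the ZFS tools, not for ALL\n'
    printf 'Cmnd_Alias ZFS_BACKUP = %s, %s\n' "$ZFS_BIN" "$ZPOOL_BIN"
    printf '%s ALL=(root) NOPASSWD: ZFS_BACKUP\n' "$1"
}

# write_sudoers USER FILE: write the fragment with the mode sudo expects
# (0440) and refuse to install it if visudo rejects the syntax, because a
# broken file under /etc/sudoers.d makes sudo refuse to run at all.
write_sudoers() {
    tmp=$(mktemp)
    render_sudoers "$1" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$tmp"; then
        rm -f "$tmp"
        echo "sudoers fragment rejected by visudo, nothing installed" >&2
        return 1
    fi
    mv "$tmp" "$2"
}

# verify_sudo: what the page's "sudo ls -la /root" test becomes under the
# restricted rule. Run as the nas user: zfs must work as root with no
# password (-n fails instead of prompting), anything else must not.
verify_sudo() {
    sudo -n "$ZFS_BIN" list >/dev/null 2>&1 || { echo "zfs is not allowed without a password"; return 1; }
    if sudo -n /bin/ls /root >/dev/null 2>&1; then
        echo "passwordless sudo is still broader than the ZFS tools"
        return 1
    fi
    echo "passwordless sudo is restricted to the ZFS tools as intended"
}

# Usage: sh restrict-sudo.sh render [user]   (review the fragment)
#        sudo sh restrict-sudo.sh install [user]
#        sh restrict-sudo.sh verify           (as the nas user)
case "${1:-render}" in
    render)  render_sudoers "${2:-user}" ;;
    install) write_sudoers "${2:-user}" /etc/sudoers.d/zfs-backup ;;
    verify)  verify_sudo ;;
esac
```

After installing the drop-in, remove the NOPASSWD: ALL line from visudo again, otherwise the broader rule still applies. With the restricted rule, the sudo ls -la /root test above is expected to ask for a password; sudo -n zfs list is the command that should now succeed silently, and that is what verify checks.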
Enough, let's go to fix the remote user.
ZFS Backup, (c) 2024 Luca Finzi Contini - Use it at your own risk but enjoy doing so :)