One of my more recent installations, the BackupPC server I wrote about earlier, needs full access as the user root to his clients in order to retrieve the backups. Here’s how I implemented authentication on this machine.
BackupPC runs as its own designated user, backuppc. All authentication procedures therefore happen in the context of this user.
The key component in ssh-agent operation is a Unix domain socket that the ssh client uses to communicate with the agent. The default naming scheme for this socket is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. The name of the socket is stored in the environment variable SSH_AUTH_SOCK. The windowing environments on our local workstations usually run as child processes of ssh-agent. They inherit this environment variable from their parent process (the agent) and therefore the shells running inside our Xterms know how to communicate with it.
In the case of a background server using the agent, however, things are happening in parallel: On one hand, we have the daemon which is being started on bootup. On the other hand, we have the user which the daemon is running as, who needs to interactively add his SSH identity to the agent. Therefore, the concept of an automatically generated socket path is not applicable and it would be preferable to harmonize everything to a common path, such as ~/.ssh/agent.socket.
Fortunately, all components in the SSH authentication system allow for this kind of harmonization.
The option -a to the SSH agent allows us to set the path for the UNIX domain socket. This is what this small script, /usr/local/bin/ssh-agent-wrapper.sh does on my backup server:
#!/bin/bash SOCKET=~/.ssh/agent.socket ENV=~/.ssh/agent.env ssh-agent -a $SOCKET > $ENV
When being started in stand-alone mode (without a child process that it should control), ssh-agent outputs some information that can be sourced from other scripts:
SSH_AUTH_SOCK=/var/lib/backuppc/.ssh/agent.socket; export SSH_AUTH_SOCK; SSH_AGENT_PID=1234; export SSH_AGENT_PID; echo Agent pid 1234;
This file may sourced from the daemon user’s ~/.bash_profile:
test -s .ssh/agent.env && . .ssh/agent.env
However, this creates a condition where we can’t bootstrap the whole process for the first time. So it might be somewhat cleaner to just set SSH_AUTH_SOCK to a fixed value:
Here’s the workflow for initializing the SSH agent for my backuppc user after bootup:
root@foo:~ # su - backuppc backuppc@foo:~ $ ssh-agent-wrapper.sh backuppc@foo:~ $ ssh-add
In the meantime, what is happening to the backuppc daemon?
In /etc/init.d/backuppc, I have added the following line somewhere near the top of the script:
This means that immediately after boot-up, the daemon will be unable to log on to other systems, as long as ssh-agent has not been initialized using ssh-agent-wrapper.sh. After starting ssh-agent and adding the identity, the daemon will be able to authenticate. This also means that tasks in the daemon that do not rely on SSH access (in the case of BackupPC, things like housekeeping and smbclient backups of “Windows” systems) will already be in full operation.
Ah, wonderfull explanation. Many thanks for this. Best luck to you and your family and a wealthy 2009!
This line dont work for me in /etc/init.d/backupc
I had to use:
“test -s /var/lib/backuppc/.ssh/agent.env && . /var/lib/backuppc/.ssh/agent.env”
dont now why?
thaks by the way
If you have really used this in the init script, it did not work because the init script is run by root and in this context, the tilde resolves to /root. That’s why I wrote ~backuppc above. Anyway, your solution is practically identical, so there’s nothing wrong with it. 🙂
ok, i understand…
thanks for your article, anyway.
Pingback: SSH, OpenSSH « Eikonal Blog