Easy Rsync Remote Backups Using SSH Keys

Rsync is an excellent file transfer utility that’s especially well suited for backing up files over the Internet because it only transfers the data that has changed. A friend asked me how to set it up, so I thought I’d post what I sent him here.

Goal: Back up a directory from computer Zim to computer Ark

Details:

  • Both Zim and Ark are subdomains of example.com
  • The user on Ark which receives the backup files is named backupuser
  • The user on Zim with access to the files you want to back up is named steve

Prerequisites:

  • ssh installed on both hosts
  • rsync installed on both hosts

  1. Log in to Zim via ssh:
    ssh steve@zim.example.com
  2. Generate an SSH key pair using:
    ssh-keygen -t rsa
    <press enter when prompted where to save the key>
    <press enter twice when asked for a passphrase>
  3. To use the key to log in to Ark remotely without manually entering a password, you need to copy the public key from Zim to Ark using:
    ssh-copy-id -i .ssh/id_rsa.pub backupuser@ark.example.com

    If you don’t have ssh-copy-id on your system, get a new system. ;) If that’s not possible you can download the script with:

    wget -O ssh-copy-id 'http://cvsweb.mindrot.org/index.cgi/~checkout~/openssh/contrib/ssh-copy-id?rev=1.6;content-type=text%2Fplain' && chmod +x ssh-copy-id

    Then retry the above command, but prepend a “./”:

    ./ssh-copy-id -i .ssh/id_rsa.pub backupuser@ark.example.com
  4. Verify the key copied properly by attempting to log in to Ark. You should not be prompted for a password:
    ssh backupuser@ark.example.com
  5. Log out of Ark. The key is set up, so you’re now ready to rsync files without having to manually enter a password.
  6. Test rsync by choosing a small file to backup and using:
    rsync -tP /some/small/testfile backupuser@ark.example.com:/tmp

    A nice little progress bar should be displayed as the file is transferred. Confirm that “testfile” is now in /tmp on Ark.

  7. You’re finally ready to do a real rsync like:
    rsync -t /directory/to/backup/* backupuser@ark.example.com:/existing/backup/directory

    Note: There are several useful options for rsync. Check man rsync to find out more.

    • -p — preserve permissions (useful for backups, use -E if you only care about the executable bit)
    • -r — recursively backup directories.
    • -z — compress uncompressed files
    • And just FYI: -t tells rsync to use the last modified timestamp to determine whether or not to transfer files. It makes rsync a lot faster at determining whether or not files have changed.
  8. To schedule the backup to take place nightly at 1:13 AM, edit your crontab using crontab -e and insert the following line:
    13 1 * * * rsync -qt /directory/to/backup/* backupuser@ark.example.com:/existing/backup/directory

Caveats:

  • These instructions will push files from Zim to Ark. There’s no reason why Ark couldn’t pull files from Zim. In fact, this is often more secure if Zim is a web server with a larger attack surface than Ark. Mea culpa.
  • If the IP address of Ark is dynamic, use a service like dyndns.com. Otherwise SSH will give you errors.
  • Major security warning: If someone breaks into Zim, they can also delete all of your backups on Ark. Never ever ever use the root user for backups on Ark. You can use the root user on Zim to send the backups, but it’s best to have a special backup user set up on Ark to receive the backup.
  • http://www.gresshosting.com John

    You need to limit what command is executed when syncing without a password: prefix the key with command="/path/to/validating/script".

    As an example, your secured authorized_keys file might look like:

    command="/home/user/validate-rsync.sh" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyNChQxw/+Da….= user@remotehost.com

    Finally, put something like the following in your validate-rsync.sh file:

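    #!/bin/sh
    # Forced command: SSH_ORIGINAL_COMMAND holds what the client asked to run.
    case "$SSH_ORIGINAL_COMMAND" in
        *\&*)
            echo "Rejected"
            ;;
        *\;*)
            echo "Rejected"
            ;;
        rsync\ --server*)
            # Only rsync's server mode is allowed through.
            $SSH_ORIGINAL_COMMAND
            ;;
        *)
            echo "Rejected"
            ;;
    esac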

    Make it executable by typing: chmod +x ~/validate-rsync.sh.

    This will check to see if the ssh session is being used to execute an rsync backup.

    If it is being used for anything else, the session will be rejected and closed.

    Nice tutorial bro… ;)
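
A stricter form of the forced-command check in the comment above, tied to the tutorial's push-to-Ark setup and its security warning. This is an added example, not John's script or part of the original post; `ALLOWED_DIR` and the function name `validate_rsync_command` are assumptions, and the sample command in the comments is constructed.

```shell
#!/bin/sh
# Added example: receive-only forced-command check for backupuser on Ark.
# ALLOWED_DIR is an assumption taken from the tutorial's destination path.
ALLOWED_DIR="/existing/backup/directory"

# Return 0 only for an "rsync --server" upload into ALLOWED_DIR.
# Constructed sample of what a push from Zim sends:
#   rsync --server -te.LsfxC . /existing/backup/directory
validate_rsync_command() {
    cmd=$1
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # The command is never passed to eval, but refuse shell syntax anyway.
    case "$cmd" in
        *\;*|*\&*|*\|*|*\`*|*\$*|*\<*|*\>*) return 1 ;;
    esac
    set -f; set -- $cmd; set +f     # split into words without globbing
    shift 2                         # drop "rsync --server"
    dest=
    for arg in "$@"; do
        case "$arg" in
            --sender)  return 1 ;;  # would let the key read files from Ark
            --delete*) return 1 ;;  # would let the key prune existing backups
        esac
        dest=$arg                   # last word is the destination path
    done
    case "$dest" in
        */../*|*/..) return 1 ;;    # no climbing out of ALLOWED_DIR
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
    esac
    return 1
}

# Runs only when sshd invoked this script via command="..." in authorized_keys.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Rejected" >&2
    exit 1
fi
```

A key restricted this way can still overwrite files under `ALLOWED_DIR`, so the caveat about a compromised Zim still applies to existing backups.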

  • Vinay

    I want to do this remote rsync just one off to create a one time back up for a few days
    (need to preserve permissions and timings etc so using rsync)

    so no ssh keys

    while specifying the remote directory I am giving as below

    I am trying the below command

    /software/rsync/usr/local/bin/rsync -rlptgov --rsync-path=/software/rsync/usr/local/bin/rsync --delete myUser@123.123.123.123 :/t1 t2

    Intending to copy from remote directory t1 to directory t2
    I am getting the below response
    receiving incremental file list
    rsync: change_dir#3 "123.123.123.123" failed: No such file or directory (2)
    rsync error: errors selecting input/output files, dirs (code 3) at main.c(707) [sender=3.0.4]
    rsync: connection unexpectedly closed (9 bytes received so far) [receiver]
    rsync error: error in rsync protocol data stream (code 12) at io.c(632) [receiver=3.0.4]

    If you can kindly guide ?

  • Vinay

    just to add to my last query I am expecting to be prompted for password and that is also not coming.
    tried using rsync on both the machines locally and that is working.
