#1 2019-07-15 00:05:18

herrep
Member
From: Munich
Registered: 2019-07-08
Posts: 16

Permission denied with --backup-point=IP:PORT: - manual login ok

Hi,

From another post I learned that backup speed of xsibackup could be increased if the backup destination is addressed via SSH rather than via NFS.

Therefore, I added the provided xsibackup public key to the authorized_keys of the backup destination system for the appropriate backup user.

Additionally, I ran ./xsibackup --link-srv=<ip_backup>:<port_backup> --backup-as=<user_backup> which caused the following output:

The local RSA key has already been added to the authorized_keys file at <ip_backup>:<port_backup>.
There is no need to add it again, you should be able to connect with XSIBackup to <ip_backup>:<port_backup> without any password.

In my xsibackup command, I defined options --backup-as=<user_backup> --backup-point=<ip_backup>:<port_backup>:/path/to/backup/directory, but it failed:

2019-07-14T23:41:09|  Backup user is: backup
---------------------------------------------------------------------------------------------------------------------------------
2019-07-14T23:41:09|  Backup program is: onediff
---------------------------------------------------------------------------------------------------------------------------------
2019-07-14T23:41:11|  Remote OpenSSH version is: 7.4
---------------------------------------------------------------------------------------------------------------------------------
2019-07-14T23:41:11|  Negotiated Cipher (server->client): aes128-ctr
2019-07-14T23:41:11|  Negotiated Cipher (client->server): aes128-ctr
---------------------------------------------------------------------------------------------------------------------------------
2019-07-14T23:41:11|  Service OpenSSH ready at server <ip_backup>:<port_backup>
---------------------------------------------------------------------------------------------------------------------------------
2019-07-14T23:41:11|  Permission denied. Please use --link-srv=remote-IP:remote-port argument to exchange keys.
---------------------------------------------------------------------------------------------------------------------------------

In another try, I installed the private/public key provided with xsibackup also as the keys for ESXi root on the host where xsibackup is installed. I verified that I could log in to the backup system as <backup_user> without entering any credentials.

I am stuck at the moment, as all my manual actions work to access the backup system as the backup user without entering any credentials.

Is there any hint, especially as to how to debug?

Best regards,
Peter

Offline

#2 2019-07-15 10:59:37

admin
Administrator
Registered: 2017-04-21
Posts: 1,362

Re: Permission denied with --backup-point=IP:PORT: - manual login ok

Please read the manual, this forum can't act as a substitute for that.
You have a single line warning that is letting you know exactly what the issue is:

Permission denied. Please use --link-srv=remote-IP:remote-port argument to exchange keys.

Run the --link-srv argument to make communication between both servers possible.

Offline

#3 2019-07-15 11:07:56

herrep
Member
From: Munich
Registered: 2019-07-08
Posts: 16

Re: Permission denied with --backup-point=IP:PORT: - manual login ok

Thank you very much for your quick reply. As already stated in my original post in the second and third paragraph, I had already run the suggested command. Therefore, I wonder what I have missed from the manual, as I had already processed the allegedly missing step of your post:

I had already run ./xsibackup --link-srv=<ip_backup>:<port_backup> --backup-as=<user_backup> which caused the following output:

The local RSA key has already been added to the authorized_keys file at <ip_backup>:<port_backup>.
There is no need to add it again, you should be able to connect with XSIBackup to <ip_backup>:<port_backup> without any password.

Due to this output, I could not follow the manual further and, as a result, I wrote a post where I included all details of what I have done so far to identify the problem. However, as ALL manual actions to access the backup destination worked fine, I had only the way to write a post. In particular, I can run ssh backup@<ip-address-backup-server> from the ESXi server with the same public key as stored in xsi-dir, and then I get immediate access without entering any credentials. Although authorized_keys at the destination backup system was already correctly set up, I nevertheless ran ./xsibackup --link-srv=<ip_backup>:<port_backup> --backup-as=<user_backup>, as I did not know which further tasks were included in this command. But I failed, and I could identify nothing in the manual that could help me to overcome the issue.

Offline

#4 2019-07-15 13:04:08

admin
Administrator
Registered: 2017-04-21
Posts: 1,362

Re: Permission denied with --backup-point=IP:PORT: - manual login ok

O.K., sorry about the "too quick" answer.

The initial premise is wrong: SSH won't be faster than NFS, unless you are connecting to a distant NFS server with high latency and you have configured NFS as synchronous.

You have no other choice than inspecting the authorized_keys file for that user manually; do so and get back to us.

Your XSIBACKUP public RSA key should appear at the bottom.

Offline

#5 2019-07-15 13:34:45

herrep
Member
From: Munich
Registered: 2019-07-08
Posts: 16

Re: Permission denied with --backup-point=IP:PORT: - manual login ok

My xsibackup RSA key is appended to the authorized_keys file for sure. As a further test, I used the xsibackup RSA key as key for the root user at my ESXi on which xsibackup is running and performed "ssh <user_backup>@<ip_backup>". I could log in without entering any credentials. The question is how I can debug this scenario.

Offline

#6 2019-07-15 19:16:31

admin
Administrator
Registered: 2017-04-21
Posts: 1,362

Re: Permission denied with --backup-point=IP:PORT: - manual login ok

Well, we are still lacking some relevant info. What is the remote system you are backing up to? Is it Linux or ESXi?

If the remote system is ESXi you will need to configure a user that has all the appropriate rights on each of the files/folders implied in the backup process at the target, that is: read/write/create permissions on the target folder, which is a full privileged user on the target.

Same will happen on the target system if it's a Linux server.

The way to debug this is to run an SSH command that creates a file at your backup target folder and writes something to it. Enable ssh debugging and inspect the ssh client output.

ssh -vvv -p 22 -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no -i xsibackup_id_rsa <user_backup>@<ip backup> "echo 'HI THERE' > /path/to/backup/directory/test_file.txt"

In any case, if you performed this test with the root user and it succeeded, then it means that your RSA public key was added to the root user authorized_keys file, and not to the backup user one. Each user has a separate authorized_keys file where public keys are stored for that user.

Offline

#7 2019-07-15 19:34:17

herrep
Member
From: Munich
Registered: 2019-07-08
Posts: 16

Re: Permission denied with --backup-point=IP:PORT: - manual login ok

Thank you very much for this test script. It showed me that the authorization was all right, but the path to the backup folder was wrong. However, after changing the backup folder to the right location where my backup user has indeed write access (verified by your script, the test file was created), the already reported error did not vanish:

2019-07-15T21:25:07|  Backup user is: backup
---------------------------------------------------------------------------------------------------------------------------------
2019-07-15T21:25:07|  Backup program is: onediff
---------------------------------------------------------------------------------------------------------------------------------
2019-07-15T21:25:09|  Remote OpenSSH version is: 7.4
---------------------------------------------------------------------------------------------------------------------------------
2019-07-15T21:25:09|  Negotiated Cipher (server->client): aes128-ctr
2019-07-15T21:25:09|  Negotiated Cipher (client->server): aes128-ctr
---------------------------------------------------------------------------------------------------------------------------------
2019-07-15T21:25:09|  Service OpenSSH ready at server 192.168.4.10:22
---------------------------------------------------------------------------------------------------------------------------------
2019-07-15T21:25:09|  Permission denied. Please use --link-srv=remote-IP:remote-port argument to exchange keys.
---------------------------------------------------------------------------------------------------------------------------------

As you know, the keys were already exchanged via link-srv.

Offline

#8 2019-07-16 09:01:32

admin
Administrator
Registered: 2017-04-21
Posts: 1,362

Re: Permission denied with --backup-point=IP:PORT: - manual login ok

This is the exact piece of code that raises your error at line 1366:

REMESXiVers="$( ( eval ssh "$SSHOPTS" -p "$baksrvport" ${defremusr}@"$baksrvaddr" "\"vmware -v | awk '{print \\\$3}'\"" ) 2>&1 )"

You can translate that to

ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no -i xsibackup_id_rsa -p 22 <user>@<ip backup> "vmware -v | awk '{print \$3}'"

Run it from your xsi-dir folder. In case you get the permission error, debug by adding -vvv after the ssh binary call.
In case you don't get a permission error, you will need to debug that line in the xsibackup file.

vmware -v should have execute permissions for your user.

Offline
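
The two manual checks suggested in posts #6 and #8 can be wrapped so that the result names the layer that refused. This is an added example, not part of any post and not xsibackup code; classify_ssh_probe, probe and classify_samples are hypothetical names, the sample lines are constructed, and an OpenSSH client is assumed.

```shell
#!/bin/sh
# Added example (not xsibackup code). Function names are hypothetical.
# ssh exits 255 for its own errors (authentication, host key, network);
# any other status is the exit status of the remote command.

# classify_ssh_probe RC OUTPUT -> prints one label for the failing layer
classify_ssh_probe() {
    rc=$1; output=$2
    case "$rc" in
        0)   echo "ok" ;;
        255) case "$output" in
                 # OpenSSH client wording: "Permission denied (publickey,...)."
                 *"Permission denied ("*) echo "ssh-auth-denied" ;;
                 *)                       echo "ssh-transport-error" ;;
             esac ;;
        126) echo "remote-not-executable" ;;  # found, but no execute permission
        127) echo "remote-not-found" ;;       # no such command on the target
        *)   echo "remote-command-failed" ;;  # e.g. redirect into unwritable dir
    esac
}

# probe KEY PORT USER@HOST REMOTE_COMMAND
# BatchMode=yes makes ssh fail instead of prompting, as in an unattended run.
# IdentitiesOnly=yes keeps agent keys out, so only KEY is offered.
# Host key checking is left at the client default.
probe() {
    out=$(ssh -o BatchMode=yes -o IdentitiesOnly=yes \
              -o PreferredAuthentications=publickey \
              -i "$1" -p "$2" "$3" "$4" 2>&1) && rc=0 || rc=$?
    printf '%s | %s\n' "$(classify_ssh_probe "$rc" "$out")" "$out"
}

# Usage, from the xsi-dir folder (placeholders as in the thread):
#   probe xsibackup_id_rsa 22 '<user_backup>@<ip_backup>' \
#         "echo test > /path/to/backup/directory/test_file.txt"
#   probe xsibackup_id_rsa 22 '<user_backup>@<ip_backup>' "vmware -v"
# Run "vmware -v" without the awk pipe: a pipeline reports awk's status,
# which hides a failure of vmware itself.

# Constructed sample results, one "rc|output" pair per line.
classify_samples() {
    while IFS='|' read -r rc output; do
        classify_ssh_probe "$rc" "$output"
    done <<'EOF'
255|backup@host: Permission denied (publickey,password).
126|sh: /bin/vmware: Permission denied
127|sh: vmware: command not found
EOF
}
```

Because the xsibackup line quoted in post #8 captures stderr with 2>&1, a "Permission denied" string can originate from either the ssh client or the remote shell; the exit status is what tells them apart.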
