CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 gregmcc, 2007-03-18
Backup to SCP server

I am trying to set up the backup schedule to back up to an SCP server (Suse 10) from my NGX62 splat server.

The backups keep failing - I've checked the messages file on the suse server and see:

Mar 18 10:06:09 xxxx sshd[6166]: error: PAM: Authentication failure for username from x.x.x.x

If I do a manual scp command using the same credentials I can copy files to the server.

Any idea why it doesn't work through the GUI?

#2 melipla, 2007-03-19
Re: Backup to SCP server

I've had similar difficulties using the web gui for configuring a scheduled backup. Try using the command line utility "backup" to configure:

# backup --help
usage:
backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [--tftp <ServerIP> [-path <Path>] [<Filename>]]
[--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
[--file [-path <Path>] [<Filename>]]


where:
-d Show debug messages
-l, --logs Back up log files
-h, --help Show this help information
-t, --tftp Transfer backup package to TFTP server
-s, --scp Transfer backup package to SCP server
-f, --file Specify local backup package filename
-e, --sched Configure scheduled backup operation
-p, --purge Purge local backup packages older than DAYS

and check out /var/CPbackup/conf/backup_sched.conf

#3 gregmcc, 2007-04-15
Re: Backup to SCP server

Thanks - I'll give that a shot and let you know what happens :)

#4 gregmcc, 2007-05-13
Re: Backup to SCP server

Still can't seem to get it to work.

I've tried the following:

backup -d --sched on 15:25 -m 13 --scp 10.1.2.3 test test

When the job runs on my scp server I see:
error: PAM: Authentication failure for test from server

#5 gregmcc, 2007-05-13
Re: Backup to SCP server

I've tried a few more things but still cannot get it going.
Can someone please confirm a few things. I've looked at the backup_sched.conf

Is the password stored under SCP_PASSWORD encrypted? If I schedule the backup, the password I entered appears garbled in the file.

Not sure if it's a bug, but when I run "backup -d --scp 10.1.7.244 checkpoint checkpoint" the credentials it tries to log on to the scp server with are retrieved from the above .conf file and not as per the command line???

This is driving me crazy - can someone please post their command line they are using and maybe their .conf file as well.

#6 melipla, 2007-05-14
Re: Backup to SCP server

Quote:
Originally Posted by gregmcc View Post
Is the password stored under SCP_PASSWORD encrypted? If I schedule the backup, the password I entered appears garbled in the file.
Yes, that is correct.

Quote:
Not sure if it's a bug, but when I run "backup -d --scp 10.1.7.244 checkpoint checkpoint" the credentials it tries to log on to the scp server with are retrieved from the above .conf file and not as per the command line???
More like "bad documentation"--some Check Point commands are more of an either/or type. Either you use the -d option or you use --scp; you cannot combine the two [I think that's why they're on separate lines when you do a --help]. You're using the login information from the conf file because that's what option -d invokes.

Quote:
This is driving me crazy - can someone please post their command line they are using and maybe their .conf file as well.
Backup.conf file is pretty straightforward:

Quote:
[/var//CPbackup/conf]# cat backup_sched.conf
STORAGE=SCP
FILE_NAME=cpbackup_`date +%M`m.tgz
TFTP=
SCP=10.1.1.1
SCP_USER_NAME=backupusername
SCP_PASSWORD=encryptedbackuppass
SCHEDULER=ENABLED
BACKUP_LOGFILES=NO
START_HOUR=10
START_MINUTE=10
DAILY=FALSE
PER_DAYS=1
LAST_SUCCEEDED_BACKUP=11234234
LAST_SUCCEEDED_BACKUP_LOCAL=11234234
WEEK_DAYS=2
Naturally I edited it but you should get the gist. I will say that this error:

Quote:
Mar 18 10:06:09 xxxx sshd[6166]: error: PAM: Authentication failure for username from x.x.x.x
Points to a problem on your ssh server. Either you need to allow SSH logins from your checkpoint IP or you're using the wrong username and password. It's not an error with your backup config--it's an error with your ssh server. Check your /var/log/messages on the ssh server. At the very least, ensure you can login with "ssh <backup_user>@<backup_server_ip>" from your CP system.

HTH

#7 gregmcc, 2007-05-17
Re: Backup to SCP server

Thanks for the tips.

Still no luck though :(

From the CP console I can ssh to my remote box - works fine.

If I run "backup --scp 10.1.7.244 checkpoint checkpoint" the backup program starts and asks me for the password again and then successfully dumps the file to the remote ssh server.

If I run it via the scheduler it still fails with the same "pam authentication error" - I don't think it's the ssh server as I can ssh to it and the backup program without the scheduler seems to work.

#8 melipla, 2007-05-21
Re: Backup to SCP server

Quote:
Originally Posted by gregmcc View Post
If I run "backup --scp 10.1.7.244 checkpoint checkpoint" the backup program starts and asks me for the password again and then successfully dumps the file to the remote ssh server.

If I run it via the scheduler it still fails with the same "pam authentication error" - I don't think it's the ssh server as I can ssh to it and the backup program without the scheduler seems to work.
If you're receiving a "pam authentication error" then your password authentication is failing. PAM is the secondary authentication method, a password is the primary. If the primary authentication method fails to authenticate you, then the secondary authentication method will be attempted. I'm guessing you haven't actually set up your server to authenticate via PAM and that is why you're seeing the PAM error. You WILL NOT see an error for your incorrect / mistyped password.

FYI I tried this from my R65 and R60 splat and was not prompted for a password in either scenario...

Quote:
[Expert@cpmodule]# backup --scp 10.1.1.1 backuser backpass
Are you sure you want to proceed (y/n) [y]? y

Creating backup package...
Done
Transferring the backup package...
Done
[Expert@cpmodule]# backup --scp 10.1.1.1 backuser wrongpass
Are you sure you want to proceed (y/n) [y]?

Creating backup package...
Done
Transferring the backup package...
Failed to transfer the package to the remote servers: 10.1.1.1

[Expert@cpmodule]#

#9 dsb.nepo, 2007-07-20
Re: Backup to SCP server

Maybe this solves your problem; it works for me.

at the target machine:
create a new user SplatBackup
cd ~SplatBackup
mkdir ~SplatBackup/.ssh
chown -R SplatBackup ~SplatBackup/.ssh
chgrp -R SplatBackup ~SplatBackup/.ssh

at the fwmgmt (logged in as expert):
copy the public root ssh key from the fwmgmt to the TargetMachine
scp /root/.ssh/id_(rsa|dsa).pub SplatBackup@TargetMachine:.ssh/id_fwmgmt.pub

at the target machine:
su - SplatBackup
cd ~/.ssh/
cat id_fwmgmt.pub >> ~/.ssh/authorized_keys


Now the backup works from the web interface even when scheduled.
The password for the backupuser at the fwmgmt can be anything but not empty, auth is done via the public key.
Reply With Quote
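
The target-side steps from post #9, written as an added example that is not part of the original thread: it installs the firewall's public key for the backup account with the permissions sshd's StrictModes check expects, and pins the key to the firewall's address. The function names and the 192.0.2.10 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, run on the target machine as the backup user (SplatBackup in the post).
# install_backup_key and check_ssh_perms are hypothetical names; 192.0.2.10 is a placeholder IP.

# install_backup_key <home> <pubkey_file> <firewall_ip>
install_backup_key() {
    home=$1; pub=$2; src=$3
    auth="$home/.ssh/authorized_keys"

    # Accept only a file holding one OpenSSH public key line
    [ "$(wc -l < "$pub")" -le 1 ] || { echo "expected one key" >&2; return 1; }
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ ?*|ssh-dss\ ?*|ssh-ed25519\ ?*|ecdsa-sha2-*\ ?*) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    [ -n "$blob" ] || return 1

    # sshd ignores keys kept in group- or world-writable locations (StrictModes)
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this key is already authorized
    if grep -qF -- "$blob" "$auth"; then return 0; fi

    # Pin the key to the firewall's address and strip interactive features
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$src" "$key" >> "$auth"
}

# check_ssh_perms <home>: succeeds only if no path is group- or world-writable
check_ssh_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        case $(ls -ld "$p" | cut -c1-10) in
            ?????w*|????????w*) return 1 ;;
        esac
    done
    return 0
}

# Demo in a scratch directory with a constructed, non-functional key
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed root@fwmgmt' > "$demo/id_fwmgmt.pub"
install_backup_key "$demo" "$demo/id_fwmgmt.pub" 192.0.2.10 &&
    check_ssh_perms "$demo" && cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

If key login is still refused after this, run check_ssh_perms against the account's home directory first: a group-writable home or .ssh directory makes sshd skip authorized_keys and fall back to password authentication.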

#10 gregmcc, 2007-08-20
Re: Backup to SCP server

dsb.nepo - thanks a ton. I've followed what you suggested and it worked first time! :)