Configuring Rsync Server with SSH tunnel and cert

  • I'm trying to set up omv to be an Rsync server and have for security an SSH tunnel with certificate authentication. This is a must because password authentication is sent in the clear otherwise.


    Nightmare. No offense but the omv GUI is confusing as hell. Is this even possible with OMV?
    This is a basic nas must have... doesn't seem too obvious via omv GUI.


    How can I set up omv rsync server to work over certificate authenticated ssh?
    Step-by-step instructions would be nice.


    I ask for step-by-step because the gui has too many conflicting places to set what seems to be the same thing but perhaps not.
    For example, I click Rsync-server-modules-add.


    Now I see General page
    there I see User (Description: This option specifies the user name that file transfers to and from that module should take place.)
    So I select RsyncBackup in the drop down menu... I made this user already in omv main GUI users place.
    However, after configuring everything else in General tab, I can't press save.
    Next to general tab I see another tab called "Users". Ahhh... ok... wth... I already added a user on the previous tab. Confusing.
    So I click that Users tab, in drop down I see RsyncBackup. Great, I select it. Guess what? Can't save again because apparently I need to overwrite the already assigned password for the RsyncBackup user. Why? I already gave RsyncBackup a password when I made him. So is RsyncBackup going to have a diff password for Rsync than in general? Confusing. Conflicting. Buggy. omv is riddled with frustrating things like this.


    A good clear step-by-step guide would be greatly appreciated for getting such a basic backup setup working with omv.


    Also, I should add that it isn't a great thing that when I try to search the forum for "backup" or "rsync", I get a too general search term error.


    Cheers.

    • Official post

    You are on a roll today about all the things OMV is lacking...


    You can use rsync over ssh easily. Enable ssh and rsync servers. That's it. There is no setup necessary.


    rsync -avz -e ssh remoteuser@remotehost:/remote/dir /this/dir/


    The password is sent over ssh. So, it is encrypted if you don't want to use certs.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
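
To make the thread's point about passwords versus keys concrete, here is an added example (not from any poster and not OMV's own code): a shell check of whether an sshd_config still accepts passwords globally, plus a generator for an authorized_keys entry that limits a backup key to rsync in one directory. The sample config, the key string, the `rsyncbackup` account, `/srv/backup`, `~/.ssh/omv_backup` and the `/usr/bin/rrsync` path are constructed assumptions.

```shell
#!/bin/sh
# Added example: key-only rsync over SSH. Names and paths are assumptions.

# Constructed sample sshd_config (not taken from a real system).
SAMPLE_SSHD_CONFIG='Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
Match User rsyncbackup
    PasswordAuthentication no
'

# Print the global value sshd would use for a keyword in a config text.
# sshd keeps the FIRST value it reads, ignores comment lines and matches
# keywords case-insensitively; everything after the first "Match" line is
# conditional, not global. On a live server `sshd -T` shows the result.
sshd_global_value() {  # $1 = keyword, $2 = built-in default, stdin = config
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# Build an authorized_keys entry that pins a backup key to one directory.
# "restrict" (OpenSSH 7.2+) disables forwarding and pty allocation; the
# forced command runs rrsync, the helper script shipped with rsync.
restricted_key_line() {  # $1 = public key line, $2 = directory, $3 = ro|rw
    case "$2" in ''|*'"'*) echo "bad directory" >&2; return 1 ;; esac
    case "$3" in
        ro) opt="-ro " ;;
        rw) opt="" ;;
        *)  echo "mode must be ro or rw" >&2; return 1 ;;
    esac
    printf 'command="/usr/bin/rrsync %s%s",restrict %s\n' "$opt" "$2" "$1"
}

# Client side, typed by hand against a live host (remote path is then
# relative to the pinned directory):
#   ssh-keygen -t ed25519 -f ~/.ssh/omv_backup
#   rsync -avz -e "ssh -i ~/.ssh/omv_backup -o IdentitiesOnly=yes" \
#       remoteuser@remotehost:dir/ /this/dir/

# Demo on constructed inputs; the key below is not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDNOTAREALKEY backup@client'
printf 'global PasswordAuthentication: %s\n' \
    "$(printf '%s' "$SAMPLE_SSHD_CONFIG" | sshd_global_value PasswordAuthentication yes)"
restricted_key_line "$SAMPLE_PUBKEY" /srv/backup ro
```

In the sample, the commented-out `PasswordAuthentication no` has no effect, so the check reports `yes`: password logins stay enabled for every account except the one covered by the `Match` block.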

  • Quote from "k567890"

    [...]This is a must because password authentication is sent in the clear otherwise.[...]


    So, SSH does send passwords in cleartext? Tell me more about that.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

    • Official post
    Quote from "davidh2k"

    So, SSH does send passwords in cleartext? Tell me more about that.


    Maybe clear text over an encrypted stream :)


  • That is not what I said.


    Rsync works on the client server model. Rsync clients can send data to Rsync servers. Rsync allows you to set a share folder (they call it path), and also allows you to set users and passwords in its config file.


    When an Rsync client talks to an Rsync server, the username and password is sent in clear text and so is the data.


    For this reason it is recommended that one does not use Rsync authentication scheme but instead use Rsync servers via ssh. That is what I said.


    Thank you for your answers. I'm still a little confused though.


    I want to use SSH with a cert. How do I set that up in omv? Where do I add the rsa cert in omv and make ssh use that cert?


    I see that there is a System--Certificates feature.
    What is this?
    If I add a cert here will SSH use it auto? If not, how do I set SSH to use a cert?


    At Services--SSH
    There is no way to select if ssh uses a cert and if so which cert it will use.

  • You don't need your own certs or keys for the encryption to work. When you first use putty don't you see it makes you accept the default cert that was set up? Your putty client is downloading the cert to do encryption before you login. You can use your own certs and keys. There are plenty of guides on how to do that on the internet. Search Google.

  • I know how to set up certs for ssh in linux. My question is about omv. You guys are always saying you want omv features to be configured via web interface. Well, that is what I am asking. How do I configure ssh in omv web interface to use a cert? There are no guides for this; I looked.


    I see you have a System--certificates page in web gui. What is it for and how does it relate to ssh?

  • Ahh. Excellent.


    So, just to be clear, can you please confirm these 4 points?


    (A) Certs added at System--Certificates
    is only for ssh.
    (B) Even though the web gui lets you add more than one cert at System--Certificates
    you should never add more than one because you have only 1 ssh in omv and if you add multiple certificates ssh wouldn't know which to use due to not having a way to configure this in web gui
    (C) By adding my own cert at System-Certificates
    I do not have to manually configure anything else (like adding/configuring manually in debian authorized_keys) and omv ssh will use my cert for ssh authentication and data encryption and it will not use any other cert (ex. the one that came with omv when I downloaded it).
    (D) OMV only needs my public rsa key.

  • The system certs area is to create a cert so you can use ssl. If you enable ssl at System/General Settings/Secure Connection by putting a check in the enable secure connection, then choose one of the certs you created in the web-gui in the drop down section and also put a check in "force secure connection only" your userid and pass will not be in the clear when you sign into omv. There are other plugins which can use ssl too. They can use the same cert as the omv web-gui. The ssl certs are saved at /etc/ssl


    SSH certs are separate and not created in the web-gui. When you install omv the certs/keys are auto created for ssh and saved at /etc/ssh.


    PS- if you do not know when you use http to sign into a site it is not secure. When you see https it is using ssl and is secure, id and passes not in the clear.

  • OK, excellent. Thank you for your help and patience so far.


    I did as you say and now I can access the web gui via ssl. However, this wasn't quite what I was after. Nevertheless, it is nice to have and know.


    Hang in with me just a bit more... Here is what I really want to know.


    What about Services--SSH ???


    I have no way to select a cert for that in web gui.


    That is what would be used during Rsync session, no?
    Because that is the SSH server, right?
    So what certificate will that use?
    How can I make that use my certificate?

  • It will use one that was auto created when you installed OMV. It is safe and unique. No one else has the same as your OMV. There is really no need to change it.


    Yes, if you know how to tunnel via ssh anything being tunneled is secure and encrypted. I have full desktop and I tunnel my vnc through ssh so it is secure.

  • So you are using a .4 vm. Yes, those are not unique. Everyone using would have the same certs/keys. That is bad but those vms are for evaluating/testing OMV.


    I would recommend installing a .5 from scratch. Unless you want some of the plugins from .4 that are not ported to .5 OMV. But I would still install from scratch and do all upgrades to a .4 OMV vm.

  • There is no way to change ssh keys via the web-gui. But there is a command you can enter that will renew/change the keys and then they would be unique. The command is somewhere in the OMV blog.
