SSH from OMV to RaspberryPi - Non Root User

  • Hello all,


    I am looking for some help setting up SSH from my OMV server to a remote raspberry pi to use borgbackup. Currently I am able to reach the remote raspberry pi via VPN (wireguard) and can ssh in via the OMV root user (used root public keys).


    I would like to automate remote backups via borgbackup (following this guide [How-To] Make backups with Borg using borgbackup plugin) and I have setup ssh via the OMV root user to the pi.


    What I am not sure of is if this poses a security issue and if I should be SSH'ing with one of the normal users I have setup on the OMV server? If so, how do you generate keys for a normal SSH user on OMV? Do I need to create a /home directory for the user to do so?


    Thank you in advance for any and all help.

    keeks12 :)

• Official post

    1. I may be in the minority, but in my opinion, yes. For me it's very simple, 2 passwords is harder to crack than 1. I've not had root enabled SSH in years (also don't use sudo users on my server)


    2. If you go this route, I'd recommend using home folders... but you don't have to. Only reason I do is because if I'm in some long path and I just want to reset my prompt... I just type cd and hit enter.. and it's good. If you don't have a home directory, you'll get a "no directory found" error (because it cd's to your home folder when you do that).. of course you can cd to a specific directory if you want. I do quite a bit in command prompt as a user, so I just found I preferred having a home directory.


1. Set up a home folder if you desire in Shared Folders and add it under Users/Settings in the webUI


    2. Create a user in the webUI, add said user to SSH group... save.


3. SSH as the new user for the first time, and a new key will be created for this user. Also, if you're planning to go this route, don't forget to disable root SSH access under SSH in the webUI... then restart the SSH server.

  • Very helpful & I appreciate the response! A couple more questions (if you don't mind):


1. I have the OS drive on a flash drive & two HDDs for data where the sharedfolders live. Would it be a better option to put a user's home folder on the OS drive as opposed to a sharedfolder on one of the HDDs in case something happens to one of the drives? (I have tested this before and it "locks up" / throws errors if the /home folder is removed by removing one of the drives.)


2. I might have miscommunicated (not sure if it matters though...). I have disabled ssh into the OMV server (and remote server for that matter) via root. What I am currently doing is ssh as the OMV ROOT (using the root public keys) to the remote server. The actual ssh login at the remote server is just a random user I created. What I was wondering is if doing this is a security issue? (OMV Root -> SSH -> Remote User)


    Thank you!

• Official post

The way OMV is set up, you would have to put the home folders on your storage drives, since home directories by default are not created by the webUI... unless you create them via command line. Personally, I just put my home folders on the storage drives and don't worry about it. I've never had issues with locking up, etc.


    Sorry maybe I'm just dense but that second paragraph made no sense at all... So I can't really give you an answer there. My simple answer is.. don't try to reinvent the wheel. KISS principle is easy to follow here.

  • No, no you are not dense, if anyone it is most definitely me. I think what I am asking is maybe just strange or something that is unorthodox.


I'll try to explain one more time and if not, it's no worries; it is likely I am asking something that isn't correct. I think you have given me enough good info to get this done the KISS way. Okay, here goes:


    OMV server initiates an ssh session with another REMOTE server, using the OMV root public key stored on the remote server as an authorized key.


    Essentially the OMV is using its root's public key to connect to the remote server, but still logging (ssh'ing) into the remote server as a user Ex: "ssh user1@192.168.2.20"


My question being: is it a security issue to store a root user's ssh public key on a remote server and initiate an ssh session using it? Even though the actual remote shell (ssh) is just a user on the remote server?


    I appreciate your patience and response. Thank you so much. :)

• Official post

    Now I see what you're saying.


    I guess in theory it could be... The big question for me is how much control you have over the remote server. I'm not a big fan of talking "server to server" (I think that's what you're saying).. if I don't have full control over both servers.

  • You are correct it’s server-to-server communication.


In this case the remote server is completely controlled by me (at a relative's house, behind a NAT) so risk “should be” low. It just struck me as odd to be using the OMV root’s public key for ssh.


    The only purpose for the server-to-server communication is for borgbackup, backing up the contents of my OMV server to a remote location.

• Official post

> You are correct it’s server-to-server communication.
>
> In this case the remote server is completely controlled by me (at a relative's house, behind a NAT) so risk “should be” low. It just struck me as odd to be using the OMV root’s public key for ssh.
>
> The only purpose for the server-to-server communication is for borgbackup, backing up the contents of my OMV server to a remote location.

    I guess I would only question if it was absolutely required to use root for that task.. (one wouldn't think so, but I don't use it)
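The two practical points in this thread, a dedicated non-root user with its own key (the numbered steps in the first official post) and the concern about putting the OMV root's key on the remote Pi, both come down to what the key on the remote side is allowed to do. The script below is an added example, not code from the thread or from OMV/borg: it builds an authorized_keys entry for the remote Pi that pins the key to `borg serve` and to a single repository path, and checks a constructed sshd_config fragment for `PermitRootLogin no`. The user name `borgbackup`, the repository path `/srv/borg/omv` and the sample config are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege SSH setup for a
# dedicated borg backup user on the remote Pi. Names and paths are assumed.

# Print an authorized_keys line that forces the key to run "borg serve"
# limited to one repository. "restrict" (OpenSSH 7.2+) also disables
# port/agent/X11 forwarding and pty allocation, so a leaked key yields
# no interactive shell on the Pi, whoever generated it.
make_borg_authorized_key() {
    pubkey="$1"   # contents of the backup user's id_ed25519.pub
    repo="$2"     # the only repository path this key may touch
    printf 'command="borg serve --restrict-to-repository %s",restrict %s\n' "$repo" "$pubkey"
}

# Return 0 when the given sshd_config disables root login, 1 otherwise.
# Uses the last uncommented PermitRootLogin line, as sshd would.
sshd_denies_root() {
    cfg="$1"
    val=$(grep -i '^[[:space:]]*PermitRootLogin' "$cfg" | tail -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# Stand-alone demo: generate a key for the (assumed) "borgbackup" user when
# ssh-keygen is available, and show the line to append on the Pi in
# ~borgbackup/.ssh/authorized_keys.
if command -v ssh-keygen >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C 'borgbackup@omv' -f "$tmp/id_ed25519"
    echo "authorized_keys entry for the remote Pi:"
    make_borg_authorized_key "$(cat "$tmp/id_ed25519.pub")" /srv/borg/omv
    rm -rf "$tmp"
fi

# Constructed sample sshd_config fragment for the remote Pi.
tmpcfg=$(mktemp)
cat > "$tmpcfg" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
EOF
if sshd_denies_root "$tmpcfg"; then
    echo "sample sshd_config: root login disabled"
else
    echo "sample sshd_config: root login still permitted"
fi
rm -f "$tmpcfg"
```

With this entry in place on the Pi, it matters much less whose key it is: the key can only run `borg serve` against that one repository, so generating it for a dedicated user on OMV (as the steps above describe) rather than reusing root's key removes the last reason to keep a root keypair in play at all.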

• I took your advice and created a sharedfolder on the data HDD and enabled user home directories on it. Generated ssh keys for a user, and everything is working well!


    Appreciate the time and responses helping me sort this out. Thank you :)

• keeks12

    Added the label OMV 5.x.
  • keeks12

    Added the label solved.
