borg backup via ssh

  • so instead of using remote mount i will now use ssh

    i used this guide: [How-To] Make backups with Borg using borgbackup plugin

    so in the plugin i create a repo as the guide says



    yet i get a permission denied error

    Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; export BORG_PASSPHRASE='H3rrm@nns3n'; export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes; /usr/bin/borg init --encryption=keyfile 'Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup/Backup-Bo-OMV_NOVA' 2>&1' with exit code '2': Remote: Permission denied, please try again.

    Remote: Permission denied, please try again.

    Remote: Malcolm@100.121.165.103: Permission denied (publickey,password).

    Connection closed by remote host. Is borg working on the server?


    OMV\ExecException: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; export BORG_PASSPHRASE='H3rrm@nns3n'; export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes; /usr/bin/borg init --encryption=keyfile 'Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup/Backup-Bo-OMV_NOVA' 2>&1' with exit code '2': Remote: Permission denied, please try again.

    Remote: Permission denied, please try again.

    Remote: Malcolm@100.121.165.103: Permission denied (publickey,password).

    Connection closed by remote host. Is borg working on the server? in /usr/share/php/openmediavault/system/process.inc:217

    Stack trace:

    #0 /usr/share/openmediavault/engined/rpc/borgbackup.inc(184): OMV\System\Process->execute(Array, 2)

    #1 [internal function]: OMVRpcServiceBorgBackup->setRepo(Array, Array)

    #2 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)

    #3 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('setRepo', Array, Array)

    #4 /usr/sbin/omv-engined(537): OMV\Rpc\Rpc::call('BorgBackup', 'setRepo', Array, Array, 1)

    #5 {main}



    could it be that the fingerprint is not stored? i said yes to this


    export BORG_RSH='ssh -i id_rsa'

    $ borg info 'ssh://Malcolm@100.121.165.103/./check'

    The authenticity of host '100.121.165.103 (100.121.165.103)' can't be established.

    ECDSA key fingerprint is SHA256:BY0ihb11wEwmhnpEwqpo/jgKKyS05lmWUsbTibTv8B8.

    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

    Remote: Warning: Permanently added '100.121.165.103' (ECDSA) to the list of known hosts.

  • this part in the guide is not clear to me


    Borg (client) needs to know what SSH private key should be used when connecting to the server. Locate your key and execute

    export BORG_RSH='ssh -i /etc/ssh/my_secure_server_key'

    NOTE: This environment variable only applies to Borg, but if you want to do the same for standard SSH connections, create this file nano ~/.ssh/config and enter IdentityFile /etc/ssh/my_secure_server_key


    is that done from the client where i ssh in to the server as the user and then locate the keys? or how is that step done?


    • Borg installed on your server, Borg plugin installed on your OMV client

    i assume that since both server and client run omv it's enough to have the plugin installed on both


    • client-server connection with SSH key authentication

    with that is setting up ssh keys for the user on the server enough?


    You can try the Borg connection to your server by running a command that would check a repo

    borg info 'ssh://omv@acme.com:7290/./check'


    i get similar results:


    borg info 'ssh://Malcolm@100.121.165.103/./check'

    Malcolm@100.121.165.103's password:

    Repository ssh://Malcolm@100.121.165.103/./check does not exist.


    i have tried both ssh://Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup/ and Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup/

    first one gives location error and the other permission denied, i checked the user account on the server and password match and i have even entered the public key

  • I am the author of the guide, I'll try to help.


    NOTE: This environment variable only applies to Borg, but if you want to do the same for standard SSH connections, create this file nano ~/.ssh/config and enter IdentityFile /etc/ssh/my_secure_server_key


    is that done from the client where i ssh in to the server as the user and then locate the keys? or how is that step done?

    This is done on the server that is establishing the connection, not the target.

    with that is setting up ssh keys for the user on the server enough?

    You have to set up ssh passwordless authentication via certificate. It varies for each system and is not covered by the guide.

    You are missing this configuration:

    Once SSH authentication via certificate is working, you'll be fine.

    borg info 'ssh://Malcolm@100.121.165.103/./check'

    Malcolm@100.121.165.103's password:

    Repository ssh://Malcolm@100.121.165.103/./check does not exist.

    It must not ask for a password!

    Please try this guide or this guide.

    OMV BUILD - MY NAS KILLER - OMV 6.x + omvextrasorg (updated automatically every week)

    NAS Specs: Core i3-8300 - ASRock H370M-ITX/ac - 16GB RAM - Sandisk Ultra Flair 32GB (OMV), 256GB NVME SSD (Docker Apps), 2x16TB HDDs w/ SnapRAID - Fractal Design Node 304 - Be quiet! Pure Power 11 350W


    My all-in-one SnapRAID script!

  • You configure the client to accept passwordless authentication via a certificate, which you generate on the client.

    You copy the public key on the server

    From the server you connect to the client using such key.


  • i think we confuse each other.... but then again both machines will act as both server and client in that they will send backups to each other

    on 1921.68.0.163 user Malcolm has created keys that now need to be copied to 100.115.138.73 under the user malcolm (lower case m in this case)

    that did not go as well


    $ ssh-copy-id -p 2022 malcolm@100.115.138.73

    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/srv/mergerfs/Data/homedir/Malcolm/.ssh/id_rsa.pub"

    The authenticity of host '[100.115.138.73]:2022 ([100.115.138.73]:2022)' can't be established.

    ECDSA key fingerprint is SHA256:cPpquPp2goH873tQwW0+6CDMU2+9LfDzf5O3Y3Ti6QE.

    Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C

    $ ssh-copy-id -p 2022 malcolm@100.115.138.73

    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/srv/mergerfs/Data/homedir/Malcolm/.ssh/id_rsa.pub"

    The authenticity of host '[100.115.138.73]:2022 ([100.115.138.73]:2022)' can't be established.

    ECDSA key fingerprint is SHA256:cPpquPp2goH873tQwW0+6CDMU2+9LfDzf5O3Y3Ti6QE.

    Are you sure you want to continue connecting (yes/no/[fingerprint])? SHA256:cPpquPp2goH873tQwW0+6CDMU2+9LfDzf5O3Y3Ti6QE

    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

    malcolm@100.115.138.73's password:

    Permission denied, please try again.

    malcolm@100.115.138.73's password:

    Permission denied, please try again.

    malcolm@100.115.138.73's password:

    malcolm@100.115.138.73: Permission denied (publickey,password).

  • boelle I don't know what firewall/router your OMV sits behind. But by default ssh on OMV will listen to all incoming addresses not just the VPN connection. So unless someone knows different, you need ssh on remote OMV to only listen on your VPN connection for peace of mind.

  • I just wanted to alert you to a possible security issue here. I don't do any of this stuff myself and you have to get the ssh config 100% right or you risk locking yourself out. But it sounds like your firewall/router is blocking ssh connections outside of your VPN tunnel, something I assume you've tested.

  • You configure the client to accept passwordless authentication via a certificate, which you generate on the client.

    You copy the public key on the server

    From the server you connect to the client using such key.

    i still get the same issues

    i used this guide and it worked: https://linuxize.com/post/how-…p-passwordless-ssh-login/

    but when i try to create a borg repo i still get:


    Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; export BORG_PASSPHRASE='H3rrm@nns3n'; export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes; /usr/bin/borg init --encryption=keyfile 'Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup' 2>&1' with exit code '2': Remote: Permission denied, please try again.

    Remote: Permission denied, please try again.

    Remote: Malcolm@100.121.165.103: Permission denied (publickey,password).

    Connection closed by remote host. Is borg working on the server?


    OMV\ExecException: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; export BORG_PASSPHRASE='H3rrm@nns3n'; export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes; /usr/bin/borg init --encryption=keyfile 'Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup' 2>&1' with exit code '2': Remote: Permission denied, please try again.

    Remote: Permission denied, please try again.

    Remote: Malcolm@100.121.165.103: Permission denied (publickey,password).

    Connection closed by remote host. Is borg working on the server? in /usr/share/php/openmediavault/system/process.inc:217

    Stack trace:

    #0 /usr/share/openmediavault/engined/rpc/borgbackup.inc(184): OMV\System\Process->execute(Array, 2)

    #1 [internal function]: OMVRpcServiceBorgBackup->setRepo(Array, Array)

    #2 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)

    #3 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('setRepo', Array, Array)

    #4 /usr/sbin/omv-engined(537): OMV\Rpc\Rpc::call('BorgBackup', 'setRepo', Array, Array, 1)

    #5 {main}



    100.121.165.103 is the server so i followed the guide 100%

  • on client i have 3 files



    on server only 1





    ssh works without password



    i did remember to do export BORG_RSH='ssh -i id_rsa' on the client (novatech)




    it does not ask for password when i do borg info 'ssh://Malcolm@100.121.165.103/./check'


  • So everything is looking good, well done!

    Quote

    As per the guide: "check" is the backup repository - it does not exist but it’s needed to validate the SSH connection.


    You can go ahead.


  • You can go ahead.

    but when i try to create a borg repo i still get:



    Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; export BORG_PASSPHRASE='H3rrm@nns3n'; export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes; /usr/bin/borg init --encryption=keyfile 'Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup' 2>&1' with exit code '2': Remote: Permission denied, please try again.

    Remote: Permission denied, please try again.

    Remote: Malcolm@100.121.165.103: Permission denied (publickey,password).

    Connection closed by remote host. Is borg working on the server?


    OMV\ExecException: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; export BORG_PASSPHRASE='H3rrm@nns3n'; export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes; /usr/bin/borg init --encryption=keyfile 'Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup' 2>&1' with exit code '2': Remote: Permission denied, please try again.

    Remote: Permission denied, please try again.

    Remote: Malcolm@100.121.165.103: Permission denied (publickey,password).

    Connection closed by remote host. Is borg working on the server? in /usr/share/php/openmediavault/system/process.inc:217

    Stack trace:

    #0 /usr/share/openmediavault/engined/rpc/borgbackup.inc(184): OMV\System\Process->execute(Array, 2)

    #1 [internal function]: OMVRpcServiceBorgBackup->setRepo(Array, Array)

    #2 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)

    #3 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('setRepo', Array, Array)

    #4 /usr/sbin/omv-engined(537): OMV\Rpc\Rpc::call('BorgBackup', 'setRepo', Array, Array, 1)

    #5 {main}

  • almost there

    Malcolm@100.121.165.103/srv/mergerfs/Data/homedir/Malcolm/Borgbackup/Backup-Bo-OMV_NOVA

    "A repository already exists"

    on 100.121.165.103 there are no folders


    root@bo-omv:/srv/mergerfs/Data/homedir/Malcolm/Borgbackup# ls

    root@bo-omv:/srv/mergerfs/Data/homedir/Malcolm/Borgbackup#

    if i skip init it says that the repo is not there


    "Repository /Malcolm@100.121.165.103/srv/mergerfs/Data/homedir/Malcolm/Borgbackup/Backup-Bo-OMV_NOVA does not exist."

  • @auanasgheps any idea what prevents me from getting to the finish line?

    Malcolm@100.121.165.103/srv/mergerfs/Data/homedir/Malcolm/Borgbackup/Backup-Bo-OMV_NOVA

    this is what i try now, the folder is empty


    root@bo-omv:/srv/mergerfs/Data/homedir/Malcolm/Borgbackup# ls

    root@bo-omv:/srv/mergerfs/Data/homedir/Malcolm/Borgbackup#


    but i get: A repository already exists at /Malcolm@100.121.165.103
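
Added example (not part of any post in this thread, and not Borg's own parser): a simplified shell model of how a repository location string is read, run over the strings quoted in the posts above. `classify_repo` and its result labels are hypothetical names; a string with no colon between host and path is read as a local path, which is consistent with the leading `/` in "A repository already exists at /Malcolm@100.121.165.103".

```shell
#!/bin/sh
# Simplified model (an assumption, not Borg's parser) of the three location
# forms used in this thread: ssh:// URL, scp-style user@host:path, local path.
# IPv6 literals are out of scope.

classify_repo() {
    loc=$1
    case $loc in
        ssh://*)
            rest=${loc#ssh://}
            hostpart=${rest%%/*}            # user@host or user@host:port
            case $hostpart in
                *:*)
                    port=${hostpart##*:}
                    case $port in
                        ''|*[!0-9]*) echo invalid-ssh-url; return 0 ;;
                    esac ;;
            esac
            case $rest in
                */*) echo ssh-url ;;
                *)   echo invalid-ssh-url ;;
            esac ;;
        /*|./*|../*)
            echo local-path ;;
        *:*)
            # scp-style only if the first colon comes before any slash
            case ${loc%%:*} in
                */*) echo local-path ;;
                *)   echo scp-style ;;
            esac ;;
        *@*)
            # user@host with no colon: nothing marks it as remote
            echo local-path-looks-remote ;;
        *)
            echo local-path ;;
    esac
}

# Location strings as they appear in the posts above.
for loc in \
    'ssh://Malcolm@100.121.165.103/./check' \
    'ssh://Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup/' \
    'Malcolm@100.121.165.103:/srv/mergerfs/Data/Malcolmbackup' \
    'Malcolm@100.121.165.103/srv/mergerfs/Data/homedir/Malcolm/Borgbackup/Backup-Bo-OMV_NOVA'
do
    printf '%-24s %s\n' "$(classify_repo "$loc")" "$loc"
done
```

A result of `local-path-looks-remote` means the directory would be created on the machine running the command, so the remote folder stays empty while a second init reports that the repository already exists.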

  • You should slow down and read carefully.


    The guide says


    Quote

    Either way, the destination folder must not exist, Borg will create it upon initialization


    So, if you want to use /srv/mergerfs/Data/Malcolmbackup/Borgbackup, delete Borgbackup and try again.

