Is it possible to use replication with a standard user?
The documentation hints that it is possible, but I failed to achieve the desired result.
(http://doc.freenas.org/index.php/Replication_Tasks) Go to PULL and click Account → Users → View Users. Click the Modify User button for the user account you will be using for replication (by default this is the root user).
I followed the instructions, but replication fails and I cannot even succeed with the SSH test from the local to the remote system (the documentation refers to the local as push).
I managed to pass the SSH test only by changing the permissions on /data/ssh/replication, because the standard user can't even read the private key. It makes sense, but I'm just trying to understand what I'm doing wrong; then FreeNAS complains about the permissions on /data/ssh/replication.
The last thing I tried was a different certificate, but while I can connect through SSH to the remote system without being prompted for a password, I am still unable to replicate to the remote system.
ssh with certificate fails
[replicone@ClientNAS /]$ ssh -v -i /data/ssh/replication 192.168.12.90
OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.12.90 [192.168.12.90] port 22.
debug1: Connection established.
debug1: identity file /data/ssh/replication type 1
debug1: identity file /data/ssh/replication-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug1: match: OpenSSH_6.2_hpn13v11 FreeBSD-20130515 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ea:39:d4:40:63:88:04:01:d2:f1:df:7d:3f:de:67:ad
debug1: Host '192.168.12.90' is known and matches the ECDSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /data/ssh/replication
debug1: Server accepts key: pkalg ssh-rsa blen 279
*debug1: could not open key file '/data/ssh/replication': Permission denied
debug1: Next authentication method: password
replicone@192.168.12.90's password:
check on file permission
[replicone@ClientNAS /]$ ls -lg /data/ssh/replication
-rw------- 1 root wheel 1679 Jun 1 22:44 /data/ssh/replication
[replicone@ClientNAS /]$ cat /data/ssh/replication
cat: /data/ssh/replication: Permission denied
change permission
[replicone@ClientNAS ~]$ sudo chmod g+r /data/ssh/replication
Password:
[replicone@ClientNAS ~]$ ls -lg /data/ssh/replication
-rw-r----- 1 root wheel 1679 Jun 1 22:44 /data/ssh/replication
[replicone@ClientNAS ~]$ cat /data/ssh/replication
-----BEGIN RSA PRIVATE KEY-----
bla bla bla
ssh again (success)
[replicone@ClientNAS ~]$ ssh -v -i /data/ssh/replication 192.168.12.90
OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.12.90 [192.168.12.90] port 22.
debug1: Connection established.
debug1: identity file /data/ssh/replication type 1
debug1: identity file /data/ssh/replication-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug1: match: OpenSSH_6.2_hpn13v11 FreeBSD-20130515 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ea:39:d4:40:63:88:04:01:d2:f1:df:7d:3f:de:67:ad
debug1: Host '192.168.12.90' is known and matches the ECDSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /data/ssh/replication
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
*debug1: Authentication succeeded (publickey).
*Authenticated to 192.168.12.90 ([192.168.12.90]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Last login: Sat Jun 21 09:29:16 2014 from 192.168.12.91
FreeBSD 9.2-RELEASE-p4 (FREENAS.amd64) #0 r262572+17a4d3d: Wed Apr 23 10:09:38 PDT 2014
FreeNAS (c) 2009-2014, The FreeNAS Development Team
All rights reserved.
FreeNAS is released under the modified BSD license.
For more information, documentation, help or support, go here:
http://freenas.org
Welcome to FreeNAS
[replicone@ServerNAS ~]$
but FreeNAS complains
CRITICAL: Replication zuppa/samba -> 192.168.12.90 failed:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/data/ssh/replication' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /data/ssh/replication
Permission denied (publickey,password).
restore permission
sudo chmod g-r /data/ssh/replication
Should I try a different certificate?
[replicone@ClientNAS ~]$ cd .ssh/
[replicone@ClientNAS ~/.ssh]$ ls
[replicone@ClientNAS ~/.ssh]$ cd ..
[replicone@ClientNAS ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/mnt/zuppa/home/replicone/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /mnt/zuppa/home/replicone/.ssh/id_rsa.
Your public key has been saved in /mnt/zuppa/home/replicone/.ssh/id_rsa.pub.
The key fingerprint is:
0a:06:b3:11:e4:25:72:82:59:4e:96:11:44:3b:4a:a3 replicone@ClientNAS.local
The key's randomart image is:
+--[ RSA 2048]----+
|+*&+. |
|oO.= |
| oO |
|o..* |
|E . o S |
| . . . |
| . |
| |
| |
+-----------------+
[replicone@ClientNAS ~]$ ls .ssh/
id_rsa id_rsa.pub
[replicone@ClientNAS ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD6MAtjFgPwAe2UsUf5Xe3r0RpVAmVsD+7l1YjUE0CjcNF8WUZkz1T0ZYLEXfOUI9nCiRI5KEVC7Fhd/X/kUFmoLa2aXYXXmMWSQhk78lZ67OWvOG29IF+e5YNiiglKntIGRPpyq8eUFkxLk/UMKuBGtfhsreuFjnnE8NzZDOSCxBNkDahOfY6y1QonSq/Uh/wE+r+L0V39YeDc/UPnVMHyMARAyJ5GaIxaPz801LwaYQiUn9MEN7pp2UpK8TUKIgsRL60YjrBs8UzZjlaeYIsqVHl25gMeXWKzdVky+ThEDVYUumZNZNcOhUsFW2nG/A3KSscEqRyl3KjqEbUg9bB replicone@ClientNAS.local
[replicone@ClientNAS ~]$ ssh -i ~/.ssh/id_rsa 192.168.12.90
Last login: Sat Jun 21 09:32:21 2014 from 192.168.12.91
FreeBSD 9.2-RELEASE-p4 (FREENAS.amd64) #0 r262572+17a4d3d: Wed Apr 23 10:09:38 PDT 2014
FreeNAS (c) 2009-2014, The FreeNAS Development Team
All rights reserved.
FreeNAS is released under the modified BSD license.
For more information, documentation, help or support, go here:
http://freenas.org
Welcome to FreeNAS
[replicone@ServerNAS ~]$
Still something wrong
CRITICAL: Replication zuppa/samba -> 192.168.12.90 failed: cannot receive new filesystem stream: permission denied
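Added example, not part of the original post: a Python model of the two checks behind the three key-file outcomes shown above (kernel read permission, then OpenSSH's "too open" test, which it applies only when the calling user owns the key file). The uid 1001 for replicone, wheel as gid 0, and the inference that the failing replication job ran ssh as root (the key's owner) are assumptions.

```python
import os
import stat

def classify(mode, owner_uid, owner_gid, uid, gids):
    """Return 'unreadable', 'too_open' or 'ok' for a caller (uid, gids)."""
    # Step 1: ordinary Unix read check, done by the kernel on open().
    if uid == 0:
        readable = True                      # root bypasses mode bits
    elif uid == owner_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif owner_gid in gids:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    if not readable:
        return "unreadable"   # "could not open key file ...: Permission denied"
    # Step 2: ssh's own test, applied only when the caller owns the file:
    # any group/other bit set means the key is ignored.
    if uid == owner_uid and mode & 0o077:
        return "too_open"     # "UNPROTECTED PRIVATE KEY FILE!"
    return "ok"

def classify_path(path, uid=None, gids=None):
    """Same check against a real file; defaults to the current process."""
    st = os.stat(path)
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    return classify(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)

# Constructed values (assumptions): root = uid 0, wheel = gid 0,
# replicone = uid 1001 and a member of wheel.
ROOT, WHEEL, REPLICONE = 0, 0, 1001

def page_scenarios():
    """The key-file states seen in the post, plus a per-user key."""
    return {
        "replicone, root key 0600": classify(0o600, ROOT, WHEEL, REPLICONE, {WHEEL}),
        "replicone, root key 0640": classify(0o640, ROOT, WHEEL, REPLICONE, {WHEEL}),
        "root, root key 0640": classify(0o640, ROOT, WHEEL, ROOT, {WHEEL}),
        "root, root key 0600": classify(0o600, ROOT, WHEEL, ROOT, {WHEEL}),
        "replicone, own key 0600": classify(0o600, REPLICONE, 1001, REPLICONE, {1001, WHEEL}),
    }

if __name__ == "__main__":
    for who, result in page_scenarios().items():
        print(f"{who:26} -> {result}")
```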