Recently, a need to utilize rsync to synchronize various FreeBSD configuration files to a FreeBSD shell account at our BSD-based hosting services company necessitated this post to document the basic setup and configuration.
Rsync is normally used to synchronize files and directories between two systems. In our setup, key-based authentication is utilized instead of using passwords. Additionally, crontab setup for continuous synchronization is demonstrated.
Root access to a FreeBSD Server to act as the client and a FreeBSD shell account to act as the repository of file synchronization are required. A FreeBSD shell account is simply a user account on a remote FreeBSD Server which give access to a shell via SSH. Additionally, the FreeBSD Server requires rsync installed and configured as a client.
SSH Client Login:
On the FreeBSD Server, login as root via the console:
FreeBSD/amd64 (bsd220.loga.us) (ttyv0) login: root Password:XXXXXXXX .............. root@bsd220:~ #
Next, from the FreeBSD Server root console, SSH into the FreeBSD shell account, in our case [firstname.lastname@example.org]:
root@bsd220:~ # ssh email@example.com Password for firstname.lastname@example.org .............. [shelluser@backup ~]$
Installing Rsync as a Client:
Use pkg to install rsync on the FreeBSD server:
The FreeBSD server will act as the client to the FreeBSD shell account machine, therefore, rsync installation is required. No configuration is necessary since it will be utilized as a client.
root@bsd220:/ # pkg install rsync Updating poudriere repository catalogue... poudriere repository is up-to-date. All repositories are up-to-date. The following 2 package(s) will be affected (of 0 checked): New packages to be INSTALLED: rsync: 3.1.2_6 libiconv: 1.14_10 Number of packages to be installed: 2 The process will require 3 MiB more space. 881 KiB to be downloaded. Proceed with this action? [y/N]: y Fetching rsync-3.1.2_6.txz: 100% 288 KiB 294.5kB/s 00:01 Fetching libiconv-1.14_10.txz: 100% 594 KiB 607.9kB/s 00:01 Checking integrity... done (0 conflicting) [1/2] Installing libiconv-1.14_10... [1/2] Extracting libiconv-1.14_10: 100% [2/2] Installing rsync-3.1.2_6... [2/2] Extracting rsync-3.1.2_6: 100% root@bsd220:/ #
Generate RSA Authentication Keys:
The first operation is to generate the key on the client machine, your FreeBSD Server, by running the following command:
When you see ‘Enter passphrase (empty for not passphrase):’ Just hit the enter key then the confirmation ‘Enter same passphrase again:’ is displayed. Again, just hit the enter key. In short order, the output from the command should give you an similar output as shown below:
# ssh-keygen -t rsa -b 4096 -C "bsd220.loga.us" Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase. Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 email@example.com The key's random art image is: +---[RSA 4096]----+ | | | | | | | . o.. | | .S*+*o | | . O=Oo . . | | = Oo= oo..| | .oB.* +.oo.| | =OE**.o..=| +----[SHA256]-----+
Additional information about the above command:
- ‘ssh-keygen -t rsa’ invokes the ssh-keygen utility to create an rsa protocol version 2 authentication key.
- ‘-b 4096’ specifies the number of bits in the key to create. 2048 is general considered sufficient, but 4096 bits provides additional security.
- ‘-C “bsd220.loga.us”‘ provides a comment making key identification easier.
- No passphrase is utilized.
- Keys are stored in root’s .ssh directory
- For additional information, please review the man page for ssh-keygen.
SCP Authentication Keys:
Next, use scp to securely copy the file .ssh/id_rsa.pub from the FreeBSD Server to the FreeBSD shell account machine.
# scp .ssh/id_rsa.pub firstname.lastname@example.org:.ssh/authorized_keys
After the scp command is issued the following output is observed:
id_rsa.pub 100% 740 0.7KB/s 00:00
Additional information about the above commands:
- Private key is stored in ~/.ssh/id_rsa on the FreeBSD Server
- Public key is stored in ~/.ssh/id_rsa.pub on the FreeBSD Server
- The public key must be copied from the FreeBSD Server to ~/.ssh/authorized_keys file on the remote machine, the FreeBSD shell account, for key-based authentication to work.
Verify Key-Based Authentication
To determine if the key works, from the FreeBSD Server root console, SSH into the FreeBSD shell account, in our case, [email@example.com] and verify login occurs without a password prompt.
root@bsd220:~ # ssh firstname.lastname@example.org .............. [shelluser@backup ~]$
Initiating the rsync command everyday at 0900 and syncing the local user download folder from the FreeBSD Server to the remote shell account, add the following to crontab -e.
# Backup every day - /usr/home/user/download 00 09 * * * /usr/local/bin/rsync -avz --delete /usr/home/user/download -e ssh email@example.com:/home/shelluser/ >> /dev/null 2>&1
Additional information about the above command:
- 00 and 09 represent the minute and hour respectively.
- -avz represents archive, verbose, and compression respectively.
- –delete deletes extraneous files from the destination directory.
- -e specifies the remote shell to use – ssh
- /dev/null 2>&1 keeps crontab quiet
Rsync is a powerful utility when combined with SSH. Key-Based Authentication aids in the management of rsync so passwords are not required. With crontab, a schedule of synchronization of files between two machines is possible and pragmatically a necessity.
FreeBSD man pages: man ssh-keygen, man ssh, man crontab
Rsync Home Page: https://rsync.samba.org