[Box Backup] Tunneling TLS through SSH?
Ben Summers
boxbackup@fluffy.co.uk
Sat, 20 May 2006 11:35:11 +0100
On 19 May 2006, at 22:27, E.W. Peter Jalajas wrote:
> --- Magnus Homann <magnus@homann.se> wrote:
>
>> E.W. Peter Jalajas wrote:
>>> Hi Magnus,
>>>
>>> Do these pages help?:
>>> http://www.rzg.mpg.de/networking/tunnelling.html
>>> http://hacks.oreilly.com/pub/h/66
>>
>> Thanks, I've tried most of that already.
>>
>> I started with setting up client and server on the same machine, and
>> then copying the bbstored files to another machine, and also copied the
>> bbstored certificates. I guess this should work, the certificates are
>> not connected to the hostname, right?
>
> I believe that is correct, but someone else on the list should verify.
> It is the contents of the digital keys that need to connect.
>
> You'd of course have to install the matching version of bbstored on the
> other machine, including what'll probably be essentially a completely
> new /etc/box/bbstored.conf. You'd also of course have to modify the
> client /etc/box/bbackupd.conf to point to the other machine by the
> correct name. And your dns, routing (including port forwarding), and
> firewalls would all have to be configured correctly. And probably
> other things that I'm forgetting at the moment.
It's just a TCP/IP connection on port 2201. No magic, no trickiness.
I suggest the following approach:
* Configure the server as normal, except use 'localhost' as the
address for bbstored-config
* Configure the client as normal, except use 'localhost' as the
address of the server in bbackupd-config
* Use ssh to tunnel with appropriate users and keys set up. Note that
the ssh user does not have to be the same one as bbstored is running
under, it just needs to be able to make a TCP/IP connection to port
2201 on localhost.
ssh -L 2201:servers-real-address:2201 user@servers-real-address
* You'll need to make sure that the tunnel is open when bbackupd
wants to connect. May I suggest a cunning script using the
SyncAllowScript, which is always run just before a sync starts by
bbackupd.
I suspect people are assuming it's more complex than it actually is.
Ben
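The SyncAllowScript approach Ben sketches above, written out as an added example; this is not Ben's script and not part of Box Backup. It assumes the SyncAllowScript contract as I understand it (bbackupd runs the script before each sync and reads its standard output: "now" lets the sync proceed, a bare integer is the number of seconds to wait before asking again), that bbackupd.conf can pass an argument to the script (`SyncAllowScript = /etc/box/bbackupd-tunnel.sh run`), and that the store host has a login (here called `backup`) that holds the client's public key. Because the server side was configured with `localhost` as its address, the example forwards to `localhost:2201` as resolved on the server. The host name `store.example.org`, the user name and the 60-second retry are placeholders.

```bash
#!/bin/bash
# SyncAllowScript for bbackupd: make sure the SSH tunnel to bbstored is up.
# Assumption (not from the thread): bbackupd reads this script's stdout;
# "now" means start the sync, a bare integer means retry in that many seconds.
# Requires bash for the /dev/tcp probe.

SSH_CMD="${SSH_CMD:-ssh}"              # overridable so the logic can be tested without a server
SSH_USER="${SSH_USER:-backup}"         # unprivileged login on the store host (assumed name)
SERVER="${SERVER:-store.example.org}"  # the server's real address (placeholder)
LOCAL_PORT=2201                        # what bbackupd connects to, as 'localhost' in bbackupd.conf
REMOTE_PORT=2201                       # what bbstored listens on, bound to localhost on the server
RETRY_SECS=60                          # how long bbackupd should wait if the tunnel cannot be raised

# Return 0 if something accepts a TCP connection on host:port, 1 otherwise.
# Only meant for loopback, where a closed port is refused immediately.
tunnel_is_up() {
    host="$1"; port="$2"
    (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
}

# Raise the tunnel in the background.  -N runs no remote command; -f backgrounds
# after authentication; ExitOnForwardFailure turns a failed -L bind into an error
# instead of a silently useless session; BatchMode refuses to prompt, so a key must
# already be installed for the user.
start_tunnel() {
    "$SSH_CMD" -f -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "${LOCAL_PORT}:localhost:${REMOTE_PORT}" \
        "${SSH_USER}@${SERVER}"
}

# Print the verdict bbackupd expects: "now" once the tunnel answers on the local
# port, otherwise the retry delay.  Exit status mirrors the verdict (0 = now).
sync_verdict() {
    if tunnel_is_up 127.0.0.1 "$LOCAL_PORT"; then
        echo now
        return 0
    fi
    if ! start_tunnel; then
        echo "$RETRY_SECS"
        return 1
    fi
    # Give the forward a moment to bind, then re-check rather than trust ssh's exit code.
    for _ in 1 2 3 4 5; do
        if tunnel_is_up 127.0.0.1 "$LOCAL_PORT"; then
            echo now
            return 0
        fi
        sleep 1
    done
    echo "$RETRY_SECS"
    return 1
}

# bbackupd.conf (assumed form):  SyncAllowScript = /etc/box/bbackupd-tunnel.sh run
case "${1:-}" in
    run) sync_verdict ;;
esac
```

Since BatchMode needs a key, the `backup` login on the store host should be limited to what this script needs. With OpenSSH that is done in that user's `authorized_keys`, for example `permitopen="localhost:2201",no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false"` in front of the key, so the key can open the one forward to bbstored and nothing else; the exact option names are OpenSSH's, not Box Backup's.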