HOWTO: Dirvish remote device setup

I set up my laptop to do Dirvish again tonight. I had forgotten how non-trivial the process is if you want to follow the security guidelines. Here's a brief tutorial. I'll assume you have a working local Dirvish install, and have backed up your local root partition using it. My system is running stock Debian everything, if that helps…

  1. Install the attached rsh-command shell script as /etc/dirvish/rsh-command. This will be critical in subsequent steps. Make a directory /var/log/dirvish for it to log into.
  2. Create an appropriate default.conf file in /etc/dirvish. See my attached bm-root-default.conf.bak for an example—name and edit it appropriately with your hostname instead of "bm".
  3. Make a directory in your backup space named "bm-root" or whatever your hostname is. Make a subdirectory called "dirvish". Copy the default.conf.bak file of the previous step to default.conf in the dirvish subdirectory.
  4. Go to the ~root/.ssh directory on the local machine. If it doesn't exist, create it with 0700 permissions. Run

    ssh-keygen -t dsa -f id-dsa-dirvish-bm-root

    This should yield two keyfiles in the .ssh directory.

  5. Using scp or similar, append id-dsa-dirvish-bm-root.pub to the end of ~root/.ssh/authorized_keys on the remote machine. Again, if directories and files don't exist, create them with appropriate permissions.
  6. Prepend the following text to the front of the public key just added to the remote authorized_keys file:
    command="???",,from="192.168.1.1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding

    Do not add any newlines or other whitespace to the text. Replace 192.168.1.1 with the IP address of the local host. The next word after the text should be "ssh-dss".

  7. Run
    dirvish --init --vault bm-root

    on the local box. It will fail due to lack of permissions, but we need to run it anyway, as it will create a needed log file.

  8. Look at the last line in the just-created log file, /var/log/dirvish/rsh.log. Copy everything in the line from "rsync" to the end, then paste it over the "???" in the authorized_keys file created previously. This guarantees that this particular rsync command is the only thing that can ever be executed with this key.
  9. You should now be operational. If all has gone well, run
    dirvish --init --vault bm-root

    on the local box again and it should start up and back up the target partition.

Uggh. (B)