[Borgbackup] debugging BORG_PASSPHRASE issue (SOLVED)

Luc Maisonobe luc at spaceroots.org
Thu Feb 23 14:15:57 EST 2017


On 23/02/2017 at 19:03, Marian Beermann wrote:
> On 23.02.2017 18:55, Luc Maisonobe wrote:
>> Is the passphrase somehow salted with user name or user id? I don't
>> think so because it works for other hosts which were also
>> created by their own super user.
>
> Nope, not salted / mixed with user IDs or names.
>
> Other than that I don't have any ideas to contribute here right now.

OK, I have found the issue.
As I explained at the beginning, I have several hosts to back up, and
I check the result from my desktop machine. My regular account on the
desktop machine therefore has a copy of all ssh keys needed to connect.
The BORG_RSH environment variable is used to select the proper key using
ssh options:

   BORG_RSH="ssh -i ~/.ssh/id_rsa_the_key_I_want"

However, this is not the whole story for openssh. In fact the "-i" option
just loads one key, to be able to propose it to the server during the
initial handshake, but it may also propose all the keys that can come
from an authenticating agent for example, which itself can read every
key in ~/.ssh. In my case, it happened that the first key proposed was
not id_rsa_the_key_I_want but another key, corresponding to another
host, and this key was of course accepted by "borg serve" because its
public half was in borg authorized_keys file! So borg selected another
repository, and tried to open it with the supplied passphrase. As each
of my repositories has a different passphrase, borg correctly told me
the passphrase was wrong.

In order to solve the issue, I simply added another option to tell
ssh to use *only* the identity supplied with the -i option, so the
environment variable setting ended up as:

   BORG_RSH="ssh -i ~/.ssh/id_rsa_the_key_I_want -o IdentitiesOnly=yes"

I would suggest two things to the development team.

The first one would be to add the "-o IdentitiesOnly=yes" part in the
example for BORG_RSH variable documentation (I read this online
at <https://borgbackup.readthedocs.io/en/stable/usage.html>).

The second one would be to have more debug info when the --debug
option is used. I tried this option both in the "borg list" command
(you have seen earlier that the output was quite small). I also
tried it in the "borg serve" commands in the authorized_keys file
on server, and there I simply had no additional output at all. At
least adding something like which repository is selected before
it is opened would be nice.

best regards,
Luc

>
> Cheers, Marian
>
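
A check for the failure described in the message above, as an added example that is not part of the original post or of Borg's code: it walks a BORG_RSH value the way ssh reads its options and reports whether the identity given with -i is pinned by IdentitiesOnly. The name `audit_borg_rsh`, the verdict strings and the sample values are assumptions made for this example; only the command line is inspected, so a setting in ~/.ssh/config is not seen.

```python
import re
import shlex

ARG_FLAGS = set("BbcDEeFIiJLlmOopQRSWw")  # ssh(1) flags that take an argument

def audit_borg_rsh(value):
    """Return (verdict, identity_files); inspects the command line only."""
    words = shlex.split(value)
    identities, only = [], None

    def option(flag, arg):
        nonlocal only
        if flag == "i":
            identities.append(arg)
        elif flag == "o":
            # ssh accepts "Keyword=value" and "Keyword value"; keywords are
            # case-insensitive and the first value given for a keyword wins.
            m = re.match(r"\s*(\w+)\s*[=\s]\s*(.*\S)", arg)
            key, val = (m.group(1).lower(), m.group(2)) if m else ("", "")
            if key == "identityfile":
                identities.append(val)
            elif key == "identitiesonly" and only is None:
                only = val.lower() == "yes"

    i = 1  # words[0] is the ssh binary itself
    while i < len(words) and words[i].startswith("-") and words[i] != "--":
        word = words[i]
        for pos in range(1, len(word)):  # walk a flag cluster such as -vTi
            if word[pos] in ARG_FLAGS:
                arg = word[pos + 1:]
                if not arg and i + 1 < len(words):  # argument is the next word
                    i += 1
                    arg = words[i]
                option(word[pos], arg)
                break
        i += 1
    verdict = "pinned" if only else "unpinned"
    return (verdict if identities else "no-identity"), identities

# Constructed sample values, modelled on the two settings in the post.
SAMPLES = [
    "ssh -i ~/.ssh/id_rsa_the_key_I_want",
    "ssh -i ~/.ssh/id_rsa_the_key_I_want -o IdentitiesOnly=yes",
    "ssh -o IdentitiesOnly=no -i ~/.ssh/id_rsa_the_key_I_want -o IdentitiesOnly=yes",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_borg_rsh(sample)[0], "<-", sample)
```

An "unpinned" verdict means ssh may offer agent keys as well as the -i key, which is the situation that selected the wrong repository here.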


