2

I am setting up Amanda to back up a small network of Ubuntu 16.04 servers and desktops. Let's say U1 is the backup server and U2 is a client. Each has an account named "backup" without a login shell or password (created by default in Ubuntu). I want backup@U1 to SSH to backup@U2 using keys, not passwords. From what I understand, it is more secure if backup does not have a login or password, but can only be accessed by ssh keys.

I have generated the SSH keys and copied U1's public key to U2's backup home directory /var/backups/.ssh/authorized_keys (with backup as owner). I have also copied U2's host key to U1 /var/backups/.ssh/known_hosts. When I try to ssh from U1 to U2:

sudo -u backup ssh -i /etc/amanda/MyConfig/ssh-key U2.example.com

I get

This account is currently not available.

I can ssh from my account on U1 to another account on U2, so I know ssh is working between the two machines. From the message, I am guessing that the lack of a password/login on the backup account is the problem. How can I set this up securely so that Amanda can ssh to the clients to back up the network?

2
  • You can't log into an account without a valid shell.
    – psusi
    Commented Feb 27, 2018 at 1:53
  • That makes sense, but how can I change the account to allow login by ssh keys only (no password, either on the machine or ssh)?
    – Paul B
    Commented Feb 27, 2018 at 23:50

1 Answer

2

Create a user, lock the account, add SSH keys and you are done. If you lock the account’s password, the SSH keys will still work.

You need to at least have a username on the remote system to allow login. But that does not mean that user should have password access. So if you want to do this, let’s assume your backup username is backup; note this is a bad username since it is so common, so come up with some 8-letter combo that works for you. Anyway, create the user like this:

sudo adduser backup

Okay, now just go through the usual pile of questions you get when running adduser, including setting a password.

Then when that user is created, just do this to lock the account:

sudo passwd -l backup

Now if you set up the SSH keys under that user’s account, you will be able to log in via SSH but not via password login.

3
  • So I should create a new regular user account rather than modifying the existing "backup" system account?
    – Paul B
    Commented Feb 28, 2018 at 0:41
  • I set up a new backup user as above, but when I ssh, it asks for the new user's password. When I enter it, it says: Permission denied, please try again.
    – Paul B
    Commented Feb 28, 2018 at 16:26
  • 1
    I changed the name of the key files from ssh_key(.pub) to id_rsa(.pub) and now it works!
    – Paul B
    Commented Feb 28, 2018 at 20:46
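
The account states discussed in this thread (nologin shell, locked password, key file permissions), as an added example that is not part of any post above: a small checker that classifies whether key-only SSH login can work for an account. The function names, the user name "amback" and the sample passwd/shadow lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify whether key-only SSH login to an account can work.
# Inputs are passwd/shadow-format lines, e.g. from `getent passwd NAME`.

# Constructed samples; "amback" is a hypothetical user name.
SYSTEM_PW='backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'
NEW_PW='amback:x:1001:1001:,,,:/home/amback:/bin/bash'
LOCKED_SH='amback:!$6$constructedsalt$constructedhash:17590:0:99999:7:::'
SET_SH='amback:$6$constructedsalt$constructedhash:17590:0:99999:7:::'

# nologin/false end every session, keys or not; nologin prints
# "This account is currently not available."
shell_state() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        */nologin|*/false) echo blocked ;;
        *) echo ok ;;
    esac
}

# "!" prefix is what `passwd -l` adds; "*" also matches no password.
password_state() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'*|'*') echo locked ;;
        '') echo empty ;;
        *) echo set ;;
    esac
}

# sshd's default StrictModes ignores authorized_keys if the file or its
# directory is group- or world-writable (the home directory must pass too).
perms_state() {
    for p in "$1" "$(dirname "$1")"; do
        case "$(stat -c %a "$p")" in
            *[2367]?|*[2367]) echo unsafe; return ;;
        esac
    done
    echo ok
}

# Args: passwd line, shadow line, path to authorized_keys.
diagnose() {
    if [ "$(shell_state "$1")" = blocked ]; then echo shell-blocks-login
    elif [ "$(perms_state "$3")" = unsafe ]; then echo fix-key-permissions
    elif [ "$(password_state "$2")" = locked ]; then echo key-only
    else echo password-also-possible
    fi
}

diagnose "$SYSTEM_PW" "$LOCKED_SH" /dev/null   # the question's system account
```

On a real host, feed it `getent passwd NAME` and `sudo getent shadow NAME` output instead of the samples.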
