After my guide on setting up Rdiff-Backup to PULL backups from another server, I setup Two-factor SSH and Virtualmin Authentication via Google-Authenticator – having set this up I did not want to allow Public Key login to my server. So I had to move over to PUSH backups

To Setup Rdiff-Backup to push a server backup to the backup server follow this guide: 

1. Lets start with installing rdiff-backup on the backup server and then host-server (server to be backed up to the backup server) – make sure you get the same version installed on both servers:

yum install rdiff-backup

2. On the backup server, create a new account (Using Webmin) which will be used to perform the backup:



Real name:





No Login Allowed


3. Create a passphrase-free ssh key on host server  that will be placed on the backup server  so that the host server  can log in to the backup server and write the files to the backup location automatically: (This is the other way around from what we do on the PULL backup setup)

So on the host server:

Change to a user you would like to create the Public key for, this could be root or another user.

su -m rdiff-backup
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/rdiff-backup/.ssh/id_rsa): /backup/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /backup/.ssh/id_rsa.
Your public key has been saved in /backup/.ssh/
The key fingerprint is: e0:fc:4a:8a:51:a8:c7:3a:e4:3a:3c:22:f9:4e:35:ca rdiff-backup@example

 Your key fingerprint will almost certainly differ from the example here.

For the root user, Create an ssh config alias which defines how the host server to contact the backup server with the public key. Place the following into /root/.ssh/config: this has to be the root user, as we need to run the backup as the root user to be able to access 

vim /root/.ssh/config

Paste this into the file and insert your settings where needed:

host example_backup
port xx
user rdiff-backup
identityfile /home/rdiff-backup/.ssh/id_rsa
compression yes
protocol 2

## host = your name for the host server

## hostname = the hostname or IP of the host server

## port = your SSH port

## user = the user on the backup server that you will backup to

## identityfile = the public key you generated in the previous step

 Note that “compression yes” is optional, and you may wish to omit it the servers are connected over high-speed nets. 

This config entry enables the host server to use the “hostname” example-backup wherever ssh expects a real hostname. ssh will use the information specified in the config file, which will result in a  automatic connection to the backup server, using the specified key

You may need to make some file permission adjustments, it depends on your system:

chmod -R go-rwx /root/.ssh


4. Give permission for the  host server to access the backup server and store the backup:

You need the public portion of the key you just generated on the  host server :

cat /home/rdiff-backup/.ssh/

You should see a really long key that starts with something like this – with being your host servers hostname.

ssh-rsa AAAAB3NzaC1yc2EAAAAB[...] [email protected]


Assuming that rdiff-backup@backup server`s home directory is /home/rdiff-backup, we will construct a terribly long line in the file /home/rdiff-backup/.ssh/authorized_keys2 (on the backup server). The line is so long that I’m going to break it in two here for demonstration purposes only, you must join this first line and the public key from above on one line, with only a space between them:


Now on the backup server:

vim /home/rdiff-backup/.ssh/authorized_keys2

We will no paste the really long line in there – but we are splitting in up into two to make it easier to do-

so the firs part is the command that is allowed – with being ether your host servers hostname or IP

rdiff-backup --server",from="",no-port-forwarding,no-X11-forwarding,no-pty

now place a space after the no-pty

then the second part is the long ssh-rsa we got from – cat /home/rdiff-backup/.ssh/ in the previous step

ssh-rsa AAAAB3NzaC1yc2EAAAAB[...] [email protected]

so your final line should look something like this:

command="rdiff-backup --server --restrict-read-only /",from="",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQBFRCWgRVs0BhZ2FPxUgRsuWgSSLV7dD+7Db8uV5PRZxAUWWmO8Wbqh0C1daMT86D3BbBwtbC9Clxr7XgalHoL8v65qgl0TZBecGdFWC4Zt+s2YmkUmVcPv/idfnRCHgIhoUKsadsadzzHWef6p7MMCfCp/z7/34357fiwbQ0RCcWnQMORO/dgMJ5LSsXKCOPzsbTt1/i8NulTUNCjlVb4LsCGFX1wscRbXNT4Y6fKMURK0y3kvZ7s888+6utjPnLjVeR7FNL3NtAZyhvbZe6mDFf9G6Usef+4bCgpNBG2Ff2JPbpv0KW+S/Q2jIPhmhJFXs7IYwhPRSoJNUefjdBpvF7xRs/w== [email protected]

This entry in /home/rdiff-backup/.ssh/authorized_keys2 permits anyone with the specified key (i.e. [email protected] ( = host servers hostname) to connect with ssh from the host named (host servers hostname or IP)  and issue the forced rdiff-backup command. It further restricts the ssh connection to eliminate port forwarding, X11 forwarding and a pty.

If you have any troubles, this step is the one which has most likely caused you problems. Here are some troubleshooting guidelines:

  • Make sure there are no line breaks in the authorized_keys2 entry.
  • Use the reverse DNS response for host servers address in from="backup server".
  • Make sure you copied the public key properly.
  • Ensure file permissions are set properly:

    To set the permissions run this command on the host server

    chmod -R go-rwx /home/rdiff-backup/.ssh
  • Make sure rdiff-backup is in root’s PATH, or add a full path to command="/path/to/rdiff-backup...".
  • Look in /var/log for help.


5. Perform a test backup and populate known_hosts.

You should now be able to perform a test backup. During this test ssh will probably ask you to accept the backup servers host key — you will need to complete this step before you can begin an unattended backup.

On the host server as the root user:

rdiff-backup--print-statistics  /tmp example_backup::/home/rdiff-backup/test/

If you are asked for a password or passphrase then something is wrong. Other than asking you to verify the host key it should succeed in performing a backup of /tmp to example_backup::/home/rdiff-backup/test/

Assuming the first attempt asked you to verify the host key, run the test a second time to verify that it asks you nothing.


6. To include and exclude files and folders in the backup process.

We will create a file list that can both include and exclude files and folders on the host server to be backed up to the backup server. Its best to place this file in a folder in the rdiff-backup users home directory.

On the host server:

Create a file called filelist.txt

vim /home/rdiff-backup/filelist.txt

##To exclude files/folders we have to place a “-” in front of the file/folder.

##To include files/folders we simply place the file/folders name in the list.

## For more examples see :

So lets place something like this into to file:

- /tmp
- /mnt
- /proc
- /var/tmp
- /var/cache
- /home/rdiff-backup
- /home/vdomains

## I exclude some of the normal directories but also the directory where other server backups are stored on the host server (/home/rdiff-backup) as as well as the home of my Virtualmin Domains, as I back this up using the Virtualmin backup feature as to also backup the Databases!

7. Create a cron job on the host server  to initiate your backup – use webmin.

Execute as: 



rdiff-backup --include-globbing-filelist /home/rdiff-backup/config/filelist.txt / example_backup::/home/rdiff-backup/


Pick a time – once a day or week or what ever you want!

How to: CentOS Virtualmin Automated Remote Back-ups with rdiff-backup – PUSH
Tagged on:                                                 

Leave a Reply

Your email address will not be published. Required fields are marked *

One thought on “How to: CentOS Virtualmin Automated Remote Back-ups with rdiff-backup – PUSH