Problem with SCP access with non-root user

[eisvleo]

Hello, I have been a PBS user for a few days now, and first of all, I would like to thank everyone at Proxmox for their work.

My problem is that, in addition to using PBS to back up VMs and CTs, I would also like to use it to copy certain folders from non-virtual machines using the scp command.

The thing is, if I use the root user, I don't have any problems, but I find that quite problematic and would like to use a user with fewer rights for this purpose. To do this, I have created a “DataStoreAdmin” type user, who has access to the path where I would have to save the folder, but when I use scp with that user, I get this error:

scp -r [/local/path/] [DataStoreAdmin_user]@[server IP]:[/pbs/datastore/path]

[DataStoreAdmin_user]@[server IP]'s password:

Permission denied, please try again.

Obviously, the password I enter is correct. It occurs to me that maybe this user should belong to some special group to use scp? Perhaps the problem is something else.

Greetings to all and thanks in advance!

 

[Chris]

Hello, I have been a PBS user for a few days now, and first of all, I would like to thank everyone at Proxmox for their work.

My problem is that, in addition to using PBS to back up VMs and CTs, I would also like to use it to copy certain folders from non-virtual machines using the scp command.

You can use the proxmox-backup-client to create host level backups [0], using SCP or any other tool to copy your files is completely orthogonal to that.

The thing is, if I use the root user, I don't have any problems, but I find that quite problematic and would like to use a user with fewer rights for this purpose. To do this, I have created a “DataStoreAdmin” type user, who has access to the path where I would have to save the folder, but when I use scp with that user, I get this error:

The users authenticated by PBS realm and assigned roles/permissions only apply to the PBS CLI tools and API, they have no effect on other unix tools using e.g. pam authentication as your scp will most likely use. You will have to crate a unix user independent from PBS.

scp -r [/local/path/] [DataStoreAdmin_user]@[server IP]:[/pbs/datastore/path]

This should be avoided at all costs! You should never place other file contents in a datastores base path or one of the sub-paths. Use a different, custom path for copying data to your host.

[DataStoreAdmin_user]@[server IP]'s password:

Did you create the unix user and set a password for it? Further, you must assure that the user can access the target location by setting the unix permissions for the target folder and the parent folders.

Permission denied, please try again.

Obviously, the password I enter is correct. It occurs to me that maybe this user should belong to some special group to use scp? Perhaps the problem is something else.

[0] https://pbs.proxmox.com/docs/backup-client.html#creating-backups

 

[eisvleo]

Thanks a lot. The "DataStoreAdmin_user" was created on pbs, is not a pam user, created on the Linux behind.
I didn't know proxmox-backup-client. I will try it and use it out of datastore disk. Cheers!

 

[eisvleo]

From what I can see, it only supports Debian. I'll see if I can install it on other distros like Ubuntu and Arch. I guess Windows is out of the question, right? (That's really where I would use it most to prevent disasters caused by incautious users.)

EDIT: I have managed to install the client on Ubuntu 24.04 and upload a backup copy of my Thunderbird folder to PBS using the client. Now I need to figure out how to use a user other than root, without having to enter a password, and create a script.

 

[Bu66as]

Hello @eisvleo,

For scripting without a password prompt, you should use API tokens. Create a new user in PBS with the necessary permissions on the datastore (e.g., the DatastoreBackup role) and generate an API token for it. You can then define the repository and the token in your script via environment variables, and the client will use them automatically. The variable for the token is PBS_TOKEN.