Pre-requisites
- Crashplan account
- FreeNAS-9.1.1-RELEASE-x64 (a752d35)
- Change the user password
- Add pubkey to root account.
- Enable SSH-Daemon, allow TCP forwarding
- Create a new volume, encrypted raidz
NOTA BENE: The GUI is wrong here. The correct command is linux_load.
linux_load=YES
Per the wiki
[root@freenas] /mnt/zpool# jls
JID IP Address Hostname Path
1 - crashplan_1 /mnt/zpool/jails_2/crashplan_1
[root@freenas] /mnt/zpool# jexec 1 /bin/tcsh
Create a new user
root@crashplan_1:/ # adduser
Username: crashplan
.....
Login group is crashplan. Invite crashplan into other groups? []: wheel
....
Username : crashplan
Password : *****
Full Name :
Uid : 1001
Class :
Groups : crashplan wheel
Home : /home/crashplan
Home Mode :
Shell : /bin/tcsh
Locked : no
At this point, I like to copy my pub key to make things easier on me.
➜ ~ ssh-copy-id crashplan@192.168.1.103
Now, let's create a tunnel. This will redirect localhost 4200 to 4243 on the crashplan jail.
NOTA BENE: On a Mac, make sure you use 127* not localhost. Localhost causes a redirect loop.
ssh -L 4200:127.0.0.1:4243 crashplan@192.168.1.103 -N -v -v
Make the CrashPlan client use the SSH tunnel by editing its ui.properties file. The file's location:
Linux (if installed as root): /usr/local/crashplan/conf/ui.properties
Mac: /Applications/CrashPlan.app/Contents/Resources/Java/conf/ui.properties
Solaris (if installed as root): /opt/sfw/crashplan/conf/ui.properties
Windows: C:\Program Files\CrashPlan\conf\ui.properties
Change the service port to 4200, which we will use to tunnel to the remote connection.
servicePort=4200
ssh -L 4200:127.0.0.1:4243 crashplan@192.168.1.103 -N -v -v
OpenSSH_5.9p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.103 [192.168.1.103] port 22.
debug1: Connection established.
debug1: identity file /Users/bdd/.ssh/id_rsa type 1
debug1: identity file /Users/bdd/.ssh/id_rsa-cert type -1
debug1: identity file /Users/bdd/.ssh/id_dsa type -1
debug1: identity file /Users/bdd/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
debug1: match: OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 489/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 47:80:ec:ed:06:a4:ee:1e:88:65:57:29:fc:ab:bd:65
debug1: Host '192.168.1.103' is known and matches the RSA host key.
debug1: Found key in /Users/bdd/.ssh/known_hosts:8
debug2: bits set: 520/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/bdd/.ssh/id_rsa (0x7ffe31410cc0)
debug2: key: /Users/bdd/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/bdd/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp aa:79:62:66:54:09:ea:7e:9b:53:b4:68:01:b9:28:cc
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.103 ([192.168.1.103]:22).
debug1: Local connections to LOCALHOST:4200 forwarded to remote address 127.0.0.1:4243
debug1: Local forwarding listening on ::1 port 4200.
debug2: fd 5 setting O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 4200.
debug2: fd 6 setting O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Connection to port 4200 forwarding to 127.0.0.1 port 4243 requested.
debug2: fd 7 setting TCP_NODELAY
debug1: channel 2: new [direct-tcpip]
debug2: channel 2: open confirm rwindow 2097152 rmax 32768
[root@freenas] ~# jexec crashplan_1 sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
crashplan sshd 4149 5 tcp4 192.168.1.103:22 192.168.1.83:53226
root sshd 4147 5 tcp4 192.168.1.103:22 192.168.1.83:53226
root java 3952 56 tcp4 127.0.0.1:4243 *:*
root java 3952 57 tcp4 *:4242 *:*
root java 3951 56 tcp4 127.0.0.1:4243 *:*
root java 3951 57 tcp4 *:4242 *:*
root java 3950 56 tcp4 127.0.0.1:4243 *:*
root java 3950 57 tcp4 *:4242 *:*
root java 3949 56 tcp4 127.0.0.1:4243 *:*
root java 3949 57 tcp4 *:4242 *:*
root java 3948 56 tcp4 127.0.0.1:4243 *:*
root java 3948 57 tcp4 *:4242 *:*
root java 3947 56 tcp4 127.0.0.1:4243 *:*
root java 3947 57 tcp4 *:4242 *:*
root java 3946 56 tcp4 127.0.0.1:4243 *:*
root java 3946 57 tcp4 *:4242 *:*
root java 3945 56 tcp4 127.0.0.1:4243 *:*
root java 3945 57 tcp4 *:4242 *:*
root java 3944 56 tcp4 127.0.0.1:4243 *:*
root java 3944 57 tcp4 *:4242 *:*
root java 3943 56 tcp4 127.0.0.1:4243 *:*
root java 3943 57 tcp4 *:4242 *:*
root java 3942 56 tcp4 127.0.0.1:4243 *:*
root java 3942 57 tcp4 *:4242 *:*
root java 3941 56 tcp4 127.0.0.1:4243 *:*
root java 3941 57 tcp4 *:4242 *:*
root java 3940 56 tcp4 127.0.0.1:4243 *:*
root java 3940 57 tcp4 *:4242 *:*
root java 3935 56 tcp4 127.0.0.1:4243 *:*
root java 3935 57 tcp4 *:4242 *:*
root java 3934 56 tcp4 127.0.0.1:4243 *:*
root java 3934 57 tcp4 *:4242 *:*
root java 3933 56 tcp4 127.0.0.1:4243 *:*
root java 3933 57 tcp4 *:4242 *:*
root java 3932 56 tcp4 127.0.0.1:4243 *:*
root java 3932 57 tcp4 *:4242 *:*
root java 3931 56 tcp4 127.0.0.1:4243 *:*
root java 3931 57 tcp4 *:4242 *:*
root java 3930 56 tcp4 127.0.0.1:4243 *:*
root java 3930 57 tcp4 *:4242 *:*
root java 3929 56 tcp4 127.0.0.1:4243 *:*
root java 3929 57 tcp4 *:4242 *:*
root java 3928 56 tcp4 127.0.0.1:4243 *:*
root java 3928 57 tcp4 *:4242 *:*
root java 3927 56 tcp4 127.0.0.1:4243 *:*
root java 3927 57 tcp4 *:4242 *:*
root java 3926 56 tcp4 127.0.0.1:4243 *:*
root java 3926 57 tcp4 *:4242 *:*
root java 3797 56 tcp4 127.0.0.1:4243 *:*
root java 3797 57 tcp4 *:4242 *:*
root java 3444 56 tcp4 127.0.0.1:4243 *:*
root java 3444 57 tcp4 *:4242 *:*
root java 3443 56 tcp4 127.0.0.1:4243 *:*
root java 3443 57 tcp4 *:4242 *:*
root java 3442 56 tcp4 127.0.0.1:4243 *:*
root java 3442 57 tcp4 *:4242 *:*
root python2.7 3404 3 tcp4 192.168.1.103:12346 *:*
root java 3399 56 tcp4 127.0.0.1:4243 *:*
root java 3399 57 tcp4 *:4242 *:*
root java 3398 56 tcp4 127.0.0.1:4243 *:*
root java 3398 57 tcp4 *:4242 *:*
root java 3397 56 tcp4 127.0.0.1:4243 *:*
root java 3397 57 tcp4 *:4242 *:*
root java 3396 56 tcp4 127.0.0.1:4243 *:*
root java 3396 57 tcp4 *:4242 *:*
root java 3395 56 tcp4 127.0.0.1:4243 *:*
root java 3395 57 tcp4 *:4242 *:*
root java 3394 56 tcp4 127.0.0.1:4243 *:*
root java 3394 57 tcp4 *:4242 *:*
root java 3393 56 tcp4 127.0.0.1:4243 *:*
root java 3393 57 tcp4 *:4242 *:*
root java 3381 56 tcp4 127.0.0.1:4243 *:*
root java 3381 57 tcp4 *:4242 *:*
root sshd 3213 5 tcp4 *:22 *:*
root java 3179 56 tcp4 127.0.0.1:4243 *:*
root java 3179 57 tcp4 *:4242 *:*
root syslogd 3076 7 udp4 *:514 *:*
? ? ? ? tcp4 192.168.1.103:12346 192.168.1.101:60840
? ? ? ? tcp4 192.168.1.103:12346 192.168.1.101:51273
[root@freenas] ~# kldstat
Id Refs Address Size Name
1 59 0xffffffff80200000 132bb68 kernel
2 1 0xffffffff8152c000 143c50 linux.ko
3 1 0xffffffff81670000 e3c8 xhci.ko
4 1 0xffffffff81812000 156757 zfs.ko
5 14 0xffffffff81969000 55c1 opensolaris.ko
6 1 0xffffffff8196f000 485c geom_stripe.ko
7 1 0xffffffff81974000 10477 geom_raid3.ko
8 1 0xffffffff81985000 efdd geom_raid5.ko
9 1 0xffffffff81994000 581e geom_gate.ko
10 1 0xffffffff8199a000 49d5 geom_multipath.ko
11 1 0xffffffff8199f000 b6b dtraceall.ko
12 1 0xffffffff819a0000 4ee2 profile.ko
13 3 0xffffffff819a5000 4049 cyclic.ko
14 11 0xffffffff819aa000 23da87 dtrace.ko
15 1 0xffffffff81be8000 fb2d systrace_freebsd32.ko
16 1 0xffffffff81bf8000 109cf systrace.ko
17 1 0xffffffff81c09000 459e sdt.ko
18 1 0xffffffff81c0e000 4953 lockstat.ko
19 1 0xffffffff81c13000 be50 fasttrap.ko
20 1 0xffffffff81c1f000 6672 fbt.ko
21 1 0xffffffff81c26000 55bd dtnfscl.ko
22 1 0xffffffff81c2c000 4590 dtmalloc.ko
23 1 0xffffffff81c31000 44e3 dtio.ko
24 1 0xffffffff81c36000 28bff if_cxgbe.ko
Actually, I found elsewhere that you can make crashplan listen on all interfaces rather than localhost. Requires the following change on the server:
"Using your favorite text editor, edit the following file:
/usr/pbi/crashplan-amd64/share/crashplan/conf/my.service.xml
Within this file, change the from "127.0.0.1" to "0.0.0.0". Save, and then restart the Crashplan service"
No ssh tunneling required to redirect 4243 to 4200. Just change the IP address for the client to direct to your jail and leave the port what it was.
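A check for where the CrashPlan ports are actually bound, reading the same sockstat -4 format as the output above. This is an added example, not part of the original post; the function name listener_scope and the sample lines are constructed for illustration. With the 127.0.0.1 binding, port 4243 is reachable only through the SSH tunnel; once the service listens on all interfaces it appears as a wildcard listener that any host able to reach the jail's address can connect to.

```shell
#!/bin/sh
# Constructed sample in the format of `sockstat -4` (not real output).
sample_sockstat() {
cat <<'EOF'
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
crashplan sshd 4149 5 tcp4 192.168.1.103:22 192.168.1.83:53226
root java 3952 56 tcp4 127.0.0.1:4243 *:*
root java 3952 57 tcp4 *:4242 *:*
root sshd 3213 5 tcp4 *:22 *:*
root syslogd 3076 7 udp4 *:514 *:*
? ? ? ? tcp4 192.168.1.103:12346 192.168.1.101:60840
EOF
}

# listener_scope PORT
# Reads sockstat -4 output on stdin and prints how TCP PORT is bound:
#   loopback - only on 127.x (reachable through the SSH tunnel only)
#   exposed  - on the wildcard or a non-loopback address
#   absent   - nothing is listening on that port
listener_scope() {
  awk -v port="$1" '
    # Keep listening TCP sockets only: the header, UDP and
    # established connections all fail this test.
    $5 !~ /^tcp/ || $7 != "*:*" { next }
    {
      n = split($6, a, ":")              # port follows the last colon
      p = a[n]
      addr = substr($6, 1, length($6) - length(p) - 1)
      if (p != port) next
      if (addr ~ /^127\./) lo = 1; else ex = 1
    }
    END { print (ex ? "exposed" : (lo ? "loopback" : "absent")) }
  '
}

# Report both CrashPlan ports for the constructed sample.
for port in 4242 4243; do
  printf '%s: %s\n' "$port" "$(sample_sockstat | listener_scope "$port")"
done
```

On the FreeNAS host the same function can read live data: jexec crashplan_1 sockstat -4 | listener_scope 4243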