Carbon Copy Cloner offers the option of securely copying your selected data to another Macintosh on your network (or anywhere on the Internet for that matter) via the "Remote Macintosh..." options in the Source and Destination selectors. After a brief setup procedure to establish trust between your Mac and the destination Mac, simply indicate the IP address or hostname of the remote Mac and CCC will take care of the rest.
Note: Backing up to a remote Macintosh is not the same as backing up to a network filesystem. If you don't require a bootable backup and you are only backing up files for which you are the owner, it will be easier to enable file sharing on the remote machine and back up to a disk image on the mounted sharepoint.
To successfully set up CCC to back up to a remote Macintosh, you must:
- Confirm that the remote Macintosh is running a supported OS
- Enable Remote Login on the remote Macintosh.
- Determine the Unix path to the folder on that machine that you would like to back up to.
- Create an "Authentication Credentials" package on your local machine (CCC will place this package on your Desktop).
- Transfer the "Authentication Credentials" package to your remote Macintosh and install it there.
- Verify that the system time on each Macintosh is reasonably in sync with the other.
- Confirm that the backup device on the remote Macintosh is ready and mounted (CCC does not currently perform this verification).
- Manually disable the "Ignore ownership on this volume" setting in the destination volume's Get Info window in the Finder.
- Verify that any firewalls between the two Macs are permitting "secure shell" traffic over port 22 (or a custom port that you specify).
Configuring CCC to back up to a remote Macintosh is an advanced configuration scenario. If you are unsure of any of these settings, please seek advice at the Bombich Software Help Desk before proceeding.
Enabling Remote Login on the remote Macintosh
To enable Remote Login on your remote Macintosh:
- Log in to that machine as an admin user.
- Open the System Preferences application.
- Open the Sharing Preference Pane.
- Check the box next to "Remote Login".
- Be sure to allow access to "All users", or explicitly add the "Administrators" group to the list of restricted users and groups.
Determining the "Remote Macintosh hostname or IP address"
To determine the value to enter into this field:
- Log in to the remote Macintosh as an admin user.
- Open the System Preferences application.
- Open the Sharing Preference Pane.
- Click on the Remote Login service in the list of services.
- In the settings area on the right, you will see a message to the effect of "To log in to this computer remotely, type "ssh username@yourhost.yourdomain.com" at a shell command prompt." The text after the "@" symbol is the hostname or IP address that you will provide in the "Remote Macintosh hostname or IP address" text field.
If you have customized the Remote Login service on the remote Macintosh to use a custom port, specify that port in the "Custom Port" text field. The default port is 22.
Determining the "Path to source/backup directory"
To produce a backup that your source Macintosh can boot from, we recommend that you dedicate a volume to the backup task. The backup volume can be an internal or external volume, though an external volume will be most convenient in a disaster recovery scenario. Be sure to prepare the volume for use with CCC per the instructions in the article titled Preparing a hard drive for use with Carbon Copy Cloner. When you have identified a volume to use on the remote Macintosh for backup, do the following to determine the value to enter in the "Path to backup directory" text field:
- Log in to the remote Macintosh as an admin user.
- Open the Disk Utility application.
- Click on the backup volume in the list of devices on the left side of the window.
- Locate the "Mount point" value at the bottom of the window — this is the value that you will enter into the "Path to backup directory" field in CCC's Remote Macintosh dialog window on the source machine. The format of this value is typically "/Volumes/Backup Disk".
If you do not intend to create a bootable backup, you may also create a folder on the remote Macintosh that can be used for the backup task:
- Log in to the remote Macintosh as an admin user.
- Create a folder in your desired location.
- In the Finder, click on the destination folder that you created.
- From the Finder's "File" menu, choose "Get Info".
- In the "General" section of the Get Info panel, the "Where" attribute indicates where that folder is located. The path to your backup directory will consist of that location, plus "/", plus the name of your destination directory. For example, if you created a folder named "Backups" in the /Users/Shared folder on your remote Macintosh, the Get Info panel would indicate that it is located at "/Users/Shared", therefore the path to the backup directory is "/Users/Shared/Backups".
Bandwidth management options
CCC offers two options that can help you address bandwidth concerns. The option to "Compress data passed over the network" can greatly reduce your backup time and total bandwidth used. The time savings depends on just how slow the connection is between the two Macs. If you have a connection that is slower than 10MB/s, compression will make the transfer faster. If your bandwidth is better than that, compression will actually slow down your transfer. CCC will not compress certain file types that are already compressed, such as graphics files, movies, and compressed archives. Specifying the option to compress data passed over the network does not create a proprietary or compressed backup; files are automatically decompressed on the destination volume on the remote Macintosh.
CCC also offers a bandwidth limitation option. If your ISP requires that your transfers stay below a certain rate, you can specify that rate here. Note that CCC errs on the conservative side with this rate, so the average transfer rate may be slightly lower than the limitation that you specify.
The "Authentication Credentials" package installer
Before you can back up to a remote Macintosh, you must first set up "public key authentication" (PKA) between the Macintosh that you're running Carbon Copy Cloner on and the Macintosh that you'd like to back up to. With PKA, you don't need to provide a username/password to access the remote Macintosh. Instead, CCC uses pre-shared, 1024-bit DSA key pairs to identify the source and destination Macs.
To create the Authentication Credentials installer package:
- Choose "Remote Macintosh..." from the Source or Destination selector
- Click on the button to "Create Authentication Credentials package"
When you click on the button to create an Authentication Credentials package, CCC will generate this key pair, create a package installer, then install the package onto your local Macintosh. When this procedure is complete, transfer the package to your remote Macintosh and install it there as well by double-clicking on the package. If you use FTP or a non-HFS+ formatted volume to transfer the package to the remote Mac, right-click on the Authentication Credentials package and choose the option to compress the package first. FTP and non-HFS+ formatted volumes will strip important information from the Authentication Credentials package and render it unusable on the remote Mac.
Note that you are NOT required to enable the root account on either Mac. This is avoided by using public key authentication instead of password-based authentication.
“Authentication Credentials can’t be installed on this disk. A Newer version of this software already exists on this disk.”
The Authentication Credentials installer package is explicitly configured to allow upgrades (e.g. installing multiple copies of the package from different Macs), but sometimes the Installer application will errantly disallow it. These steps will allow the installation of the package on the remote Mac when this error is presented:
- Choose "Go to folder" from the Finder's Go menu
- Type "/var/db/receipts" and click the Go button
- Find the files that start with "com.bombich.ccc.tgt_keys.authenticationCredentials" and drag them to the Trash
- Try installing the package installer again
Remote Macintosh prerequisites
At this time, CCC requires the use of the root account (though it does not have to be enabled) on both the source and destination Macs. To successfully back up to a remote Macintosh, you must have administrative privileges on both machines.
CCC also requires that the remote Macintosh be running macOS 10.8 or later. Non-Macintosh systems are not supported with the "Remote Macintosh" feature.
Note for Yosemite, El Capitan, & Sierra users: If your source contains macOS Yosemite (or later) system files, the Remote Macintosh must be running macOS 10.9.5 or later. If the Remote Macintosh is not running 10.9.5 or later and you attempt to back up macOS Yosemite (or later) system files, the backup task will report numerous "Input/output" ("Media") errors. Filesystem changes introduced on Yosemite cannot be accommodated by older OSes. Apple added support for those filesystem changes in 10.9.5 to offer a modest amount of backwards compatibility.
Additional pointers for advanced users
Carbon Copy Cloner's public key-based authentication is designed to work with no additional configuration of the services required for backing up over a network connection. CCC uses rsync over an ssh tunnel to perform the backup. If you do make modifications to the sshd configuration, consider how that may affect your backup. For example, CCC requires use of the root account over ssh. If you set the "PermitRootLogin" key in the sshd_config file to "no", you will not be able to use CCC to or from that machine. It's an important distinction to note that the root account does not have to be enabled, but sshd must permit the use of the root account. The "PubkeyAuthentication" key must also not be set to "no", because Public Key Authentication is required for CCC to authenticate to the remote Mac.
Troubleshooting connectivity problems to a remote Macintosh
Problems connecting to a remote Macintosh generally are caused by configuration problems with the Remote Login service on the remote Macintosh. Try the following if you are having trouble making a backup to a remote Mac:
- Verify that the Remote Login service is enabled in the Sharing preference pane on the Remote Macintosh.
- Verify that access to the Remote Login service is allowed for "All users".
- Confirm that you have created an "Authentication Credentials Installer Package" on the local Mac, then transferred it to the remote Mac and installed it there.
- Verify that your firewall and the remote Mac's firewall permits traffic on port 22. If you have an application firewall in place (e.g. Little Snitch), verify that access is granted to CCC's privileged helper tool, "com.bombich.ccchelper".
- If your local Mac and remote Mac are not on the same network (e.g. you're connecting across a VPN or through a router and over the Internet), confirm that a connection can be established between the two Macs. How you do this will vary from one scenario to the next, but you can generally verify connectivity by typing "ssh root@192.168.1.1" into the Terminal application (replace 192.168.1.1 with the hostname or IP address of your remote Mac). If you see a request for a password, then connectivity is established. If not, your network configuration isn't permitting the traffic or the hostname that you're connecting to is invalid or unavailable. If you are accessing a remote Mac that is behind a router, consult the router's port forwarding documentation and verify that port 22 traffic is directed to the internal IP address of the remote Mac.
VPN and port forwarding configuration is outside of the scope of support for CCC, though our support staff will make every effort to identify whether problems occur within that configuration or within the service configuration on your remote Mac. If you have worked through the troubleshooting steps above and are still having trouble backing up to a remote Macintosh, please choose "Report a problem" from CCC's Help menu and submit a support request.
After submitting the support request, there's one more thing you can do to collect some information about the connectivity problem between the two Macs:
- Copy Remote Authentication Debugger to both Macs
- Open the Remote Authentication Debugger application on the remote Mac (this will temporarily place the Remote Login service on the remote Mac into debugging mode).
- Open the Remote Authentication Debugger application on the local Mac and enter the remote host information for the Remote Mac when prompted.
- The Remote Authentication Debugger application will attempt to connect to the remote Mac using the CCC authentication keys. The debug information will then be collected into reports on the Desktop of both Macs. Please attach those two reports to the automatic email reply that you received when you submitted a support request to our Help Desk.
Meraki router intercepts Secure Shell traffic
Some users that have a Meraki router involved in their configuration have reported that its default configuration will interrupt Secure Shell traffic. The firewall rule that causes interference is in place to protect the network from vulnerabilities that are irrelevant between two modern Macs. Nonetheless, the firewall intercepts traffic after initially allowing a connection, which is presented by CCC as a "lost connection" or a failure to authenticate to the remote Mac. The following steps correct the Meraki configuration concern:
- Log into the Meraki as an administrative user and open the "Security report"
- Filter the log for SSH events
- Click the "SSH_EVENT_REPOVERFLOW" event from the list to open it and review the blocked event
- To allow the blocked traffic of this type, click "Yes" to add this event to the whitelist.
macOS Sierra requires newer authentication credentials
OpenSSH in macOS Sierra requires RSA key pairs when using public key authentication. In the past, CCC created DSA key pairs. When you upgrade your local or remote Macintosh to Sierra, authentication will fail. To correct this problem, simply recreate the Authentication Credentials Installer Package and reinstall it on the remote Macintosh:
- Open CCC and select your backup task
- Select Remote Macintosh from the source or destination selector (whichever is applicable to your backup task)
- Click the Create Authentication Credentials button
- When CCC has completed creating the installer, copy the installer package from your Desktop to the remote Mac and install it there
- Run your backup task again
A note about access privileges to backed up data
While logged in to your remote Macintosh, you may not have permission to view the contents of your backup in the Finder. Your access to the files will be based on the unique id that is associated with the user account that you're logged in to on the remote Macintosh and the one associated with the account(s) on the other Mac(s) that you're backing up. The first administrator account always gets a uid of "501", and subsequent accounts are assigned incrementally higher uids — 502, 503, etc. For security and privacy purposes, macOS restricts access to the contents of user home directories to the owners of those home directories, and these restrictions are preserved when your data is backed up to a remote Macintosh.
To learn what user id is associated with your account:
- Open System Preferences and click on the User Accounts preference pane.
- Click on the lock and authenticate.
- Control+click on your account in the accounts table and choose "Advanced options".
You will see your User ID in the panel that appears.
This may be annoying from the perspective of trying to access those files on your remote Macintosh, but it is important for CCC to preserve the ownership and permissions information when backing up your data. If/when you want to do a restore, you could do either of the following:
a) Attach the external drive directly to the machine that you want to restore files to — the accounts on those systems will be able to access their backed up files.
b) Do a restore directly within CCC from the original source Macintosh.
If you must have read access to some of this data (e.g. the original Mac is gone, the user account changed, etc.), you can change the ownership of the home folder and its contents in the Finder:
- Choose "Get Info" from Finder's File menu.
- In the "Sharing and Permissions" section at the bottom, click on the lock icon to make the permissions editable.
- Click on the "+" button.
- In the window that appears, select your account, then click the Select button.
- Set the access privileges to "Read & Write".
- Click on the Gear menu and choose to apply the change to enclosed items.