Carbon Copy Cloner offers the option of securely copying your selected data to another Macintosh on your network (or anywhere on the Internet for that matter) via the Remote Macintosh... options in the Source and Destination selectors. After a brief setup procedure to establish trust between your Mac and the destination Mac, simply choose the source or destination volume/folder on the remote Mac and CCC will take care of the rest.
Before setting up CCC to back up to a remote Macintosh, you must:
- Confirm that the remote Macintosh is running a supported OS (OS X 10.7 or later)
- Enable Remote Login in the Sharing Preference Pane on the remote Macintosh
- Verify that any firewalls between the two Macs are permitting "secure shell" traffic over port 22 (or a custom port that you specify).
To enable Remote Login on your remote Macintosh:
- Log in to that machine as an admin user.
- Open the System Preferences application.
- Open the Sharing Preference Pane.
- Check the box next to Remote Login.
- Be sure to allow access to All users, or explicitly add the Administrators group to the list of restricted users and groups.
- Make a note of your remote Mac's hostname. The hostname is indicated underneath the Computer Name text field. In the screenshot below, "Apollo.local" is the hostname of the remote Macintosh.
Configuring a Remote Macintosh source or destination
With the Remote Login service enabled on the remote Mac, the next step is to choose Remote Macintosh... from CCC's Source or Destination selector. CCC will present a browser that lists any hosts on your local network that advertise the Remote Login service. Find and select your remote Mac in this list, then click the Connect button. If you do not see your Mac listed here, type in the hostname of your remote Mac, then click the Connect button. If the remote Mac is not on your local network, you may need to specify the IP address of the public-facing router that your Mac resides behind. Be sure to configure the router to forward port 22 traffic to the IP address that is assigned to the remote Mac.
Once CCC has established a connection to the remote Mac, you will be prompted to install a Mac-specific Public Key Authentication (PKA) key pair onto the remote Mac. You must provide the username and password of an admin user on the remote Mac to permit this, and that admin user must have a non-blank password. Those requirements are only for the initial public key installation. For future authentication requests, CCC will use the PKA key pair.
Note: This step establishes a high level of trust between the local and remote Mac; this is required to correctly preserve system files. The local Mac will have access to all data on the remote Mac, and administrative users on the remote Mac can gain access to the data that you back up to that Mac. Both Macs should be within your administrative control.
Once you have connected to the remote Mac and installed CCC's key on that system, CCC will present a volume browser. Select the volume or folder to use as the source or destination for your task. Note: avoid selecting a volume or folder that contains an apostrophe (').
CCC offers two options that can help you address bandwidth concerns. The option to Compress data passed over the network can greatly reduce your backup time and total bandwidth used. The time savings depend on just how slow the connection is between the two Macs. If you have a connection that is slower than 10MB/s, compression will make the transfer faster. If your bandwidth is better than that, compression may actually slow down your transfer. CCC will not compress certain file types that are already compressed, such as graphics files, movies, and compressed archives. Specifying the option to compress data passed over the network does not create a proprietary or compressed backup; files are automatically decompressed on the destination volume on the remote Macintosh.
CCC also offers a bandwidth limitation option. If your ISP requires that your transfers stay below a certain rate, you can specify that rate here. Note that CCC errs on the conservative side with this rate, so the average transfer rate may be slightly lower than the limitation that you specify.
De-authenticating a remote Macintosh
If you no longer wish to use a particular remote Macintosh, you can click the Deauthenticate... button to remove CCC's PKA key pair from the remote Mac.
At this time, CCC requires the use of the root account (though it does not have to be enabled) on both the source and destination Macs. To successfully back up to a remote Macintosh, you must have administrative privileges on both machines.
CCC also requires that the remote Macintosh be running macOS 10.7 or later. Non-Macintosh systems are not supported with the Remote Macintosh feature.
Note for Yosemite, El Capitan, & Sierra users: If your source contains macOS Yosemite (or later) system files, the Remote Macintosh must be running macOS 10.9.5 or later. If the Remote Macintosh is not running 10.9.5 or later and you attempt to back up macOS Yosemite (or later) system files, the backup task will report numerous "Input/output" ("Media") errors. Filesystem changes introduced on Yosemite cannot be accommodated by older OSes. Apple added support for those filesystem changes in 10.9.5 to offer a modest amount of backwards compatibility.
Carbon Copy Cloner's public key-based authentication is designed to work with no additional configuration of the services required for backing up over a network connection. CCC uses rsync over an ssh tunnel to perform the backup. If you do make modifications to the sshd configuration, you should consider how that may affect your backup. For example, CCC requires use of the root account over ssh. If you set the "PermitRootLogin" key in the sshd_config file to "no", you will not be able to use CCC to or from that machine. It's an important distinction to note that the root account does not have to be enabled, but sshd must permit the use of the root account. The "PubkeyAuthentication" key must also not be set to "no", because Public Key Authentication is required for CCC to authenticate to the remote Mac. CCC will attempt to proactively present these configuration scenarios to you if authentication problems are encountered.
Additionally, the initial Public Key Authentication (PKA) setup requires the use of an admin user on the remote Macintosh. That admin user account must have a non-blank password, and the Remote Login service must permit password-based authentication. These requirements apply only to the initial installation of CCC's PKA credentials. Once CCC has installed these credentials on the remote Mac, CCC will use PKA for authentication to the remote Mac.
Problems connecting to a remote Macintosh generally are caused by configuration problems with the Remote Login service on the remote Macintosh. Try the following if you are having trouble making a backup to a remote Mac:
- Verify that the Remote Login service is enabled in the Sharing preference pane on the Remote Macintosh.
- Verify that access to the Remote Login service is allowed for All users.
- Re-select Remote Macintosh from CCC's Source or Destination selector and verify that authenticaiton to the remote Mac is configured.
- Verify that your firewall and the remote Mac's firewall permits traffic on port 22. If you have an application firewall in place (e.g. Little Snitch), verify that access is granted to CCC's privileged helper tool, "com.bombich.ccchelper".
- If your local Mac and remote Mac are not on the same network (e.g. you're connecting across a VPN or through a router and over the Internet), confirm that a connection can be established between the two Macs. How you do this will vary from one scenario to the next, but you can generally verify connectivity by typing "ssh firstname.lastname@example.org" into the Terminal application (replace 192.168.1.1 with the hostname or IP address of your remote Mac). If you see a request for a password, then connectivity is established. If not, your network configuration isn't permitting the traffic, or the hostname that you're connecting to is invalid or unavailable. If you are accessing a remote Mac that is behind a router, consult the router's port forwarding documentation and verify that port 22 traffic is directed to the internal IP address of the remote Mac.
VPN and port forwarding configuration is outside of the scope of support for CCC, though our support staff will make every effort to identify whether problems are occurring within that configuration or within the service configuration on your remote Mac. If you have worked through the troubleshooting steps above and are still having trouble backing up to a remote Macintosh, please choose Report a problem from CCC's Help menu and submit a support request.
Meraki router intercepts Secure Shell traffic
Some users that have a Meraki router involved in their configuration have reported that its default configuration will interrupt Secure Shell traffic. The firewall rule that causes interference is in place to protect the network from vulnerabilities that are irrelevant between two modern Macs. Nonetheless, the firewall intercepts traffic after initially allowing a connection, which is presented by CCC as a "lost connection" or a failure to authenticate to the remote Mac. The following steps correct the Meraki configuration concern:
- Log into the Meraki as an administrative user and open the "Security report"
- Filter the log for SSH events
- Click the "SSH_EVENT_REPOVERFLOW" event from the list to open it and review the blocked event
- To allow the blocked traffic of this type, click "Yes" to add this event to the whitelist.
Thomson Gateway router intercepts Secure Shell traffic
Similar to the problem described above for Meraki router, the Thomson Gateway router can also cause interference that appears as an authentication failure. Forwarding traffic to a non-standard secure shell port (e.g. 2222, then be sure to specify that port when connecting to the Remote Macintosh in CCC) resolves the problem.
While logged in to your remote Macintosh, you may not have permission to view the contents of your backup in the Finder. Your access to the files will be based on the unique id that is associated with the user account that you're logged in to on the remote Macintosh and the one associated with the account(s) on the other Mac(s) that you're backing up. The first administrator account always gets a uid of "501", and subsequent accounts are assigned incrementally higher uids — 502, 503, etc. For security and privacy purposes, macOS restricts access to the contents of user home directories to the owners of those home directories, and these restrictions are preserved when your data is backed up to a remote Macintosh.
To learn what user id is associated with your account:
- Open System Preferences and click on the User Accounts preference pane.
- Click on the lock and authenticate.
- Control+click on your account in the accounts table and choose "Advanced options".
You will see your User ID in the panel that appears.
This may be annoying from the perspective of trying to access those files on your remote Macintosh, but it is important for CCC to preserve the ownership and permissions information when backing up your data. If/when you want to do a restore, you could do either of the following:
a) Attach the external drive directly to the machine that you want to restore files to — the accounts on those systems will be able to access their backed up files.
b) Do a restore directly within CCC from the original source Macintosh.
If you must have read access to some of this data (e.g. the original Mac is gone, the user account changed, etc.), you can change the ownership of the home folder and its contents in the Finder:
- Choose Get Info from Finder's File menu.
- In the Sharing and Permissions section at the bottom, click on the lock icon to make the permissions editable.
- Click on the + button.
- In the window that appears, select your account, then click the Select button.
- Set the access privileges to Read & Write.
- Click on the Gear menu and choose to apply the change to enclosed items.