Re: backup user
Boris Daix <Boris.Daix@insa-lyon.fr> wrote:
> - Can I safely give an SSH key to my backup user without any
> passphrase so that it could be automated via cron ?
You can use `ssh-keygen -f single_action_key' to create a key for remote execution of scripts.
On the remote end, add this key to the `.ssh/authorized_keys' file. You should add a forced command so that only one command may be executed with that key.
For rsync(1), you need to capture the exact switches of the rsync server
command. To do this, you can use this script on the destination server:
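#!/usr/bin/perl
# Log the arguments the rsync client passes to the server side.
use strict;
use warnings;
open my $capture, '>', "$ENV{HOME}/capture.log" or die "capture.log: $!";
print $capture "@ARGV\n";
close $capture;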
Then add --rsync-path=/path/to/script to your rsync command line. This
will leave something similar to the following in the destination
~/capture.log:
--server -vlgtpr --partial . yourhost
So, you would use an authorized_keys entry like this (all one line):
command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 1024 35 23...2334 Server backup key
For more complete security, you could add a `chroot' jail to the above
command.
> - Is amanda appropriate for this task and would it be more secure
> to use it instead ?
> - If it is unsecure, how would I do such backups without having to
> enter passphrase/passwd ?
System backups are always an easy entry point; very often they contain
things like secret keys to encryption, etc., that will allow a malicious
user to pretend to be the machine that they have access to the backups of.
Protect your backups carefully!
--
Sam Vilain, sam@vilain.net WWW: http://sam.vilain.net/
7D74 2A09 B2D3 C30F F78E GPG: http://sam.vilain.net/sam.asc
278A A425 30A9 05B5 2F13
Real Programmers don't write in Fortran. Fortran is for wimp
engineers who wear white socks. They get excited over finite state
analysis and nuclear reactor simulation.
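Added example, not part of the original message: a Python check that reads authorized_keys entries and reports any key lacking a forced command or the four restrictions used in the entry above. The sample file, its placeholder key material and the dump.sh path are constructed; `restrict` is the OpenSSH option that implies those restrictions.

```python
import re

# Restrictions the entry on this page sets next to command="..." (lower-cased).
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
# A line with no options starts with a key type, or the bit count of an SSH1 key.
KEY_START = re.compile(r"(ssh-|ecdsa-|sk-|\d+$)")

def parse_options(line):
    """Return the options field of one authorized_keys line as a dict."""
    if KEY_START.match(line.split(None, 1)[0]):
        return {}
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 1      # escaped quote inside a value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not quoted:
            break                          # end of options, key follows
        else:
            buf += ch
        i += 1
    opts.append(buf)
    return {name.lower(): value for name, _, value in (o.partition("=") for o in opts)}

def audit(text):
    """Map line number -> problems for keys that are not locked down."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        problems = [] if opts.get("command") else ["no forced command"]
        if "restrict" not in opts:         # OpenSSH's restrict implies all four
            problems += sorted("missing " + r for r in REQUIRED - opts.keys())
        if problems:
            findings[n] = problems
    return findings

# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = """\
command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAplaceholder Server backup key
ssh-ed25519 AAAAplaceholder admin@laptop
command="/usr/local/bin/dump.sh",no-pty ssh-ed25519 AAAAplaceholder cron key
"""

if __name__ == "__main__":
    for n, problems in audit(SAMPLE).items():
        print(f"line {n}: {', '.join(problems)}")
```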