Re: Backups between servers

To: debian-isp@lists.debian.org
Subject: Re: Backups between servers
From: Robert Tasarz <robert.tasarz@greentech.pl>
Date: Wed, 9 Feb 2005 09:25:04 +0100
Message-id: <[🔎] 20050209082504.GA4913@mentat.greentech.pl>
In-reply-to: <[🔎] 52032.68.93.109.36.1107917838.squirrel@client.dailydata.net>
References: <[🔎] 52032.68.93.109.36.1107917838.squirrel@client.dailydata.net>

On Tue, Feb 08, 2005 at 08:57:18PM -0600, Rod Rodolico wrote:
> I have three web servers and would like them to back each other up.
> They host around 60 sites and a couple of hundred e-mail accounts.
> They are on the same subnet.
> 
> In the past I have allowed root on one machine to ssh into the
> others as "authorized keys" so I could run rsync as a cron job. It
> works, but I'm worried about security. If the "master" machine is
> ever cracked, it gives a good loophole into the others.
> 
> Any suggestions? Is there a way to authorize a machine to only
> execute a limited set of commands on another (ie, rsync).

Take a look at:
http://lts2www.epfl.ch/~jost/rsync.html

In short - you can setup ssh to allow running only rsync:
Add to your /root/.ssh/authorized_keys something like that (or better - have
only such lines in this file):

command="/root/bin/validate_rsync", ssh-dss PUBLIC_KEY localuser@localhost

Where validate_rsync is like:
#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
rsync\ --server\ -vlogDtprz\ --delete\ .\ /backup_directory*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac

Regards,
  Robert Tasarz

Reply to:

Follow-Ups:
- Re: Backups between servers
  - From: "Rod Rodolico" <stargazer@rodolico.org>

References:
- Backups between servers
  - From: "Rod Rodolico" <stargazer@rodolico.org>

Prev by Date: Re: Backups between servers
Next by Date: Re: Backups between servers
Previous by thread: Re: Backups between servers
Next by thread: Re: Backups between servers
Index(es):
- Date
- Thread