
Re: Backups between servers



Thanks, I finally got around to doing this. Works very nice and I
feel much more secure. One caveat to anyone else trying this; in
authorized_keys, the space after the comma separating the optional
command parameter and the actual key is required!

Again, thanks for all the help. Works very nicely.

Rod



> On Tue, Feb 08, 2005 at 08:57:18PM -0600, Rod Rodolico wrote:
>> I have three web servers and would like them to back each other
>> up.
>> They host around 60 sites and a couple of hundred e-mail accounts.
>> They are on the same subnet.
>>
>> In the past I have allowed root on one machine to ssh into the
>> others as "authorized keys" so I could run rsync as a cron job. It
>> works, but I'm worried about security. If the "master" machine is
>> ever cracked, it gives a good loophole into the others.
>>
>> Any suggestions? Is there a way to authorize a machine to only
>> execute a limited set of commands on another (i.e., rsync)?
>
> Take a look at:
> http://lts2www.epfl.ch/~jost/rsync.html
>
> In short - you can set up ssh to allow running only rsync:
> Add to your /root/.ssh/authorized_keys something like that (or better -
> have only such lines in this file):
>
> command="/root/bin/validate_rsync", ssh-dss PUBLIC_KEY localuser@localhost
>
> Where validate_rsync is like:
> #!/bin/sh
>
> # sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND;
> # only the expected rsync server invocation is allowed through.
> case "$SSH_ORIGINAL_COMMAND" in
>     *\&*)
>         echo "Rejected"
>         ;;
>     *\;*)
>         echo "Rejected"
>         ;;
>     rsync\ --server\ -vlogDtprz\ --delete\ .\ /backup_directory*)
>         $SSH_ORIGINAL_COMMAND
>         ;;
>     *)
>         echo "Rejected"
>         ;;
> esac
>
> Regards,
>   Robert Tasarz
>
>


-- 
Meddle not in the Affairs of Dragons
    for thou art crunchy, and good with catsup.
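A stricter version of the forced-command validator quoted above, added here as an illustration (it is not code from the thread or from the linked page): instead of filtering a couple of metacharacters and matching the destination by prefix, it compares the whole command string against the one allowed rsync invocation and restricts any subdirectory to a safe character set. RSYNC_BIN and /backup_directory are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a stricter forced-command
# validator in the style of the quoted validate_rsync. RSYNC_BIN and
# /backup_directory are assumed placeholders; adjust them for your hosts.
export LC_ALL=C

RSYNC_BIN=/usr/bin/rsync
# Exact rsync server invocation the pulling side is allowed to trigger.
ALLOWED_PREFIX='rsync --server -vlogDtprz --delete . /backup_directory'

# validate_rsync_cmd CMD: return 0 if CMD is exactly the allowed invocation,
# optionally followed by a subdirectory made of safe characters; else 1.
# Matching the whole string (rather than filtering a few metacharacters)
# means ';', '&', '|', '`', '$(', newlines and '..' never get a chance.
validate_rsync_cmd() {
    cmd=$1
    case "$cmd" in
        "$ALLOWED_PREFIX")   return 0 ;;  # exact match, no subdirectory
        "$ALLOWED_PREFIX"/*) : ;;         # subdirectory: vet the remainder
        *)                   return 1 ;;  # anything else, e.g. /backup_directory_x
    esac
    rest=${cmd#"$ALLOWED_PREFIX"/}
    case "$rest" in
        *..*)               return 1 ;;   # no parent-directory traversal
        *[!A-Za-z0-9_./-]*) return 1 ;;   # no spaces or shell metacharacters
    esac
    return 0
}

# Entry point when sshd runs this script via command="..." in authorized_keys.
# Runs the rsync binary directly with the vetted words, never through "sh -c".
run_forced_command() {
    if validate_rsync_cmd "${SSH_ORIGINAL_COMMAND-}"; then
        set -f                        # no globbing while word-splitting
        set -- $SSH_ORIGINAL_COMMAND
        shift                         # drop the leading "rsync" word
        exec "$RSYNC_BIN" "$@"
    fi
    logger -t validate_rsync "rejected: $SSH_ORIGINAL_COMMAND"
    echo "Rejected" >&2
    exit 1
}

# Act as the forced command only when sshd passed a client command; an
# interactive login attempt (variable unset) simply gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    run_forced_command
fi
```

Install it as the command="..." target for the backup key and watch the rejected entries in syslog to spot a peer that starts asking for anything other than the agreed rsync call.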



