
Re: backup user

On Fri, Jul 19, 2002 at 03:58:18PM +0200, Mathias Palm wrote:
> >    - Can I safely give an SSH key to my backup user without any
> >      passphrase so that it could be automated via cron ?
> I'd say, the security is that of your original account then. Say there
> are the computers A and B, where A:backup has got access to B:backup by 
> a phraseless ssh-key. You can log on to account A:backup and ssh to
> B:backup because of the phraseless key, therefore the maximum of the
> security you can achieve is the security of account A:backup.

Uhh, no.  You need to read the docs for sshd.  See, in particular, the
             Specifies that the command is executed whenever this key is used
             for authentication.  The command supplied by the user (if any) is
             ignored.  The command is run on a pty if the client requests a
             pty; otherwise it is run without a tty.  If a 8-bit clean channel
             is required, one must not request a pty or should specify no-pty.
             A quote may be included in the command by quoting it with a
             backslash.  This option might be useful to restrict certain RSA keys
             to perform just a specific operation.  An example might be a key
             that permits remote backups but nothing else.  Note that the
             client may specify TCP/IP and/or X11 forwarding unless they are
             explicitly prohibited.  Note that this option applies to shell,
             command or subsystem execution.

So the worst that can happen if the key gets compromised is that the
attacker can trigger a backup of your system.  Conceivably this could be
a DoS, at worst.  But it's a very common setup.  In fact, the standard
method of mirroring Debian involves exactly this type of configuration.

> >    - Is amanda appropriate for this task and would it be more secure
> >      to use it instead ?
> I am using it to backup a bunch of machines on one tape also using
> cron. I found it easy to configure and am quite satisfied. You can even
> configure Amanda in a way that it only transfers changes. On the other
> hand, Amanda is meant to dump backups on tapes. I can't tell you if there
> is an easy way to reconfigure it.

Amanda has no security.  It does not encrypt any of the data going out
over the network.  It doesn't support strong host authentication.  It
can't be tunnelled over ssh.  Tunnelling rdump over ssh is way more
secure than amanda.  Running amanda over an IPsec link is a good
approach, and what I use to backup most of my servers.

> Amanda provides some sort of restricted host access. But I can't tell if
> it would retain a determined attacker.

It supports .amandahosts.  It's similar to .rhosts.  It can also do
kerberos, but most people don't have a kerberos infrastructure.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
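
An added example, not part of the original message: a small audit of an `authorized_keys` file that reports which keys are not pinned to a forced command (the `command="..."` option the quoted sshd documentation describes) and which still allow the TCP/IP or X11 forwarding that the same passage says must be explicitly prohibited. The sample entries, the `/usr/local/bin/run-backup` path and the key placeholders are constructed for illustration; `restrict` is the newer OpenSSH option that disables forwarding in one keyword.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def parse_options(line):
    """Return the options of one authorized_keys line as a dict (None for blanks/comments)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        return {}  # entry starts with the key type: no options at all
    tokens, cur, in_q, prev = [], "", False, ""
    for c in line:
        if c == '"' and prev != "\\":
            in_q = not in_q  # an unescaped quote opens or closes a value
        if not in_q and c in ", \t":
            tokens.append(cur)
            cur = ""
            if c != ",":
                break  # first unquoted whitespace ends the options field
        else:
            cur += c
        prev = c
    opts = {}
    for tok in tokens:
        name, _, val = tok.partition("=")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts[name.lower()] = val  # option names are case-insensitive
    return opts

def audit(text):
    """Map line number -> findings for every key entry in an authorized_keys file."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        opts = parse_options(line)
        if opts is None:
            continue
        findings = [] if opts.get("command") else ["no forced command"]
        for fwd in ("port-forwarding", "x11-forwarding"):
            blocked = "restrict" in opts or "no-" + fwd in opts
            if not blocked or fwd in opts:  # a bare "port-forwarding" re-enables it
                findings.append(fwd + " allowed")
        report[n] = findings
    return report

# Constructed sample; key material is a placeholder, not a real key.
SAMPLE = '''\
# backup keys
command="/usr/local/bin/run-backup",no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER backup@A
command="/usr/local/bin/run-backup --tag \\"nightly, full\\"" ssh-rsa AAAAPLACEHOLDER cron@A
restrict,command="/usr/local/bin/run-backup" ssh-ed25519 AAAAPLACEHOLDER backup@C
ssh-rsa AAAAPLACEHOLDER admin@laptop
'''
```

An empty findings list means the key is confined to its one command with forwarding off, which is the setup the reply describes for a passphraseless cron key.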
