[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: utilisateur backup

Boris Daix <Boris.Daix@insa-lyon.fr> wrote:

>    - Can I safely give an SSH key to my backup user without any
>      passphrase so that it could be automated via cron ?

You can use `ssh-keygen -f single_action_key' to create a key for remote execution of scripts.

On the remote end, add this key to the `.ssh/authorized_keys' file.  You should add a forced command so that only one command may be executed with that key.

For rsync(1), you need to capture the exact switches of the rsync server
command.  To do this, you can use this script on the destination server:

open CAPTURE, ">$ENV{HOME}/capture.log";
print CAPTURE "@ARGV\n";
close CAPTURE;

Then add --rsync-path=/path/to/script to your rsync command line.  This
will leave something similar to the following in the destination

--server -vlgtpr --partial . yourhost

So, you would use an authorized_keys entry like this (all one line):

command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,1024 35 23...2334 Server backup key

For more complete security, you could add a `chroot' jail to the above

>    - Is amanda appropriate for this task and would it be more secure
>      to use it instead ?
>    - If it is unsecure, how would I do such backups without having to
>      enter passpgrase/passwd ?

System backups are always an easy entry point, very often they contain
things like secret keys to encryption, etc that will allow a malicious
user to pretend to be the machine that they have access to the backups of.
 Protect your backups carefully!
   Sam Vilain, sam@vilain.net     WWW: http://sam.vilain.net/
    7D74 2A09 B2D3 C30F F78E      GPG: http://sam.vilain.net/sam.asc
    278A A425 30A9 05B5 2F13

Real Programmers don't write in Fortran.  Fortran is for wimp       
engineers who wear white socks.  They get excited over finite state
analysis and nuclear reactor simulation.

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: