[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: utilisateur backup

Sam Vilain <sam@vilain.net> writes:

> Boris Daix <Boris.Daix@insa-lyon.fr> wrote:
>>    - Can I safely give an SSH key to my backup user without any
>>      passphrase so that it could be automated via cron ?
> You can use `ssh-keygen -f single_action_key' to create a key for remote execution of scripts.
> On the remote end, add this key to the `.ssh/authorized_keys' file.  You should add a forced command so that only one command may be executed with that key.

Good, really interesting !

> For rsync(1), you need to capture the exact switches of the rsync server
> command. 

But I use rsync like a remote copy tool (scp), so do I need this ? If
so, I need tips to better understand what follows... :-)

> To do this, you can use this script on the destination server:
> #!/usr/bin/perl
> open CAPTURE, ">$ENV{HOME}/capture.log";
> print CAPTURE "@ARGV\n";
> close CAPTURE;
> Then add --rsync-path=/path/to/script to your rsync command line.  This
> will leave something similar to the following in the destination
> ~/capture.log:
> --server -vlgtpr --partial . yourhost
> So, you would use an authorized_keys entry like this (all one line):
> command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,1024 35 23...2334 Server backup key
> For more complete security, you could add a `chroot' jail to the above
> command.

Are jails useful with rsync used like scp ?

>>    - Is amanda appropriate for this task and would it be more secure
>>      to use it instead ?
>>    - If it is unsecure, how would I do such backups without having to
>>      enter passpgrase/passwd ?
> System backups are always an easy entry point, very often they contain
> things like secret keys to encryption, etc that will allow a malicious
> user to pretend to be the machine that they have access to the backups of.
>  Protect your backups carefully!

Yes, I've crypted them via gpg :-)

> --
>    Sam Vilain, sam@vilain.net     WWW: http://sam.vilain.net/
>     7D74 2A09 B2D3 C30F F78E      GPG: http://sam.vilain.net/sam.asc
>     278A A425 30A9 05B5 2F13
> Real Programmers don't write in Fortran.  Fortran is for wimp       
> engineers who wear white socks.  They get excited over finite state
> analysis and nuclear reactor simulation.

many thanks

Boris Daix

	"Feel free to be free, or not to be..."

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: