
Re: backup user



Sam Vilain <sam@vilain.net> writes:

> Boris Daix <Boris.Daix@insa-lyon.fr> wrote:
>
>>    - Can I safely give an SSH key to my backup user without any
>>      passphrase so that it could be automated via cron?
>
> You can use `ssh-keygen -f single_action_key' to create a key for remote execution of scripts.
>
> On the remote end, add this key to the `.ssh/authorized_keys' file.  You should add a forced command so that only one command may be executed with that key.

Good, really interesting!

> For rsync(1), you need to capture the exact switches of the rsync server
> command. 

But I use rsync like a remote copy tool (scp), so do I need this? If
so, I need tips to better understand what follows... :-)

> To do this, you can use this script on the destination server:
>
> #!/usr/bin/perl
> use strict;
> use warnings;
> # Record the exact arguments rsync passed to the server-side command.
> open(my $capture, '>', "$ENV{HOME}/capture.log") or die "capture.log: $!";
> print $capture "@ARGV\n";
> close $capture;
>
> Then add --rsync-path=/path/to/script to your rsync command line.  This
> will leave something similar to the following in the destination
> ~/capture.log:
>
> --server -vlgtpr --partial . yourhost
>
> So, you would use an authorized_keys entry like this (all one line):
>
> command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,1024 35 23...2334 Server backup key
>
> For more complete security, you could add a `chroot' jail to the above
> command.

Are jails useful with rsync used like scp?

>>    - Is amanda appropriate for this task and would it be more secure
>>      to use it instead?
>>    - If it is insecure, how would I do such backups without having to
>>      enter passphrase/passwd?
>
> System backups are always an easy entry point, very often they contain
> things like secret keys to encryption, etc that will allow a malicious
> user to pretend to be the machine that they have access to the backups of.
>  Protect your backups carefully!

Yes, I've encrypted them via gpg :-)

> --
>    Sam Vilain, sam@vilain.net     WWW: http://sam.vilain.net/
>     7D74 2A09 B2D3 C30F F78E      GPG: http://sam.vilain.net/sam.asc
>     278A A425 30A9 05B5 2F13
>
> Real Programmers don't write in Fortran.  Fortran is for wimp
> engineers who wear white socks.  They get excited over finite state
> analysis and nuclear reactor simulation.
>

many thanks

-- 
Boris Daix

	"Feel free to be free, or not to be..."
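The authorized_keys entry quoted above pins the key to one fixed rsync server command. A common variant is to point `command=` at a small wrapper script that compares what the client actually asked for (`SSH_ORIGINAL_COMMAND`, which sshd sets when a forced command is in effect) against the captured rsync invocation, runs the known command only on an exact match, and logs everything else. The script below is an added example and is not from the thread or from any Debian package; the allowed command string is the one from the quoted authorized_keys entry, `yourhost` stands for the destination directory as in the thread, and the install path `/usr/local/bin/rsync-only.sh`, the `logger` tag and the use of `SSH_CONNECTION` to detect an sshd session are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a forced-command wrapper for
# a passphrase-less backup key.  Install it as
#   command="/usr/local/bin/rsync-only.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... backup key
# in ~/.ssh/authorized_keys on the destination server.

# The exact server-side command captured with the capture script
# (string taken from the quoted authorized_keys entry; "yourhost" is the
# destination directory placeholder used in the thread).
ALLOWED_RSYNC_CMD='rsync --server -vlogDtpr --partial . yourhost'

# rsync_command_allowed CMD
# Succeeds only when CMD is byte-for-byte the captured rsync server command.
# An empty CMD (client asked for a shell) or any extra text (appended
# commands, different paths, different switches) is rejected.
rsync_command_allowed() {
    [ "$1" = "$ALLOWED_RSYNC_CMD" ]
}

# log_rejected CMD
# Record a refused request in syslog; the client address comes from
# SSH_CLIENT when present (assumed format "addr port port").
log_rejected() {
    client="${SSH_CLIENT%% *}"
    logger -t rsync-only "rejected command from ${client:-unknown}: $1"
}

# Dispatch only inside an sshd session (sshd sets SSH_CONNECTION), so that
# running or sourcing the file elsewhere just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if rsync_command_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Run the fixed command literally rather than the client's string,
        # so nothing the client sent is ever passed to a shell.
        exec rsync --server -vlogDtpr --partial . yourhost
    fi
    log_rejected "${SSH_ORIGINAL_COMMAND:-<none>}"
    exit 1
fi
```

When rsync's client-side switches change, the captured string changes too and the wrapper starts rejecting the backup, which is the intended failure mode: update `ALLOWED_RSYNC_CMD` from a fresh capture rather than loosening the comparison to a pattern match.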


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


