Re: backup user
Sam Vilain <sam@vilain.net> writes:
> Boris Daix <Boris.Daix@insa-lyon.fr> wrote:
>
>> - Can I safely give an SSH key to my backup user without any
>> passphrase so that it could be automated via cron?
>
> You can use `ssh-keygen -f single_action_key' to create a key for remote execution of scripts.
>
> On the remote end, add this key to the `.ssh/authorized_keys' file. You should add a forced command so that only one command may be executed with that key.
Good, really interesting!
> For rsync(1), you need to capture the exact switches of the rsync server
> command.
But I use rsync like a remote copy tool (scp), so do I need this? If
so, I need tips to better understand what follows... :-)
> To do this, you can use this script on the destination server:
>
> #!/usr/bin/perl
> # Stand-in for the server-side rsync: record the arguments the client
> # sends ("--server ...") so they can be copied into the forced command.
> open CAPTURE, ">$ENV{HOME}/capture.log" or die "capture.log: $!";
> print CAPTURE "@ARGV\n";
> close CAPTURE;
>
> Then add --rsync-path=/path/to/script to your rsync command line. This
> will leave something similar to the following in the destination
> ~/capture.log:
>
> --server -vlgtpr --partial . yourhost
>
> So, you would use an authorized_keys entry like this (all one line):
>
> command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,1024 35 23...2334 Server backup key
>
> For more complete security, you could add a `chroot' jail to the above
> command.
Are jails useful with rsync used like scp?
>> - Is amanda appropriate for this task and would it be more secure
>> to use it instead?
>> - If it is insecure, how would I do such backups without having to
>> enter passphrase/passwd?
>
> System backups are always an easy entry point; very often they contain
> things like secret keys to encryption, etc., that will allow a malicious
> user to pretend to be the machine that they have access to the backups of.
> Protect your backups carefully!
Yes, I've encrypted them via gpg :-)
> --
> Sam Vilain, sam@vilain.net          WWW: http://sam.vilain.net/
> GPG: 7D74 2A09 B2D3 C30F F78E 278A A425 30A9 05B5 2F13
>      http://sam.vilain.net/sam.asc
>
> Real Programmers don't write in Fortran. Fortran is for wimp
> engineers who wear white socks. They get excited over finite state
> analysis and nuclear reactor simulation.
>
many thanks
--
Boris Daix
"Feel free to be free, or not to be..."
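[Editor's added example, not part of either message above.] Sam's recipe pins the key to one literal rsync server command in authorized_keys. A variant that is easier to audit is to make the forced command a small wrapper script: sshd then puts whatever the client actually requested into $SSH_ORIGINAL_COMMAND, and the wrapper runs the captured rsync invocation only if the request matches it exactly, logging anything else. The wrapper path (/usr/local/bin/backup-wrapper), the destination path (/srv/backup) and the flag string are assumed values for illustration; the flag string on a real box must come from the capture step Sam describes.

```sh
#!/bin/sh
# Added example (not from the original thread): a forced-command wrapper
# for a passphrase-less backup key. sshd runs this script instead of the
# client's command and exposes the client's request in $SSH_ORIGINAL_COMMAND.
# Paths and the flag string below are assumptions; take the real string
# from the capture.log step in the thread.

EXPECTED='rsync --server -vlogDtpr --partial . /srv/backup'

# check_command: return 0 only when the requested command is byte-for-byte
# the expected rsync server invocation, 1 otherwise. Exact comparison (no
# globbing, no eval of the request) is the whole point of the wrapper.
check_command() {
    [ "$1" = "$EXPECTED" ]
}

# authorized_keys_line: build the authorized_keys entry that ties a public
# key to this wrapper and disables everything else the key could do
# (port/X11/agent forwarding, pty). $1 = wrapper path, $2 = public key text.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# When sshd invokes us as the forced command, enforce the check. Rejected
# requests go to syslog so a misconfigured client (or a stolen key being
# tried for something else) is visible to monitoring.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        # shellcheck disable=SC2086  (word splitting of EXPECTED is intended)
        exec $EXPECTED
    else
        logger -t backup-key "rejected command from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
        echo "command not permitted" >&2
        exit 1
    fi
fi
```

Install the script on the destination host, generate the entry with `authorized_keys_line /usr/local/bin/backup-wrapper "$(cat single_action_key.pub)" >> ~/.ssh/authorized_keys`, and keep the client's rsync options fixed: changing them changes the server-side string and the wrapper will (correctly) refuse the run.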