On 12/17/06, Thorsten Schmidt <meine_mailings@web.de> wrote:
However, this requires alpha having an ssh-key. Furthermore, I'm not in charge of alpha's security, thus I have to make sure that an attacker who gained access to alpha's ssh-key is not able to compromise beta (well, he might be able to delete / modify the backed-up data, but this might be circumvented by regularly tarring the backed-up data). Thus my question is: How should I configure / secure beta to prevent this?
Something that we've done in the past is to run some sort of vpn solution (openswan or openvpn), and then to use straight rsync (rather than rsync over ssh). That pretty much removes the dangers of giving ssh access (which could potentially hand someone a shell). Using ssl keys with your vpn solution means that you get the same private/public key advantages as with ssh. Of course he'd still be able to abuse a hole in rsync, but I think the risk is at least lower.
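As an added illustration that is not part of the original messages: a minimal `rsyncd.conf` for beta, matching the setup described in the reply (plain rsync daemon reachable only through the VPN, no ssh account for alpha). The VPN addresses, module name, user name and paths are assumptions chosen for the example.

```ini
# /etc/rsyncd.conf on beta (example values, adjust to your environment)

# Listen only on beta's VPN-side address (assumed 10.8.0.1), so the
# daemon is not reachable from the public interface at all.
address = 10.8.0.1
port = 873

# Run transfers chrooted into the module path as an unprivileged user.
use chroot = yes
uid = backup
gid = backup
max connections = 2
log file = /var/log/rsyncd.log

[alpha-backup]
    # Hypothetical module name and target directory.
    path = /srv/backup/alpha
    comment = push target for alpha

    # Only alpha's VPN address (assumed 10.8.0.2) may connect.
    hosts allow = 10.8.0.2
    hosts deny = *

    # alpha may upload but cannot read back or list what is stored.
    read only = false
    write only = true
    list = false

    # Separate rsync-level credential, independent of any ssh key.
    # The secrets file must not be readable by other users.
    auth users = alpha
    secrets file = /etc/rsyncd.secrets

    # Refuse every --delete* option from the client. Overwriting
    # existing files with new content is still possible, so periodic
    # snapshots of the directory (for example tar archives kept
    # outside the module path) remain necessary.
    refuse options = delete
```

With this in place a stolen credential from alpha gives access to one write-only module and nothing else on beta; it does not protect against a flaw in the rsync daemon itself, as the reply notes.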