Re: Question about ssh passwords and backup software

To: debian-user@lists.debian.org
Subject: Re: Question about ssh passwords and backup software
From: Chris Davies <chris-usenet@roaima.co.uk>
Date: Mon, 13 Feb 2012 18:51:26 +0000
Message-id: <[🔎] em2o09x547.ln2@news.roaima.co.uk>
Reply-to: chris@roaima.co.uk
References: <[🔎] 20120213173652.GA26236@big.lan.gnu> <[🔎] 4F394B4D.9090109@biotec.tu-dresden.de>

Alex Mestiashvili <alex@biotec.tu-dresden.de> wrote:
> I would simply use a passwordless ssh-key with a wrapper on the remote
> side which allows to run only the backup command .

I'd agree with this, but use passwordless public/private keys with a
restricted target command. See man sshd and the AUTHORIZED_KEYS FILE
FORMAT section for some details. An example would be something like this
in the target machine's .ssh/authorized_keys file:

command="backup-service",no-pty,no-port-forwarding ssh-rsa BLAHBLAHBLAH...

The "backup-service" script can look at the SSH_ORIGINAL_COMMAND variable
to sanity-check it before execution. So, if your client-side backup script
really wants to use rsync, it can do so (and SSH_ORIGINAL_COMMAND would
contain the entire command line ready for the server to execute once it
was happy it was "safe" to do so).

Chris

Reply to:

Follow-Ups:
- Re: Question about ssh passwords and backup software
  - From: vogelke+debian@pobox.com (Karl Vogel)

References:
- Question about ssh passwords and backup software
  - From: Paul E Condon <pecondon@mesanetworks.net>
- Re: Question about ssh passwords and backup software
  - From: Alex Mestiashvili <alex@biotec.tu-dresden.de>

Prev by Date: Re: Aptana and Iceweasel
Next by Date: Re: how are html pages printed?
Previous by thread: Re: Question about ssh passwords and backup software
Next by thread: Re: Question about ssh passwords and backup software
Index(es):
- Date
- Thread