1 |
>> >> > You can seperate the backups by giving each system a different |
2 |
>> >> > account |
3 |
>> >> > where to store the backups. |
4 |
>> >> |
5 |
>> >> I'm not sure what you mean. The backups are all stored on the backup |
6 |
>> >> server. |
7 |
>> > |
8 |
>> > Each machine to be backed up has a different account on the backup |
9 |
>> > server. This will prevent machine A from accessing the backups of |
10 |
>> > machine B. |
11 |
>> > |
12 |
>> > This way, if one machine is compromised, only this machines backups can |
13 |
>> > be accessed using the access-keys for the backup. And this machines |
14 |
>> > keys can then be revoked without affecting other backups. |
15 |
>> |
16 |
>> That's a great idea. I will do that. Should that backup account have |
17 |
>> any special configuration, or just a standard new user? |
18 |
> |
19 |
> I would suspect just a standard new user with default permissions. |
20 |
> Eg. only write-access to his/her own files. |
21 |
> |
22 |
> And I'd prevent that user account from being able to get a shell-account. |
23 |
|
24 |
I created the backup users and everything works as long as the backup |
25 |
users have shells on the backup server and are listed in AllowUsers in |
26 |
/etc/ssh/sshd_config on the backup server. Did I do something wrong |
27 |
or should the backup users need shells and to be listed in AllowUsers? |
28 |
|
29 |
Should I set up any extra restrictions for them in sshd_config? |
30 |
Should I set passwords for them? |
31 |
|
32 |
- Grant |
33 |
|
34 |
|
35 |
> A ".bashrc" with "exit" as the last or first entry is a nice touch. Especially |
36 |
> if you set the permissions such that it works for the user but the user can |
37 |
> never change that file. |
38 |
> |
39 |
> -- |
40 |
> Joost |