On 08/17/11 13:35, Grant wrote:
>>> Is there a way to
>>> restrict SSH keys to the rsync command?
>>
>> Yes, via the "authorized_keys" file. You can add a "command" directive. This
>> will always force that command to be executed whenever a connection is made
>> using this key.
>
> I'm using the command directive with rdiff-backup like
> command="rdiff-backup --server" but I can't figure out the rsync
> command to specify. Is anyone restricting an SSH key to rsync with
> the command directive?
>

We're doing the same thing for our backups. Here's that chunk of our
documentation, if it's helpful.


=== rdiff-backup Client ===

==== Creating the Remote User ====

First, create a new system user on the backup server. Log in (as root),
and run,

useradd -d /home/<username> -m <username>

The ''-d'' parameter sets the home directory, and ''-m'' creates it
automatically.

The rdiff-backup program uses SSH to synchronize the local and remote
filesystems. As a result, non-interactive operation requires a
server/client certificate pair. Furthermore, we cannot prevent shell
logins for our new user account.

Give it a reasonably-complex password. You'll only need to type it twice:

passwd <username>

==== Installing rdiff-backup ====

First things first; install rdiff-backup on the client. In Gentoo, all
this requires is the following,

emerge rdiff-backup

If that works, go ahead and continue.

==== Setting up SSH Authentication ====

For now, we're done on the backup server. Log in to the client server
(the one to be backed up) as root. We need to generate an SSH key pair:

ssh-keygen

Name the file something informative when asked. '''Do not create a
password for the key file.''' For example, your private key for
<backup_server> might be named ~/.ssh/<backup_server>_rsa. Now, copy the
public key, e.g. ~/.ssh/<backup_server>_rsa.pub, to the backup server
using the user that we created earlier.

scp ~/.ssh/<public_key_file> <remote_user>@<backup_server>:~/

And add a section to the local ~/.ssh/config file which corresponds to
the backup server. This forces the local machine to authenticate to the
backup server using its key rather than a password.

<pre>
Host <backup_server_hostname>
Hostname <backup_server_hostname>
IdentityFile ~/.ssh/<private_key_file>
IdentitiesOnly yes
</pre>

Now, ssh into the backup server as your new user. Our goal is to add
this key as "trusted," allowing anyone with the corresponding key to
connect as this user. On the backup server (as our new user), execute,

cat <public_key_file> >> ~/.ssh/authorized_keys
rm <public_key_file>

and add the following to the authorized_keys file manually. Add it at
the beginning of the line for the new public key.

command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding

This will restrict the user with this public key to executing only the
rdiff-server command.
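The rsync half of the question (which command to put in the command= directive) is harder than the rdiff-backup case because rsync's server-side invocation varies with the client's flags and destination path. The usual answer is a small forced-command wrapper that inspects SSH_ORIGINAL_COMMAND, the command the client actually requested, and only executes it if it is an rsync or rdiff-backup server invocation pinned to one directory. The script below is an added example, not code from the thread or from anyone's documentation; the wrapper path /usr/local/bin/backup-cmd, the backup directory /var/backups/client1, and the sample commands in the comments are assumptions. It relies on the fact that a push such as "rsync -a /src/ user@host:/dest/" is sent to the server as "rsync --server -<flags> . /dest/", with "--sender" added only for pulls.

```shell
#!/bin/sh
# Forced-command wrapper for an SSH key that may only run rsync or rdiff-backup.
# Added example (not from the thread). Assumed authorized_keys line on the backup server:
#   command="/usr/local/bin/backup-cmd",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
# When sshd forces a command, whatever the client really asked for is placed in
# SSH_ORIGINAL_COMMAND; nothing the client sends is executed unless it passes
# allowed_command below.

# Assumed per-client directory the key is allowed to write into.
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/client1}"

# allowed_command CMD: return 0 if CMD is a permitted server-side invocation.
# rsync turns "rsync -a /src/ user@host:/dest/" into "rsync --server -<flags> . /dest/",
# so the pattern pins the trailing destination to BACKUP_ROOT (or a path below it).
# rdiff-backup always sends exactly "rdiff-backup --server".
allowed_command() {
    case "$1" in
        "rsync --server "*" . ${BACKUP_ROOT}"|"rsync --server "*" . ${BACKUP_ROOT}/"*) ;;
        "rdiff-backup --server") ;;
        *) return 1 ;;
    esac
    case "$1" in
        # Push-only: "--sender" is what rsync uses to read files back out to the client.
        *' --sender '*) return 1 ;;
        # No shell metacharacters, globs, or traversal anywhere in the accepted string.
        # The exec below splits on whitespace only, so this is what stops
        # ". /var/backups/client1/; sh" from becoming a shell.
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*|*'..'*|*'*'*|*'?'*) return 1 ;;
    esac
    return 0
}

# Only dispatch when sshd invoked us as the forced command for a connection.
if [ "${SSH_ORIGINAL_COMMAND+set}" = set ]; then
    if allowed_command "$SSH_ORIGINAL_COMMAND"; then
        # shellcheck disable=SC2086  # validated above; word splitting is intentional
        exec $SSH_ORIGINAL_COMMAND
    fi
    printf 'backup-cmd: rejected: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Install it executable on the backup server, point the command= option at it instead of at rdiff-backup directly, and test from the client with both "rsync -a /etc/ user@backup:/var/backups/client1/etc/" (should work) and "ssh user@backup id" (should be rejected on stderr). Adding from="<client address>" to the same authorized_keys line ties the key to one source host as well. rsync itself ships a more thorough wrapper of this kind, rrsync, in its support directory, and OpenSSH 7.2 and later accept a single "restrict" option that disables pty, port forwarding, agent forwarding and X11 together.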