| 1 |
On 08/17/11 13:35, Grant wrote: |
| 2 |
>>> Is there a way to |
| 3 |
>>> restrict SSH keys to the rsync command? |
| 4 |
>> |
| 5 |
>> Yes, via the "authorized_keys" file. you can add a "command" directive. this |
| 6 |
>> will always force that command to be executed whenever a connection is made |
| 7 |
>> using this key. |
| 8 |
> |
| 9 |
> I'm using the command directive with rdiff-backup like |
| 10 |
> command="rdiff-backup --server" but I can't figure out the rsync |
| 11 |
> command to specify. Is anyone restricting an SSK key to rsync with |
| 12 |
> the command directive? |
| 13 |
> |
| 14 |
|
| 15 |
We're doing the same thing for our backups. Here's that chunk of our |
| 16 |
documentation, if it's helpful. |
| 17 |
|
| 18 |
|
| 19 |
=== rdiff-backup Client === |
| 20 |
|
| 21 |
==== Creating the Remote User ==== |
| 22 |
|
| 23 |
First, create a new system user on the backup server. Log in (as root), |
| 24 |
and run, |
| 25 |
|
| 26 |
useradd -d /home/<username> -m <username> |
| 27 |
|
| 28 |
The ''-d'' parameter sets the home directory, and ''-m'' creates it |
| 29 |
automatically. |
| 30 |
|
| 31 |
The rdiff-backup program uses SSH to synchronize the local and remote |
| 32 |
filesystems. As a result, non-interactive operation requires a |
| 33 |
server/client certificate pair. Furthermore, we cannot prevent shell |
| 34 |
logins for our new user account. |
| 35 |
|
| 36 |
Give it a reasonably-complex password. You'll only need to type it twice: |
| 37 |
|
| 38 |
passwd <username> |
| 39 |
|
| 40 |
==== Installing rdiff-backup ==== |
| 41 |
|
| 42 |
First things first; install rdiff-backup on the client. In Gentoo, all |
| 43 |
this requires is the following, |
| 44 |
|
| 45 |
emerge rdiff-backup |
| 46 |
|
| 47 |
If that works, go ahead and continue. |
| 48 |
|
| 49 |
==== Setting up SSH Authentication ==== |
| 50 |
|
| 51 |
For now, we're done on the backup server. Log in to the client server |
| 52 |
(the one to be backed up) as root. We need to generate an SSH key pair: |
| 53 |
|
| 54 |
ssh-keygen |
| 55 |
|
| 56 |
Name the file something informative when asked. '''Do not create a |
| 57 |
password for the key file.''' For example, your private key for |
| 58 |
<backup_server> might be named ~/.ssh/<backup_server>_rsa. Now, copy the |
| 59 |
public key, e.g. ~/.ssh/<backup_server>_rsa.pub to the backup server |
| 60 |
using the user that we created earlier. |
| 61 |
|
| 62 |
scp ~/.ssh/<public_key_file> <remote_user>@<backup_server>:~/ |
| 63 |
|
| 64 |
|
| 65 |
And add a section to the local ~/.ssh/config file which corresponds to |
| 66 |
the backup server. This forces the local machine to authenticate to the |
| 67 |
backup server using its key rather than a password. |
| 68 |
|
| 69 |
<pre> |
| 70 |
Host <backup_server_hostname> |
| 71 |
Hostname <backup_server_hostname> |
| 72 |
IdentityFile ~/.ssh/<private_key_file> |
| 73 |
IdentitiesOnly yes |
| 74 |
</pre> |
| 75 |
|
| 76 |
|
| 77 |
Now, ssh into the backup server as your new user. Our goal is to add |
| 78 |
this key as "trusted," allowing anyone with the corresponding key to |
| 79 |
connect as this user. On the backup server (as our new user), execute, |
| 80 |
|
| 81 |
cat <public_key_file> >> ~/.ssh/authorized_keys |
| 82 |
rm <public_key_file> |
| 83 |
|
| 84 |
and add the following to the authorized_keys file manually. Add it at |
| 85 |
the beginning of the line for the new public key. |
| 86 |
|
| 87 |
command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding |
| 88 |
|
| 89 |
This will restrict the user with this public key to executing only the |
| 90 |
rdiff-server command. |
Archives