Difference between revisions of "Sysadmining"

From Steak Wiki
Jump to navigationJump to search
(Created page with "<small> ==More Secure Rsync Backup== goal: automate rsync using ssh key. don't allow other commands besides rsync architecture: client sends to server using rsync and ssh key...")
 
 
(3 intermediate revisions by the same user not shown)
Line 34: Line 34:
 
PTY allocation request failed on channel 0</pre>
 
PTY allocation request failed on channel 0</pre>
  
and it sits until timeout
+
and it sits until timeout. omit verbose flags after testing.
 
 
  
 +
====Client pull from server====
 +
Exact same as above, except
 +
"rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir"
 +
should be
 +
"rsync --server --sender -vlogDtprCz /home/server/backupfolder/ ."
 +
So add --sender, and swap the paths, so that the server path is listed.
  
 
===references===
 
===references===
Line 49: Line 54:
  
 
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux
 
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux
only command seems too much for this solution (later answers)
+
only command seems too much for this solution (later answers).
 
the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.
 
the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.
  
Line 56: Line 61:
  
 
===is it 100% secure?===
 
===is it 100% secure?===
no. but its more secure than just leaving keys with full permissions on a server.
+
no. but it is more secure than just leaving keys with full permissions on a server.
 
</small>
 
</small>

Latest revision as of 06:44, 9 December 2020

More Secure Rsync Backup

goal: automate rsync using ssh key. don't allow other commands besides rsync

architecture: client sends to server using rsync and ssh key.

on client:

ssh-copy-id  server@ip

on client: cmd will be:

rsync -ravPz -e "ssh -v" /somedir/files* me@ipaddress:~/backupfolder/2nddir

(recursive, verbose, partial, compress)

on server:

edit home/user/.ssh/authorized_keys prepend before the key e.g.

command="rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAA...


then from client, run the command already mentioned in shell. afterwards, it can be scripted. to verify ssh can't be used for arbitrary stuff, try ssh -v me@ipaddress, it should time out. and do nothing. the verbose tells you where it stalls:

debug1: Remote: Forced command.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Forced command.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
PTY allocation request failed on channel 0

and it sits until timeout. omit verbose flags after testing.

Client pull from server

Exact same as above, except

"rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir"

should be

"rsync --server --sender -vlogDtprCz /home/server/backupfolder/ ."

So add --sender, and swap the paths, so that the server path is listed.

references

http://web.archive.org/web/20200225215752/http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ https://web.archive.org/web/20160518004920/http://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory https://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory

note: rrsync is confusing. too much for avg man to handle in 15 minutes of sysadminning

these guides did not help: https://web.archive.org/web/20201019213926/http://ramblings.narrabilis.com/using-rsync-with-ssh

https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux only command seems too much for this solution (later answers). the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.

http://web.archive.org/web/20200222224151/http://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/ again, only is too much complexity for a 15 minute task. allowing one command via ssh authorized keys is faster.

is it 100% secure?

no. but it is more secure than just leaving keys with full permissions on a server.