Difference between revisions of "Sysadmining"

From Steak Wiki
Jump to navigationJump to search
(Created page with "<small> ==More Secure Rsync Backup== goal: automate rsync using ssh key. don't allow other commands besides rsync architecture: client sends to server using rsync and ssh key...")
 
Line 49: Line 49:
  
 
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux
 
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux
only command seems too much for this solution (later answers)
+
only command seems too much for this solution (later answers).
 
the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.
 
the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.
  

Revision as of 17:48, 3 December 2020

More Secure Rsync Backup

goal: automate rsync using ssh key. don't allow other commands besides rsync

architecture: client sends to server using rsync and ssh key.

on client:

ssh-copy-id  server@ip

on client: cmd will be: 

rsync -ravPz -e "ssh -v" /somedir/files* me@ipaddress:~/backupfolder/2nddir

(recursive, verbose, partial, compress)

on server:

edit home/user/.ssh/authorized_keys prepend before the key e.g. 

command="rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAA...


then from client, run the command already mentioned in shell. afterwards, it can be scripted. to verify ssh can't be used for arbitrary stuff, try ssh -v me@ipaddress, it should time out. and do nothing. the verbose tells you where it stalls: 

debug1: Remote: Forced command.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Forced command.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
PTY allocation request failed on channel 0

and it sits until timeout


references

http://web.archive.org/web/20200225215752/http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ https://web.archive.org/web/20160518004920/http://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory https://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory

note: rrsync is confusing. too much for avg man to handle in 15 minutes of sysadminning

these guides did not help: https://web.archive.org/web/20201019213926/http://ramblings.narrabilis.com/using-rsync-with-ssh

https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux only command seems too much for this solution (later answers). the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.

http://web.archive.org/web/20200222224151/http://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/ again, only is too much complexity for a 15 minute task. allowing one command via ssh authorized keys is faster.

is it 100% secure?

no. but its more secure than just leaving keys with full permissions on a server.

Retrieved from "http://steakwiki.com/index.php?title=Sysadmining&oldid=871"