Difference between revisions of "Sysadmining"
(Created page with "<small> ==More Secure Rsync Backup== goal: automate rsync using ssh key. don't allow other commands besides rsync architecture: client sends to server using rsync and ssh key...") |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 34: | Line 34: | ||
PTY allocation request failed on channel 0</pre> | PTY allocation request failed on channel 0</pre> | ||
| − | and it sits until timeout | + | and it sits until timeout. omit verbose flags after testing. |
| − | |||
| + | ====Client pull from server==== | ||
| + | Exact same as above, except | ||
| + | "rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir" | ||
| + | should be | ||
| + | "rsync --server --sender -vlogDtprCz /home/server/backupfolder/ ." | ||
| + | So add --sender, and swap the paths, so that the server path is listed. | ||
===references=== | ===references=== | ||
| Line 49: | Line 54: | ||
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux | https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux | ||
| − | only command seems too much for this solution (later answers) | + | only command seems too much for this solution (later answers). |
the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit. | the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit. | ||
| Line 56: | Line 61: | ||
===is it 100% secure?=== | ===is it 100% secure?=== | ||
| − | no. but | + | no. but it is more secure than just leaving keys with full permissions on a server. |
</small> | </small> | ||
Latest revision as of 06:44, 9 December 2020
More Secure Rsync Backup
goal: automate rsync using ssh key. don't allow other commands besides rsync
architecture: client sends to server using rsync and ssh key.
on client:
ssh-copy-id server@ip
on client: cmd will be:
rsync -ravPz -e "ssh -v" /somedir/files* me@ipaddress:~/backupfolder/2nddir
(recursive, verbose, partial, compress)
on server:
edit home/user/.ssh/authorized_keys prepend before the key e.g.
command="rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAA...
then from client, run the command already mentioned in shell. afterwards, it can be scripted. to verify ssh can't be used for arbitrary stuff, try ssh -v me@ipaddress, it should time out. and do nothing. the verbose tells you where it stalls:
debug1: Remote: Forced command. debug1: Remote: PTY allocation disabled. debug1: Remote: Agent forwarding disabled. debug1: Remote: Port forwarding disabled. debug1: Remote: Forced command. debug1: Remote: PTY allocation disabled. debug1: Remote: Agent forwarding disabled. debug1: Remote: Port forwarding disabled. debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 PTY allocation request failed on channel 0
and it sits until timeout. omit verbose flags after testing.
Client pull from server
Exact same as above, except
"rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir"
should be
"rsync --server --sender -vlogDtprCz /home/server/backupfolder/ ."
So add --sender, and swap the paths, so that the server path is listed.
references
http://web.archive.org/web/20200225215752/http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ https://web.archive.org/web/20160518004920/http://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory https://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory
note: rrsync is confusing. too much for avg man to handle in 15 minutes of sysadminning
these guides did not help: https://web.archive.org/web/20201019213926/http://ramblings.narrabilis.com/using-rsync-with-ssh
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux only command seems too much for this solution (later answers). the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.
http://web.archive.org/web/20200222224151/http://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/ again, only is too much complexity for a 15 minute task. allowing one command via ssh authorized keys is faster.
is it 100% secure?
no. but it is more secure than just leaving keys with full permissions on a server.
