Sysadmining

From Steak Wiki
Revision as of 06:44, 9 December 2020 by Adminguy (talk | contribs) (→‎More Secure Rsync Backup)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

More Secure Rsync Backup

goal: automate rsync using ssh key. don't allow other commands besides rsync

architecture: client sends to server using rsync and ssh key.

on client:

ssh-copy-id  server@ip

on client: cmd will be: 

rsync -ravPz -e "ssh -v" /somedir/files* me@ipaddress:~/backupfolder/2nddir

(recursive, verbose, partial, compress)

on server:

edit home/user/.ssh/authorized_keys prepend before the key e.g. 

command="rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAA...


then from client, run the command already mentioned in shell. afterwards, it can be scripted. to verify ssh can't be used for arbitrary stuff, try ssh -v me@ipaddress, it should time out. and do nothing. the verbose tells you where it stalls: 

debug1: Remote: Forced command.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Forced command.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
PTY allocation request failed on channel 0

and it sits until timeout. omit verbose flags after testing.

Client pull from server

Exact same as above, except 

"rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir"

should be 

"rsync --server --sender -vlogDtprCz /home/server/backupfolder/ ."

So add --sender, and swap the paths, so that the server path is listed.

references

http://web.archive.org/web/20200225215752/http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ https://web.archive.org/web/20160518004920/http://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory https://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory

note: rrsync is confusing. too much for avg man to handle in 15 minutes of sysadminning

these guides did not help: https://web.archive.org/web/20201019213926/http://ramblings.narrabilis.com/using-rsync-with-ssh

https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux only command seems too much for this solution (later answers). the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.

http://web.archive.org/web/20200222224151/http://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/ again, only is too much complexity for a 15 minute task. allowing one command via ssh authorized keys is faster.

is it 100% secure?

no. but it is more secure than just leaving keys with full permissions on a server.

Retrieved from "http://steakwiki.com/index.php?title=Sysadmining&oldid=889"