Allowing only rdiff-backup across a connection, how to set u
Post Allowing only rdiff-backup across a connection, how to set u 
If I want to allow *only* rdiff backup to use an ssh link between two
machines what's the best way of setting it up?

What I want to be able to do is set up a [relatively] insecure
passwordless ssh link, i.e. a private key at one end with no
passphrase, but make it fairly secure by only allowing rdiff-backup to
run across that connection.

If I simply put "ForceCommand rdiff-backup" at the ssh 'server' end
will it do what I want or do I need to put the exact rdiff-backup
remote end command there? .... or is there a better/easier way to
achieve what I want to do?

--
Chris Green



_______________________________________________
rdiff-backup-users mailing list at rdiff-backup-users < at > nongnu.org
http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki

Post Allowing only rdiff-backup across a connection, how to set u 
Hi Chris,

Sounds like you are on the right track.
ForceCommand may work, try it, some more thoughts below.

If you need more, I have an svnuser which allows multiple svnusers to
connect with keys.

Create a new user just for this one task.
You can have multiple keys with this method hence multiple clients.

Place (all on one line) something like this in
/home/svnuser/.ssh/authorized_keys:
command="svnserve -t -r /var/svnrepos/ --tunnel-user=svnuser",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss KEY1
command="svnserve -t -r /var/svnrepos/ --tunnel-user=svnuser",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss KEY2

In /etc/passwd limit the new user:
svnuser:x:1001:1001:,,,:/home/svnuser:/bin/rbash

mkdir -p /home/svnuser/usr/bin/
ln -s /usr/bin/rdiff-backup /home/svnuser/usr/bin/rdiff-backup

Check permissions:
ls -al /home/svnuser/.ssh/
total 12
drwx------ 2 svnuser svnuser 4096 2009-05-27 21:17 .
drwxr-xr-x 5 svnuser svnuser 4096 2009-06-06 00:18 ..
-rw-r----- 1 root svnuser 2916 2009-08-09 16:35 authorized_keys
-rw-rw---- 1 svnuser svnuser 0 2009-03-19 21:41 known_hosts

Now that should be a very restricted user unless I have forgotten
something :)

Cheers
Gavin

Chris G wrote:
If I want to allow *only* rdiff backup to use an ssh link between two
machines what's the best way of setting it up?

What I want to be able to do is set up a [relatively] insecure
passwordless ssh link, i.e. a private key at one end with no
passphrase, but make it fairly secure by only allowing rdiff-backup to
run across that connection.

If I simply put "ForceCommand rdiff-backup" at the ssh 'server' end
will it do what I want or do I need to put the exact rdiff-backup
remote end command there? .... or is there a better/easier way to
achieve what I want to do?
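
An added example, not part of the thread and not rdiff-backup's own code: a Python check that reads an authorized_keys file of the kind Gavin describes and reports every key that lacks a forced command or the no-* restrictions. The expected command "rdiff-backup --server" and the sample keys are assumptions made for the illustration.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(?:,|$)')
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def options_field(line):
    """Return the leading options field; spaces inside double quotes do not end it."""
    if KEY_TYPE.match(line.split()[0]):
        return ""                      # line starts with the key type: no options
    in_quotes, i = False, 0
    while i < len(line):
        if in_quotes and line.startswith('\\"', i):
            i += 2                     # escaped quote inside a quoted value
            continue
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i] in " \t" and not in_quotes:
            break
        i += 1
    return line[:i]

def audit(text, allowed_command):
    """Return (line number, problem) pairs for keys that are not locked down."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd treats option names case-insensitively (no-X11-forwarding).
        opts = {m.group(1).lower(): m.group(2) for m in OPTION.finditer(options_field(line))}
        cmd = opts.get("command")
        if cmd is None:
            findings.append((n, "no forced command"))
        elif cmd != allowed_command:   # assumed policy: exact match only
            findings.append((n, "unexpected command: " + cmd))
        # "restrict" (newer OpenSSH) switches all of these restrictions on at once.
        missing = set() if "restrict" in opts else REQUIRED - set(opts)
        if missing:
            findings.append((n, "missing " + ", ".join(sorted(missing))))
    return findings

# Constructed sample; key material and comments are placeholders.
SAMPLE = """\
command="rdiff-backup --server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAKEY1 client1
command="rdiff-backup --server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAKEY2 client2
ssh-rsa AAAAKEY3 admin-laptop
command="/bin/sh -c \\"echo a, b\\"",restrict ssh-ed25519 AAAAKEY4 client3
"""

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE, "rdiff-backup --server"):
        print(f"line {lineno}: {problem}")
```

Run against the real file, an empty result means every key is pinned to the one expected command with forwarding and pty allocation switched off.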





Post Allowing only rdiff-backup across a connection, how to set u 
On Wed, Dec 23, 2009 at 11:08:50PM +0100, Giorgio wrote:
Hi,

2009/12/23 Chris G <cl < at > isbd.net>

If I want to allow *only* rdiff backup to use an ssh link between two
machines what's the best way of setting it up?

There's a good howto here:

http://arctic.org/~dean/rdiff-backup/unattended.html

Yes, thanks, that's very useful.

--
Chris Green


