Backup Central

Dear List,

I read through the archives and got confused...

My (hopefully) simple question is this:

What is the command that is being executed on my remote system "aetna"
if the output of
"rsnapshot -t hourly" is this:

/usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded \
--rsh=/usr/bin/ssh
--link-dest=/bfo_backups2/.snapshots/hourly.1/aetna/ \
root < at > aetna:/home /bfo_backups2/.snapshots/hourly.0/aetna/

My intention is to prepend my key in "authorized_keys" on aetna to make
the whole process safer.

command=" ??? " ssh-dsa .....long key here... root < at > rsnapshot-server

thanks for your help


-Ruedi



------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

See below:
master-node is the server with is holding your rsync
backup server is the server where you pull your data of


Key-based (passwordless) SSH authentication:
Step #1 Before you start make sure that the config file
'/etc/ssh/sshd_config' on the remote server where you want to store the
backups on has the line

PermitRootLogin yes
... in it. If it has not, change that line there and do not forget to
restart SSHd afterwards with this command:

/etc/init.d/sshd restart

Step #2 SSH to the master-node as user 'admin' and login with your admin
password.
Step #3 Run the command
su -
to gain superuser (root) access. Enter your admin password again.

Step #4 Run this command:
ssh-keygen -t rsa
When you do so, this tool will ask you three questions. Like where to store
the key and for the passphrase. just press the 'return' or 'enter' key three
times until you are back and the command prompt. Please follow this
instructions closely and do not enter a passphrase! Three times 'return' or
'enter' will do fine.

Step #5 Now run this command, but replace 'remote_host' with the hostname
of the server where you want to store the backups on:
scp ~/.ssh/id_rsa.pub root < at > remote_host:~/
That command will take the public RSA key which we just generated in Step #4
and will transfer it to the storage server.

Step #6 Now run this command, but replace 'remote_host' with the hostname
of the server where you want to store the backups on:
ssh root < at > remote_host
Enter the root password of the remote server and press 'enter'.

Step #7 Now run the following three commands:
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub
exit

Step #8 Now test if you can connect from the master-node to the backup
server without password - of course you again replace 'remote_host' with the
hostname of the backup server:
ssh root < at > remote_host

If it allows you to connect without password, then you are done. Just type
...
exit
... again to return to the master-node.

-----Oorspronkelijk bericht-----
Van: Rudolf Widmer-Schnidrig [mailto:widmer < at > geophys.uni-stuttgart.de]
Verzonden: maandag 16 januari 2012 11:18
Aan: rsnapshot-discuss < at > lists.sourceforge.net
Onderwerp: [rsnapshot-discuss] command for ssh public-key

Dear List,

I read through the archives and got confused...

My (hopefully) simple question is this:

What is the command that is being executed on my remote system "aetna"
if the output of
"rsnapshot -t hourly" is this:

/usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded \
--rsh=/usr/bin/ssh
--link-dest=/bfo_backups2/.snapshots/hourly.1/aetna/ \
root < at > aetna:/home /bfo_backups2/.snapshots/hourly.0/aetna/

My intention is to prepend my key in "authorized_keys" on aetna to make
the whole process safer.

command=" ??? " ssh-dsa .....long key here... root < at > rsnapshot-server

thanks for your help


-Ruedi



----------------------------------------------------------------------------
--
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss


------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

Dear Steffan,

My question must not have been very clear.

To set up the key-based ssh authentication for root was not my problem.
I did this and it worked just fine.
What I want is to restrict the key-based ssh acces to no less and no
more than just the
rsync command that rsnapshot invokes on the host which is to be backed up.

This way a compromised root login on the rsnapshot server does not
automatically compromise all the machines
for which key-based ssh acces for root is enabled.

So if my key in remote.host:~/.ssh/authorized_keys looks like this:

command="/bin/ls /home" ssh-dsa .....long key here... root < at > rsnapshot-server

the "ssh root < at > remote.host" command will give me back the listing of
/home on the remote.host but will not let me login. (Which is exactly
the behavior I want.)

So maybe if I repeat my question now its more clear what I have in mind:
What is the command that rsnapshot invokes on the machine that is to be
backed up?
Hopefuly I can take that command and add it as argument to the
particular key in the authorized_keys file and have a safer system from
there on.

thanks for your patience. -Ruedi



On 16.01.12 12:59, Steffan wrote:
See below:
master-node is the server with is holding your rsync
backup server is the server where you pull your data of


Key-based (passwordless) SSH authentication:
Step #1 Before you start make sure that the config file
'/etc/ssh/sshd_config' on the remote server where you want to store the
backups on has the line

PermitRootLogin yes
... in it. If it has not, change that line there and do not forget to
restart SSHd afterwards with this command:

/etc/init.d/sshd restart

Step #2 SSH to the master-node as user 'admin' and login with your admin
password.
Step #3 Run the command
su -
to gain superuser (root) access. Enter your admin password again.

Step #4 Run this command:
ssh-keygen -t rsa
When you do so, this tool will ask you three questions. Like where to store
the key and for the passphrase. just press the 'return' or 'enter' key three
times until you are back and the command prompt. Please follow this
instructions closely and do not enter a passphrase! Three times 'return' or
'enter' will do fine.

Step #5 Now run this command, but replace 'remote_host' with the hostname
of the server where you want to store the backups on:
scp ~/.ssh/id_rsa.pub root < at > remote_host:~/
That command will take the public RSA key which we just generated in Step #4
and will transfer it to the storage server.

Step #6 Now run this command, but replace 'remote_host' with the hostname
of the server where you want to store the backups on:
ssh root < at > remote_host
Enter the root password of the remote server and press 'enter'.

Step #7 Now run the following three commands:
cat id_rsa.pub>> .ssh/authorized_keys
rm id_rsa.pub
exit

Step #8 Now test if you can connect from the master-node to the backup
server without password - of course you again replace 'remote_host' with the
hostname of the backup server:
ssh root < at > remote_host

If it allows you to connect without password, then you are done. Just type
...
exit
... again to return to the master-node.

-----Oorspronkelijk bericht-----
Van: Rudolf Widmer-Schnidrig [mailto:widmer < at > geophys.uni-stuttgart.de]
Verzonden: maandag 16 januari 2012 11:18
Aan: rsnapshot-discuss < at > lists.sourceforge.net
Onderwerp: [rsnapshot-discuss] command for ssh public-key

Dear List,

I read through the archives and got confused...

My (hopefully) simple question is this:

What is the command that is being executed on my remote system "aetna"
if the output of
"rsnapshot -t hourly" is this:

/usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded \
--rsh=/usr/bin/ssh
--link-dest=/bfo_backups2/.snapshots/hourly.1/aetna/ \
root < at > aetna:/home /bfo_backups2/.snapshots/hourly.0/aetna/

My intention is to prepend my key in "authorized_keys" on aetna to make
the whole process safer.

command=" ??? " ssh-dsa .....long key here... root < at > rsnapshot-server

thanks for your help


-Ruedi



----------------------------------------------------------------------------
--
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss


------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss


------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

On 01/16/2012 05:52 AM, Rudolf Widmer-Schnidrig wrote:
What is the command that rsnapshot invokes on the machine that is to be
backed up?

The command is an rsync command with a varying set of options. The
exact options depend on your configuration. It will look something like
this:

rsync --server --sender -vlogDtpr --partial . [ARGS]

There is a utility included with the rsync docs called "rrsync".
It is a perl script wrapper that you can use to limit the options to a
certain sub-directory, or (more practically) to read-only backups, such
that the private key cannot be used to alter files on your main server.
Additionally, you will want to restrict the SSH key with some additional
options:

-- no-pty: Don't offer the user a psuedo terminal. This adds a layer
against shell logins.
-- no-agent-forwarding: Don't let an attacker use their own agent.
(Doesn't really add much here.)
-- no-X11-forwarding: Prevents X11 apps. Just another extra layer to
reduce attack vectors.
-- no-port-forwarding: Do not allow SSH tunnels using this key.
-- command="/root/rrsync -ro /" : This forces the script to run on
login, with the -ro "read-only" option

I give a full tutorial on how to set up a private key for use with
rrsync and restricted SSH on my website:

http://derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot/

This example will allow your SSH key to be used for read-only
backups, as root (so you can preserve all UIDs, GIDs, and permissions).
But the key will not have shell access or any other access beyond
rsync-based reads.


Thank You,
Derek

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

2012/1/17 Derek Simkowiak <derek < at > simkowiak.net>:
    This example will allow your SSH key to be used for read-only
backups, as root (so you can preserve all UIDs, GIDs, and permissions).
But the key will not have shell access or any other access beyond
rsync-based reads.

I add an additional layer of security by using not root, but a special
account and using sudo in rrsync (with NOPASSWD).

Best
Martin

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

I add an additional layer of security by using not root, but a special
account and using sudo in rrsync (with NOPASSWD).


How do you configure this? Do you put the sudo command in
rsnapshot.conf? Or in the "command=..." option in authorized_keys? Or
does your "command=..." wrapper script internally invoke sudo?

At one point I used a configuration that was very secure, but not
very user friendly. I closed off OpenSSH on the main hosts (the ones
being backed up) altogether. Instead of using cron on the backup
server, I would invoke a cron job on the main host. It would then
connect to the backup server, and set up a reverse tunnel back to itself
on port 22. At that point the backup server, and only the backup
server, could connect via ssh using this new tunnel. Then it would
invoke rsnapshot normally over the tunnel. (I think I also used sudo...
it's been a few years.)

The advantage was that the main host was not even accessible from
the outside network. Even if the backup server was compromised, the SSH
key was unusable thanks to the firewall. But it was a non-standard
configuration that took a long time to set up, test, and and document.
Doing SSH key management was also harder, and the dual-ssh tunnel
severely reduced file transfer performance. So I went with the simpler
configuration documented on my website. By simply firewalling incoming
SSH to a particular remote IP address, I have roughly the same level of
security. (And one simple firewall rule is a lot easier to document
than a configuration that differs from all the Rsnapshot documentation.)

It's like the old adage says... Security is inversely proportional
to usability. Even for admins.


--Derek

On 01/16/2012 04:25 PM, Martin Schröder wrote:
2012/1/17 Derek Simkowiak<derek < at > simkowiak.net>:
This example will allow your SSH key to be used for read-only
backups, as root (so you can preserve all UIDs, GIDs, and permissions).
But the key will not have shell access or any other access beyond
rsync-based reads.
I add an additional layer of security by using not root, but a special
account and using sudo in rrsync (with NOPASSWD).

Best
Martin

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

2012/1/17 Derek Simkowiak <derek < at > simkowiak.net>:
 I add an additional layer of security by using not root, but a special
 account and using sudo in rrsync (with NOPASSWD).

    How do you configure this?  Do you put the sudo command in
rsnapshot.conf?  Or in the "command=..." option in authorized_keys?  Or
does your "command=..." wrapper script internally invoke sudo?

In the rrsync script.
---------------------------
#!/usr/bin/env bash
case "$SSH_ORIGINAL_COMMAND" in
*"rsync --server --sender"*)
logger -t rrsync "$SSH_ORIGINAL_COMMAND"
sudo $SSH_ORIGINAL_COMMAND
;;
*)
echo "Sorry, command rejected"
exit 1
;;
esac
---------------------------

Best
Martin

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss