rdiff-backup-users

Re: [rdiff-backup-users] Security problem with rdiff over ssh?


From: Matthew Miller
Subject: Re: [rdiff-backup-users] Security problem with rdiff over ssh?
Date: Thu, 27 May 2010 19:24:44 -0400
User-agent: Mutt/1.5.17 (2007-11-01)

On Thu, May 27, 2010 at 06:00:54PM -0400, feffer wrote:
> I'm running rdiff-backup over ssh with an unattended cron script using an
> ssh key-pair procedure described here
> (http://arctic.org/~dean/rdiff-backup/unattended.html). My script works
> fine, but I'm wondering about security. It is generally considered a bad
> idea to allow root login to ssh, but I cannot preserve ownership and
> permissions if I disallow root login.

You don't need root on the remote side, just on the local side. The files
will be stored on the remote filesystem with whatever user you connect as
("rbackup", say), but rdiff-backup stores the file ownership and other
metadata separately. (One of the nice features of the program.)

> Is this really a problem since my machines are behind a router on my LAN?
> The ssh key-pairs are not password protected, but isn't the only real
> security threat losing the private key?

That's the main threat, yeah. Another one is that by having it exposed at
all, you're vulnerable to potential unknown security holes in SSH.

You can protect against the latter by using restrictive packet-filtering
rules -- only allow ssh port connections from the machines you expect.

And you can tighten the former by restricting where the private key can be
used from and what command it can run, using from='host' and
command='rdiff-backup' on the remote system. That way, if someone does steal
the key, all that can be done is rdiff-backup.

(This is a good idea whether or not you run as root remotely.)


-- 
Matthew Miller           address@hidden          <http://mattdm.org/>
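
The key restrictions described in the message above can be checked mechanically. The following Python audit is an added example, not part of the original message or of rdiff-backup: it parses the options field of each `authorized_keys` line and reports keys that lack a `from=` or `command=` restriction. The sample file, the address 192.0.2.10, the placeholder key material and the use of `rdiff-backup --server` as the forced command are assumptions made for the illustration.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)\S+$")  # a leading key type means no options

def parse_options(line):
    """Return the options of one authorized_keys line as a dict."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}
    opts, buf, in_quotes, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes and line[i + 1:i + 2] == '"':
            buf += '"'          # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not in_quotes:
            break               # unquoted whitespace ends the options field
        else:
            buf += ch
        i += 1
    opts.append(buf)
    return {name.lower(): value
            for name, _, value in (o.partition("=") for o in opts)}

def audit(text):
    """List (line_number, missing_restrictions) for keys lacking from= or command=."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        missing = [k for k in ("from", "command") if not opts.get(k)]
        if missing:
            findings.append((number, missing))
    return findings

# Constructed sample file; key material and the address are placeholders.
SAMPLE = """\
# backup keys
ssh-rsa AAAAPLACEHOLDER root@client
from="192.0.2.10",command="rdiff-backup --server",no-pty ssh-rsa AAAAPLACEHOLDER rbackup@client
command="rdiff-backup --server" ssh-rsa AAAAPLACEHOLDER rbackup@client
"""
```

Calling `audit()` on the contents of the backup account's `~/.ssh/authorized_keys` returns one entry per key that a stolen private key could use from any host or for any command.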


