Re: [rdiff-backup-users] Post-setup questions

[David Precious]

On Friday 19 August 2011 07:45:31 Nicolas Jungers wrote:
> > You can disallow root logins using password authentication, and set
> > PermitRootLogin without-password in /etc/ssh/sshd_config. That would
> > be secure against any dictionary attack launched against the root
> > account. 
[...]
> There is a third solution, designed specifically for that kind of
> problem.  You can put a command= option in front of your key in the 
> authorized_keys file to restrict the usage of the key to a specific [set 
> of] command. See AUTHORIZED_KEYS FILE FORMAT in "man sshd".


This is the approach I used - I set PermitRootLogin forced-commands-only in 
/etc/ssh/sshd_config, and set up the public key used by the backup server to 
pull backups in /root/.ssh/authorized_keys on the machines to be backed up to 
force rdiff-backup to run (with read-only access), and only to be accepted 
from the IP of the backup server.

It still means that, if the backup server was compromised, the keys on it 
could be used to get read-only access of files on the systems that are backed 
up by it - but, if the backup server is compromised, the data from those 
systems which is on the backup server is already accessible to the attacker 
and should be considered compromised anyway.

On the other hand, if one of the systems that are being backed up is 
compromised (rather more likely, being laptops / workstations), they cannot 
access the backup server.

I documented my setup on my blog, hopefully it may be of use:

http://www.preshweb.co.uk/2011/04/incremental-backups-with-rdiff-backup/

I think this is a reasonable approach, as long as good effort is taken to 
ensure the backup server remains secure.


-- 
David Precious  ("bigpresh")
http://www.preshweb.co.uk/

   "Programming is like sex. One mistake and you have to support
   it for the rest of your life". (Michael Sinz)