Quentin Hartman wrote:

> I know Keith doesn't like them, but I prefer to have my backups run via push, rather than pull. I prefer this because I can have the backup job run as a privileged user (necessary to read all the files) locally but then connect to the backup server as a normal user. This means I don't have the potential exposure of allowing remote root-level logins on my servers, or having passwordless keys for root running around. I think this is a good thing. It makes key management a bit more secure and sane (imho).
Here's another way to harden pulls: use PermitRootLogin forced-commands-only in your sshd_config. This means that for root, only pubkey logins are allowed, but furthermore, only pubkey logins that have command="" forced in authorized_keys. So, you create a passwordless key, yes, but force the only command that is run when that key is used to be `rsync --server`.

This page [1] goes even further and has a middle-man script to check to make sure the person isn't trying to pass shell commands (at least, I think that's what his validate-rsync is doing from a cursory glance).

It's also good to restrict the connecting host using from="" in authorized_keys (they hide those options in the man page for sshd).

One way I've done user-initiated pushes before when I had to (a laptop that wasn't online all the time): have a passworded root key on the local machine. Using an ssh agent, make an ssh connection to the dirvish server with agent forwarding enabled, and inside that connection initiate the pull. It'll see the forwarded agent in the environment, and use that keystore to do the pull. At this point, depending on your agent, you'll be prompted for the password to your key. More of a client-initiated-pull than a push, but it works for some scenarios and avoids the passphraseless key.

-Eric

[1] http://troy.jdmz.net/rsync/index.html
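As an added example (not part of Eric's post, and not the validate-rsync script at [1]), here is a forced-command wrapper in the spirit of the one he describes, with the PermitRootLogin setting and the command=/from= authorized_keys options from the post shown in comments. The script name, the from= address, the key and the exact allow rules are my assumptions; what the linked script actually checks is not shown on this page.

```sh
#!/bin/sh
# validate-rsync (hypothetical name): forced-command wrapper for the root key
# that a dirvish/rsync backup server uses to pull from this host.
#
# sshd_config on the host being backed up (setting named in the post):
#   PermitRootLogin forced-commands-only
#
# /root/.ssh/authorized_keys entry (address, path and key are constructed placeholders):
#   from="192.0.2.10",command="/usr/local/bin/validate-rsync",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...placeholder... backup@dirvish
#
# With command= set, sshd ignores what the client asked to run, runs this script
# instead, and exposes the client's request in SSH_ORIGINAL_COMMAND.

# Returns 0 if the requested command is the read-only rsync server invocation a
# pull from the backup host produces, 1 for anything else (shell, push, scp...).
validate_rsync_command() {
    cmd=$1
    case "$cmd" in
        # Refuse shell metacharacters outright: no chaining, substitution or redirection.
        *\;*|*\&*|*\|*|*\`*|*\$*|*\>*|*\<*|*\(*|*\)*|*\{*|*\}*)
            return 1 ;;
        # A pull makes the remote side run "rsync --server --sender <opts> . <path>".
        # "--sender" means this host only sends data; a push into us would lack it.
        "rsync --server --sender "*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Entry point when sshd runs this script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # The string passed validation and contains no metacharacters, so plain
        # word splitting is enough to rebuild argv (paths with spaces are not supported).
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    else
        logger -t validate-rsync "rejected forced command: $SSH_ORIGINAL_COMMAND"
        echo "validate-rsync: command not permitted" >&2
        exit 1
    fi
fi
```

Run from the backup server as usual (`rsync -a root@host:/etc /backup/host/etc`); the remote side sees only the `rsync --server --sender ...` request and refuses anything else, and the rejection is logged via syslog so a misbehaving or compromised backup host shows up in the logs of the machine it is trying to reach.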
_______________________________________________ Dirvish mailing list [email protected] http://www.dirvish.org/mailman/listinfo/dirvish
