rdiff-backup-users

Re: [rdiff-backup-users] Allowing only rdiff-backup across a connection,


From: Gavin
Subject: Re: [rdiff-backup-users] Allowing only rdiff-backup across a connection, how to set up?
Date: Mon, 04 Jan 2010 18:12:50 +1000
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090707)

Small correction,

Gavin wrote:
Hi Chris,

Sounds like you are on the right track.
ForceCommand may work, try it, some more thoughts below.

If you need more, I have an svnuser which allows multiple svnusers to
connect with keys.

Create a new user just for this one task.
You can have multiple keys with this method hence multiple clients.

Place (all on one line) something like this in
/home/svnuser/.ssh/authorized_keys:

command="svnserve -t -r /var/svnrepos/ --tunnel-user=svnuser",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss KEY1

The above is on one line and the below would be on another line if you had a second client+key.

command="svnserve -t -r /var/svnrepos/ --tunnel-user=svnuser",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss KEY2

In /etc/passwd limit the new user:
svnuser:x:1001:1001:,,,:/home/svnuser:/bin/rbash

mkdir -p /home/svnuser/usr/bin/
ln -s /usr/bin/rdiff-backup /home/svnuser/usr/bin/rdiff-backup

Check permissions:
ls -al /home/svnuser/.ssh/
total 12
drwx------ 2 svnuser svnuser 4096 2009-05-27 21:17 .
drwxr-xr-x 5 svnuser svnuser 4096 2009-06-06 00:18 ..
-rw-r----- 1 root    svnuser 2916 2009-08-09 16:35 authorized_keys
-rw-rw---- 1 svnuser svnuser    0 2009-03-19 21:41 known_hosts

Now that should be a very restricted user unless I have forgotten
something :-)

Cheers
Gavin

Chris G wrote:
  
If I want to allow *only* rdiff backup to use an ssh link between two
machines what's the best way of setting it up?

What I want to be able to do is set up a [relatively] insecure
passwordless ssh link, i.e. a private key at one end with no
passphrase, but make it fairly secure by only allowing rdiff-backup to
run across that connection.

If I simply put "ForceCommand rdiff-backup" at the ssh 'server' end
will it do what I want or do I need to put the exact rdiff-backup
remote end command there?  .... or is there a better/easier way to
achieve what I want to do?

  
    


_______________________________________________
rdiff-backup-users mailing list at address@hidden
http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
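
An added example, not part of the original thread: a Python check that parses authorized_keys text and reports entries lacking a forced command or any of the four restrictions used in the message above, including an entry that has been wrapped across lines. The function names are this example's own, and it assumes OpenSSH's `restrict` option is acceptable in place of the individual `no-*` options.

```python
import re

# Restrictions used in the entries from the message (sshd matches option
# names case-insensitively, so they are compared in lower case).
REQUIRED = {"no-port-forwarding", "no-agent-forwarding",
            "no-x11-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")

def split_options(line):
    """Split the leading options field on commas outside double quotes.
    Returns (options, balanced); balanced is False if a quote never closes."""
    if KEY_TYPE.match(line):
        return [], True                      # entry starts with the key type
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2      # escaped quote inside command="..."
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and c == ",":
            opts.append(cur)
            cur, i = "", i + 1
            continue
        elif not quoted and c.isspace():
            break                            # end of the options field
        cur += c
        i += 1
    opts.append(cur)
    return opts, not quoted

def audit(text):
    """Return [(line_number, [problems])] for entries that are not locked down."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, balanced = split_options(line)
        names = {o.split("=", 1)[0].lower() for o in opts}
        # Assumption: "restrict" (newer OpenSSH) stands in for the no-* options.
        missing = set() if "restrict" in names else REQUIRED - names
        problems = sorted(missing)
        if "command" not in names:
            problems.insert(0, "no command=")
        if not balanced:
            problems.insert(0, "unterminated quote (entry wrapped across lines?)")
        if problems:
            findings.append((n, problems))
    return findings
```

Run `audit(open("/home/svnuser/.ssh/authorized_keys").read())` as a user who can read the file; an empty list means every entry carries a forced command and the restrictions.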

  
