How can I restrict incoming root rsync over ssh to specified command?
From: mjcsfo (mjcsfo_at_yahoo.com)
Date: 02/04/04
Date: 4 Feb 2004 14:50:50 -0800
I'm trying to set up a centralized backup server on RHEL 3.0, which
will use rsync over ssh to pull certain directories from the ssh
server/rsync source to the ssh client/rsync destination. Here's an
example of the command, in a script run via cron as root:
rsync --rsh="ssh -i /root/.ssh/rsync-id_rsa" \
-avR --stats --delete --max-delete=100 \
$HOST:/etc/ $CURR_DIR
$HOST would be static but $CURR_DIR would vary on each call - it
basically contains a path containing the date and time, such as:
HOST=myserver
CURR_DIR=/var/spool/backups/$HOST/2004-02-04.18
for a backup run on Feb 4, 2004 at 6pm.
I've set up a non-password protected private key as noted above to
allow non-interactive complete access to all files I want to back up.
I'm currently using "PermitRootLogin without-password" in sshd_config
and the from="myclient", no-port-forwarding, no-X11-forwarding,
no-agent-forwarding, no-pty options in authorized_keys to restrict how
this key can be used. But this method would allow anyone who managed
to obtain the private key non-password protected root access to all
servers which are being backed up with this approach - hopefully
without a terminal, but I don't know what risks there are in this
technique.
I was hoping to use the command="command" option, but from the
description in the man pages it seems like this wouldn't work, since
it seems like the command must be static, any command I send is
ignored, and I'm not sure of which command I'd run on the other end to
implement the rsync technique I want to do in any case.
I did think potentially the remote command could use environment
variables which I could set remotely via "PermitUserEnvironment yes"
in sshd_config, hopefully thereby allowing the remote command to be
static, but I don't see how this would work with rsync using ssh as an
underlying transport.
Questions:
1. Does anyone think that the technique I'm using today is simply too
insecure? Even with the server locked up in a room with no user
access and running no daemons?
2. Is there a way to implement what I'm trying to do with rsync using
some variant of the command="" option to prevent any other use of
this non-password protected key?
Thanks in advance!
Mike
P.S. Please, no spam even though I'm posting through Google and can't
hide my email address!
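
Added example (not part of the original post): a forced command set with command="" can stay static and still serve a varying rsync request, because sshd passes the command the client asked for in SSH_ORIGINAL_COMMAND, which a wrapper script can validate before running it. The script path, the two allow-lists and the exact server-side argument string (it varies with rsync version and client options) are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a pull-only backup key.
# Hypothetical install path: /usr/local/sbin/rsync-pull-only
# authorized_keys entry on each backed-up server (key material elided):
#   command="/usr/local/sbin/rsync-pull-only",from="myclient",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key>
# sshd runs this script instead of the client's request and passes that
# request in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL

ALLOWED_PATHS="/etc/"     # assumption: only /etc/ is pulled, as in the post
ALLOWED_LONG="--stats"    # assumption: the only long option the client sends

# Return 0 only for "rsync --server --sender <options> . <allowed path>".
validate_rsync_command() {
    cmd=$1
    # Character allow-list: no shell metacharacters, quotes, globs or newlines.
    case $cmd in
        *[!A-Za-z0-9./_=,\ -]*) return 1 ;;
    esac
    # A pull makes the remote side the sender; without --sender it is a write.
    case $cmd in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    state=opts path=
    for tok in ${cmd#"rsync --server --sender "}; do
        case $state:$tok in
            opts:"$ALLOWED_LONG") ;;      # permitted long option
            opts:--*) return 1 ;;         # any other long option
            opts:-*) ;;                   # short-option cluster, e.g. -vlogDtprR
            opts:.) state=path ;;         # placeholder rsync puts before the path
            path:*) [ -z "$path" ] || return 1; path=$tok ;;   # exactly one path
            *) return 1 ;;
        esac
    done
    for ok in $ALLOWED_PATHS; do
        [ "$path" = "$ok" ] && return 0
    done
    return 1
}

# Runs only when sshd invoked this script as the key's forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND    # unquoted on purpose: split into argv
    fi
    logger -t rsync-pull-only -p auth.warning "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

To see the argument string a given client really sends, log SSH_ORIGINAL_COMMAND once from a test key and adjust the allow-lists to match before enforcing.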