After today’s Debian/Ubuntu OpenSSH fiasco I decided to tighten security in my backup system. I added a single-purpose SSH key which only allows access to rsync on the backup source hosts.
The main logic in the program is the same as my earlier attempt, although I added a check that the machine I am about to rsync from is the right one (this would fail due to ssh keys anyway). The ping check I previously did before starting a backup was insufficient if my laptop was on my home LAN, where NAT gave it the same IP address as my home gateway machine.
The other new part is the ssh authentication improvement. In order to use that, you need to create a single purpose ssh key on the backup server:
‘ssh-keygen -t dsa’ and save to $HOME/.ssh/rsyncThen edit the public part of the key (~/.ssh/rsync.pub) to limit the commands that can be run with this key. You would add this to the front of the key, with no spaces (the whole key should be on one line too):
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command=”/home/user/local/bin/secure-rsync.sh
This comes before the ssh-dss with a space before ssh-dss.
You will need to install this key in ~/.ssh/authorized_keys on the backup source machines, and also on those machines install the ‘secure-rsync’ wrapper. The secure rsync wrapper is from Barry O’Donovan, who has a thorough page explaining a very similar (but better!) backup system. The path in the public ssh key should correspond to this file. All this wrapper does is check that the command is a safe rsync command and start rsync:
#!/bin/sh case "$SSH_ORIGINAL_COMMAND" in *\&* | *\;* | *\|*) echo "Access denied" ;; rsync\ --server*) $SSH_ORIGINAL_COMMAND ;; hostname) $SSH_ORIGINAL_COMMAND ;; *) echo "Access denied" ;; esac
Then you can use the ‘mybackup’ script to run the backups, with a simple config file that is explained in the script comments.
One reply on “Rsync backups with secure ssh key”
I’m fairly certain this wrapper does nothing to help you with security since you can easily tell rsync to overwrite files because your wrapper isn’t checking if the –sender option is also being used.