[clue-tech] sshd authorization strategies

Jed S. Baer cluemail-jsb at freedomsight.net
Wed Sep 12 18:51:25 MDT 2007


On Wed, 12 Sep 2007 10:47:13 -0600
Dan Harris wrote:

> The sticky part of the problem is that I also have a
> "backup server" that connects via ssh (as root, by RSA key
> authentication only) to back up files over the network. The backup
> server is not Internet-facing.

What software are you using for backups?

I do nightly rsync backup from the CLUE server to my home machine.

The CLUE server doesn't allow remote root logins at all, but I need the rsync process there to be able to read all files.

So, I created a jbaer_rsync account. That account has sudo to kick off rsync. It's restricted to doing only that, by restricting its command via the .ssh/authorized_keys file. So, as root on my home machine, I generated an ssh key pair, then uploaded the public key to that file. My root cron job that kicks off rsync logs in as jbaer_rsync using the ssh key.

Here's the first bit of authorized_keys:

command="/usr/local/bin/rsync_wrapper.sh" ssh-dss AAAAB3NzaC1kc3MAAAEBAKNT

The command option forces that command to run. That shell script uses sudo to kick off rsync on the CLUE server.

So, in your situation, you maybe could create a backup user that you put in the group that you allow with allow_groups. You have no remote root logins allowed. You might have to dig a bit to come up with the command that your backup program invokes on the server.

YMMV; I have no idea if this'll work with backup software other than rsync.

jed
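
The post does not show rsync_wrapper.sh itself. The script below is an added example, not the author's code, of what such a forced-command wrapper can look like: it checks SSH_ORIGINAL_COMMAND and hands only a read-only rsync server invocation to sudo. The rsync path, the sudoers entry, the ALLOWED_LONG list and the function names are assumptions.

```shell
#!/bin/sh
# Added example: possible contents for a forced-command wrapper such as
# /usr/local/bin/rsync_wrapper.sh (the post does not show the real script).
# Assumed sudoers entry for the backup account:
#   jbaer_rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *
RSYNC=/usr/bin/rsync            # assumed location of rsync
ALLOWED_LONG="--numeric-ids"    # assumed list of extra long options to permit

# Succeeds only for a read-only rsync server invocation ("--sender": the
# server sends files, it never receives). The string is never given to eval
# or "sh -c"; it is split into words, so paths with spaces are not supported.
is_allowed_rsync() {
    set -f                      # no glob expansion while splitting
    set -- $1
    set +f
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    for arg in "$@"; do
        case $arg in
            --*) case " $ALLOWED_LONG " in
                     *" $arg "*) ;;
                     *) return 1 ;;   # e.g. --remove-source-files, --log-file=...
                 esac ;;
        esac
    done
    return 0
}

main() {
    if ! is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        logger -t rsync_wrapper "rejected: $SSH_ORIGINAL_COMMAND"
        echo "rsync_wrapper: command not permitted" >&2
        exit 1
    fi
    set -f
    set -- $SSH_ORIGINAL_COMMAND
    shift                       # drop the client-supplied "rsync" word
    exec sudo "$RSYNC" "$@"
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asked for a command. With
# no command (an interactive login attempt) the script just ends, so no
# shell is ever started for this key.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main
fi
```

A forced command does not by itself disable forwarding, so the authorized_keys entry can also carry no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ahead of command=. The rrsync script shipped with rsync does a fuller version of this option filtering.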


