[clue-tech] sshd authorization strategies

Angelo Bertolli angelo at freeshell.org
Thu Sep 13 07:41:30 MDT 2007


Jed S. Baer wrote:
> On Wed, 12 Sep 2007 10:47:13 -0600
> Dan Harris wrote:
>
>   
>>  The sticky part of the problem is that I also have a 
>> "backup server" that connects via ssh ( as root, by RSA key
>> authentication only ) to backup files over the network. The backup
>> server is not Internet-facing.
>>     
>
> What software are you using for backups?
>
> I do nightly rsync backup from the CLUE server to my home machine.
>
> The CLUE server doesn't allow remote root logins at all, but I need the rsync process there to be able to read all files.
>
> So, I created a jbaer_rsync account. That account has sudo to kick off rsync. It's restricted to doing only that, by restricting its command via the .ssh/authorized_keys file. So, as root on my home machine, I generated an ssh key pair, then uploaded the public key to that file. My root cron job that kicks off rsync logs in as jbaer_rsync using the ssh key.
>
> Here's the first bit of authorized_keys:
>
> command="/usr/local/bin/rsync_wrapper.sh" ssh-dss AAAAB3NzaC1kc3MAAAEBAKNT
>
> The command option forces that command to run. That shell script uses sudo to kick off rsync on the CLUE server.
>   

That is an excellent way of doing things, and a great suggestion.  
Thanks for sharing that one.

Angelo
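
The forced-command setup described in the quoted message, as an added example that is not the script from the thread or from anyone on the list: a wrapper that checks SSH_ORIGINAL_COMMAND before handing it to sudo. The rsync path, the sudoers line, the extra key options and the pull-only policy are assumptions.

```sh
#!/bin/sh
# Added example of a forced-command wrapper; not the script used in the thread.
# authorized_keys (key material is a placeholder; extra options are assumptions):
#   command="/usr/local/bin/rsync_wrapper.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER
# sudoers (assumed rsync path):
#   jbaer_rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender *
LC_ALL=C; export LC_ALL          # make the A-Z/a-z ranges below byte-exact
RSYNC=/usr/bin/rsync             # assumed install path

# Succeeds only for the command an rsync client sends when it pulls files.
is_allowed_rsync() {
    # Conservative charset: rejects quotes, ; | & $ ( ) < > * ? ~ \ and newlines.
    case "$1" in
        *[!A-Za-z0-9\ ./_,=@:+-]*) return 1 ;;
    esac
    # --sender means this side only reads; without it the client could write as root.
    case "$1" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    set -f; set -- $1; set +f; shift 3   # split into words, skip the fixed prefix
    for word in "$@"; do
        case "$word" in
            --numeric-ids) ;;            # long options are allow-listed one by one
            --*) return 1 ;;             # e.g. --remove-source-files, --log-file=
        esac
    done
    return 0
}

run_forced_command() {
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift   # drop the client's "rsync"
        exec sudo -n "$RSYNC" "$@"                    # -n: never prompt for a password
    fi
    # Log the peer, not the raw string, so a hostile command cannot forge log lines.
    logger -t rsync_wrapper "rejected command from ${SSH_CONNECTION:-unknown peer}"
    echo "rsync_wrapper: command not permitted" >&2
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client requested a command; an
# interactive login attempt falls through here and the session simply ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_forced_command
fi
```

Paths containing spaces or other characters outside the allowed set are refused by this check, so the backup job has to name source paths that fit it.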



