[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [rdiff-backup-users] Security problem with rdiff over ssh?
|
From: |
Jakob Unterwurzacher |
|
Subject: |
Re: [rdiff-backup-users] Security problem with rdiff over ssh? |
|
Date: |
Sat, 29 May 2010 01:43:13 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4 |
On 28/05/10 01:23, Aneurin Price wrote:
> On Thu, May 27, 2010 at 23:00, feffer
> <address@hidden> wrote:
>>
>> I'm running rdiff-backup over ssh with an unattended cron script using an
>> ssh key-pair proceedure described here
>> (http://arctic.org/~dean/rdiff-backup/unattended.html). My script works
>> fine, but I'm wondering about security. It is generally considered a bad
>> idea to allow root login to ssh, but I cannot preserve ownership and
>> permissions if I disallow root login.
>>
>> Is this really a problem since my machines are behind a router on my LAN?
>> The ssh key-pairs are not password protected, but isn't the only real
>> security threat losing the private key?
Unless you lose the private key, this is secure. But double-check that
root can login *only* using the key
(set
PermitRootLogin without-password
or even
PermitRootLogin forced-commands-only
in sshd_config, more info: http://linux.die.net/man/5/sshd_config )
>>
>> Is there a way to lock this down a bit more while still enabling unattended
>> backups?
>>
>
> Do you really need the permissions on the server to be set correctly,
> rather than simply when you restore? If not, I thought rdiff-backup
> could save and restore permissions separately from the files in
> question, allowing you to record them without needing to be root.
While it is true that rdiff-backup will save the metadata somewhere else
then, this means that you cannot restore by simply copying the files.
This means if your rdiff-backup-data folder is corrupt (happens!), you
are screwed. I'd recommend running as root on the destination server.
> Alternatively you could use metastore
> (http://david.hardeman.nu/software.php) which can save file metadata
> to a file, allowing you to restore it at a later date.
>
> Both of these still require root privileges on the client machine when
> backing up (unless everything is world-readable) and when restoring in
> order to reset the permissions, but not on the destination machine.
>
> Nye
>
> _______________________________________________
> rdiff-backup-users mailing list at address@hidden
> http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
> Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
- [rdiff-backup-users] Security problem with rdiff over ssh?, feffer, 2010/05/27
- Re: [rdiff-backup-users] Security problem with rdiff over ssh?, Marian 'VooDooMan' Meravy, 2010/05/27
- Re: [rdiff-backup-users] Security problem with rdiff over ssh?, Aneurin Price, 2010/05/27
- Re: [rdiff-backup-users] Security problem with rdiff over ssh?,
Jakob Unterwurzacher <=
- Re: [rdiff-backup-users] Security problem with rdiff over ssh?, Matthew Miller, 2010/05/27
- Re: [rdiff-backup-users] Security problem with rdiff over ssh?, covici, 2010/05/27
- [rdiff-backup-users] Security problem with rdiff over ssh?, feffer, 2010/05/29