[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [rdiff-backup-users] Security problem with rdiff over ssh?

From: Jakob Unterwurzacher
Subject: Re: [rdiff-backup-users] Security problem with rdiff over ssh?
Date: Sat, 29 May 2010 01:43:13 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100423 Thunderbird/3.0.4

On 28/05/10 01:23, Aneurin Price wrote:
> On Thu, May 27, 2010 at 23:00, feffer
> <address@hidden> wrote:
>> I'm running rdiff-backup over ssh with an unattended cron script using an 
>> ssh key-pair proceedure described here 
>> (http://arctic.org/~dean/rdiff-backup/unattended.html). My script works 
>> fine, but I'm wondering about security. It is generally considered a bad 
>> idea to allow root login to ssh, but I cannot preserve ownership and 
>> permissions if I disallow root login.
>> Is this really a problem since my machines are behind a router on my LAN? 
>> The ssh key-pairs are not password protected, but isn't the only real 
>> security threat losing the private key?

Unless you lose the private key, this is secure. But double-check that
root can login *only* using the key
 PermitRootLogin without-password
or even
 PermitRootLogin forced-commands-only
in sshd_config, more info: http://linux.die.net/man/5/sshd_config )

>> Is there a way to lock this down a bit more while still enabling unattended 
>> backups?
> Do you really need the permissions on the server to be set correctly,
> rather than simply when you restore? If not, I thought rdiff-backup
> could save and restore permissions separately from the files in
> question, allowing you to record them without needing to be root.

While it is true that rdiff-backup will save the metadata somewhere else
then, this means that you cannot restore by simply copying the files.
This means if your rdiff-backup-data folder is corrupt (happens!), you
are screwed. I'd recommend running as root on the destination server.

> Alternatively you could use metastore
> (http://david.hardeman.nu/software.php) which can save file metadata
> to a file, allowing you to restore it at a later date.
> Both of these still require root privileges on the client machine when
> backing up (unless everything is world-readable) and when restoring in
> order to reset the permissions, but not on the destination machine.
> Nye
> _______________________________________________
> rdiff-backup-users mailing list at address@hidden
> http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
> Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki

reply via email to

[Prev in Thread] Current Thread [Next in Thread]