From 341e713f8a1f79f18b128805b8ed727dfa34441a Mon Sep 17 00:00:00 2001
From: lhark <lhark@lharktop>
Date: Thu, 8 Apr 2021 23:41:14 +0200
Subject: [PATCH] Some tips on doing secure backups via ssh

---
 how_to | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/how_to b/how_to
index b49579f..47c4741 100644
--- a/how_to
+++ b/how_to
@@ -856,6 +856,18 @@ ssh:
             ssh-keygen -t ed25519 -a 100
         Good ol' RSA, with 4096 bits for good measure
             ssh-keygen -t rsa -b 4096 -o -a 100
+    Restricted access for backups:
+        Create system user with no password, give it a HOME and a group (or use a backup group)
+        Prepend key in .ssh/authorized_keys with
+            command="scp -f /path/to/<file|wildcard>",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAAB[...]
+        Setup rssh
+            pacman -S rssh
+            # Access bits order: rsync, rdist, cvs, sftp, scp, svnserve
+            echo "user=<backup user>:<umask>:000010:" >> /etc/rssh.conf
+            sudo chsh -s /usr/bin/rssh <backup user>
+    Fix key auth:
+        chmod 700 ~/.ssh/
+        chmod 600 ~/.ssh/authorized_keys
 
 Run MSVC on linux with Wine:
     As seen on the internet, not tested: