Some tips on doing secure backups via ssh

2021-04-08 23:41:14 +02:00 · 2021-04-08 23:41:14 +02:00 · 341e713f8a
commit 341e713f8a
parent 1e4745e76f
1 changed files with 12 additions and 0 deletions
--- a/12
+++ b/12
@ -856,6 +856,18 @@ ssh:
            ssh-keygen -t ed25519 -a 100
        Good ol' RSA, with 4096 bits for good measure
            ssh-keygen -t rsa -b 4096 -o -a 100
+    Restricted access for backups:
+        Create system user with no password, give it a HOME and a group (or use a backup group)
+        Prepend key in .ssh/authorized_keys with
+            command="scp -f /path/to/<file|wildcard>",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAAB[...]
+        Setup rssh
+            pacman -S rssh
+            # Access bits order: rsync, rdist, cvs, sftp, scp, svnserve
+            echo "user=<backup user>:<umask>:000010:" >> /etc/rssh.conf
+            sudo chsh -s /usr/bin/rssh <backup user>
+    Fix key auth:
+        chmod 700 ~/.ssh/
+        chmod 600 ~/.ssh/authorized_keys

 Run MSVC on linux with Wine:
    As seen on the internet, not tested: