Re: [rdiff-backup-users] Clarification of --restrict-update-only


From: John covici
Subject: Re: [rdiff-backup-users] Clarification of --restrict-update-only
Date: Wed, 4 Feb 2009 15:33:05 -0500

But you could do the same thing on your client so no one could ever
log in to root unless they had a public key on your client.

on Wednesday 02/04/2009 Chris G(address@hidden) wrote
 > On Wed, Feb 04, 2009 at 01:52:32PM -0500, John covici wrote:
 > > on Wednesday 02/04/2009 Chris G(address@hidden) wrote
 > >  > I'm using rdiff-backup to backup files across a LAN.  The destination
 > >  > machine has a dedicated backup account which has passwordless ssh
 > >  > login set up for client machines that want to do backups.
 > >  > 
 > >  > To make things a bit more secure I have added the following to my
 > >  > sshd_config on the destination/backup machine:-
 > >  > 
 > >  >     Match User=bak
 > >  >     ForceCommand rdiff-backup --server
 > >  > 
 > >  > So far so good.  I can backup as required but it's not possible to
 > >  > login to the bak account using ssh.  I'd like to lock it down a bit
 > >  > further by using the --restrict-update-only option so that if an
 > >  > intruder did gain access to a client machine they wouldn't be able to
 > >  > remove anything useful from the backups by deleting or overwriting.
 > >  > 
 > >  > However I'm not quite clear how --restrict-update-only works, can I
 > >  > just do something like:-
 > >  > 
 > >  >     Match User=bak
 > >  >     ForceCommand rdiff-backup --server --restrict-update-only /
 > >  > 
 > >  > and thus prevent anything other than updates for *all* backups?
 > >  > 
 > >
 > > Why don't you just have in your sshd config 
 > > PermitRootLogin without-password
 > > 
 > > and have a public key of your client in the
 > > /root/.ssh/authorized_hosts on the server.  I don't think the
 > > restrict-update is very secure anyway, but this works well.
 > > 
 > That would permit exactly what I'm trying to avoid wouldn't it?
 > 
 > If (heaven forbid) an intruder got root access to my machine (which is
 > the backup client) then they would have free access to the backup
 > machine as well.  Thus a malicious intruder would be able to delete
 > everything on my machine *and* on the backup machine as well.
 > 
 > What I'm trying to do is have a backup which isn't trivially
 > accessible from the client.
 > 
 > -- 
 > Chris Green
 > 
 > 
 > _______________________________________________
 > rdiff-backup-users mailing list at address@hidden
 > http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
 > Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici
         address@hidden
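
The sshd_config lock-down asked about in the quoted question, written out as an added example that is not part of the thread or of rdiff-backup's own documentation. The repository root `/srv/backups` is a hypothetical path; the rdiff-backup man page describes `--restrict-update-only path` as confining file access to `path` and accepting writes only as part of an incremental backup, and says the `--restrict*` switches are extra protection, not a sole line of defense.

```conf
# /etc/ssh/sshd_config on the backup (destination) machine.
# Constructed example: /srv/backups is a hypothetical repository root.

# Weaker form: server mode is forced, but rdiff-backup may still act on
# any path the bak account can write, including existing backups.
#Match User bak
#    ForceCommand rdiff-backup --server

# Tighter form: file access is confined to /srv/backups and writes are
# accepted only as part of an incremental backup.
Match User bak
    ForceCommand rdiff-backup --server --restrict-update-only /srv/backups
    # The account only ever runs the forced command, so it needs no
    # terminal and no forwarding.
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
```

Run `sshd -t` to check the file before reloading sshd. With this in place, every client must back up to a destination under `/srv/backups`.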