On Thu, Feb 05, 2009 at 10:36:11AM +0000, Brett Parker wrote:
> On 04 Feb 12:33, Chris G wrote:
> > On Wed, Feb 04, 2009 at 11:38:40AM +0000, Stuart Bailey wrote:
> > > If you have shell access on your remote system, you could create a DSA or RSA key pair. Set the ssh config to access key based authentication, then you don't need to enter a password. Just keep your private key safe.
> > That doesn't help. To allow unattended backup to work, the ssh keys have to have no key, so an intruder on the client machine will have passwordless access to the remote machine.
> > > Otherwise, there are some commercial offerings:
> > > KeVault by KeConnect. This uses a Java app to backup your data (encrypted) onto their servers, which are diversely located. It runs automatically using their provided scheduler.
> > > www.keconnect.co.uk/kevault
> > I still don't think it addresses the problem, unless it's an incremental backup. If someone breaks into 'my' machine (the machine being backed up) then they can send rubbish data to overwrite the good backups, can't they? This is the specific possibility I'm trying to protect myself against a bit.
> I'm *sure* that we went through this several months ago... care to go back through the archive and find the bit that says...
> "Use a passphrase-less key, and only grant it permissions to run the backups"
I'm slowly getting to where I want and these discussions *do* help me. OK, to some extent it's me "thinking aloud" but surely that's partly what this mailing list is for.
The system I have now is as follows:-
The garage (i.e. off-site) backup server has a dedicated account called 'bak' which I have set up to allow passwordless ssh login from the backup clients on the LAN. All other ways to access the garage machine need a password (or ssh key).
I have added the following to the bottom of my sshd config file on the garage backup server:-
    Match User=bak
        ForceCommand rdiff-backup --server
This means that only the program rdiff-backup can be run via the passwordless ssh login.
It's not quite as good as a 'pull' backup as an intruder *could* do devious things with the rdiff-backup client and delete or overwrite the backups, but it's fairly unlikely. To make things even better I'm going to add a --restrict-update-only parameter to the ForceCommand. I haven't done it yet because I'm not absolutely sure how it works. I'm having a discussion about it on the rdiff-backup mailing list at this very moment.
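
The setup described in the message above, written out as an added example that is not part of the original post: the Match block as posted, next to a tightened form using the `--restrict-update-only` option the message mentions. It assumes rdiff-backup 1.x command-line syntax and a reasonably recent OpenSSH; `/srv/backups` is a placeholder path.

```conf
# /etc/ssh/sshd_config on the backup server (added example, not from the thread).
# /srv/backups is a placeholder for the directory that holds the repositories.

# As posted: the passwordless key can only start the rdiff-backup server, but
# that server carries out whatever the client asks, including deleting or
# overwriting the existing backups.
#Match User bak
#    ForceCommand rdiff-backup --server

# Tightened: --restrict-update-only confines the server to the given path and
# rejects writes that are not part of an incremental backup, so earlier
# increments stay restorable even if a client sends bad data.
#
# ForceCommand governs only the command that is run. Forwarding, tunnelling
# and terminal allocation are separate switches, so they are turned off too.
# PermitTTY needs OpenSSH 6.2 or later; drop that line on older servers.
Match User bak
    ForceCommand rdiff-backup --server --restrict-update-only /srv/backups
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Run `sshd -t` to check the file for syntax errors before reloading sshd. Because ForceCommand in a Match block applies to every key of the `bak` account, all clients share the one restricted path.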