I want to copy files from a BeagleBone Black (running Ubuntu) to my home dmz system. This has got to work unattended as the BBB is sat on our boat moored on the Somme. It's also got to be a 'push' from the BBB as it's connected via WiFi and while I can connect to it through an ssh tunnel copying files via that connection would be decidedly tricky.
So, as I see it, I have two obvious options:-
1 - Set up a public key login for the BBB on my dmz that requires no passphrase, so it's effectively passwordless. Then the BBB can run rsync to copy the files. The security hole in this approach is that if someone accessed the BBB then they could login to the dmz without further difficulty.
2 - Run an rsync daemon on the dmz and copy the files by connecting to this from the BBB. The advantage is that someone at the BBB end can't do anything but copy files (and I can limit what can be copied with the rsyncd configuration), the disadvantage is that the connection isn't encrypted at all.
There's nothing valuable in the files, they're just temperature and electrical measurements from the boat so I don't care at all about the files being visible to the world. My security concern is to minimise the risk of someone getting into my dmz system. OK, it's a dmz and it's just a Raspberry Pi so is hardly full of valuable data but it would be a nuisance and *might* be a jumping off place for further nefarious deeds.
I guess I'm being a bit paranoid really, the BBB on the boat is headless and anyone breaking into the boat is hardly likely to be an accomplished Linux hacker. Option 1 above is certainly the easiest as rsync daemon takes a bit of setting up. Are there any really obvious flaws - is it only really vulnerable to someone who accesses the BBB?
There is an option 3 but it's more difficult to set up, I could implement a passphraseless rsync connection from the BBB to the dmz that only allows rsync file copying to a specific directory. I've done this on one other system and it works pretty well (you do it by adding a command= at the front of the authorized_keys file) but like the rsync daemon it takes a bit of setting up and I'm wondering if it's worth the effort.
Any comments anyone? Are there more obvious and/or easier ways of copying files without making systems vulnerable to other attacks?