Securer backups with ssh and rsync

What: Performing regular unattended backups using rsync and ssh without leaving an ssh key about that could be used to compromise the machine.

Steps:

  1. Create an ssh key pair solely to be used for backups (using ssh-keygen).
  2. Copy the public key into the ~root/.ssh/authorized_keys file with some extra additions (all on one line, and with no spaces until ssh-rsa):
    from="10.20.30.40",command="/usr/local/sbin/ssh_command_allow_rsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AA...= backup_key
    where 10.20.30.40 is the IP that the backup logins will be originating from.
  3. Create the script /usr/local/sbin/ssh_command_allow_rsync something like:
    #!/bin/sh

    # When used as the 'command' option in an authorized_keys file, this script
    # permits only rsync backups to occur.  sshd puts the command the client
    # actually asked for into SSH_ORIGINAL_COMMAND; anything other than rsync
    # in server/sender mode is logged and refused.

    case "$SSH_ORIGINAL_COMMAND" in
        rsync\ --server\ --sender\ *)
            logger -p auth.notice "rsync/ssh backup: $SSH_ORIGINAL_COMMAND"
            # Disable pathname expansion so a '*' in an argument is passed to
            # rsync literally, then word-split the command into arguments.
            # No shell interprets it, so ';', '|' etc. are just arguments.
            set -f
            exec $SSH_ORIGINAL_COMMAND
            ;;
        *)
            logger -p auth.alert "unexpected use of backup key: $SSH_ORIGINAL_COMMAND"
            ;;
    esac

    echo "Sorry, that command is not allowed." 1>&2
    exit 1

This lets the backup key run only rsync in server/sender mode, i.e. the mode in which rsync sends files to the client. As far as I know, this means that – short of finding a buffer overflow in rsync – logins with this ssh key will only be able to read files, and not be able to change anything. Though if anybody can find any flaws in this scheme, please let me know!
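As an added example (not part of the original post), here is the same allowlist rule written as a testable shell function, next to a small audit that flags authorized_keys entries lacking the restrictions from step 2. The function names and the sample authorized_keys content are my own constructions.

```shell
#!/bin/sh
# Added example: testable version of the forced-command allowlist, plus an
# audit of authorized_keys restrictions.  Not the original page's script.

# Return 0 if a command requested over the backup key is one we permit
# (rsync in server+sender mode, which only reads files), 1 otherwise.
backup_cmd_allowed() {
    case "$1" in
        "rsync --server --sender "*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Constructed sample authorized_keys: one fully restricted backup key,
# a comment line, and one unrestricted key that should be flagged.
sample_authorized_keys() {
    cat <<'EOF'
from="10.20.30.40",command="/usr/local/sbin/ssh_command_allow_rsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAexample= backup_key
# laptop key, added without any restrictions
ssh-rsa AAAAexample= laptop_key
EOF
}

# Print "<key comment>: missing <options>" for every entry in the given
# authorized_keys file that lacks one of the restrictions used above.
# Returns 1 if any entry was flagged, 0 if all entries are restricted.
# (Substring matching is deliberately simple; it is an audit aid, not a parser.)
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        missing=""
        for opt in 'from="' 'command="' no-port-forwarding \
                   no-X11-forwarding no-agent-forwarding no-pty; do
            case "$line" in *"$opt"*) ;; *) missing="$missing $opt" ;; esac
        done
        if [ -n "$missing" ]; then
            echo "${line##* }: missing$missing"   # last field is the key comment
            bad=1
        fi
    done < "$1"
    return $bad
}
```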

Thanks to Cameron Patrick for this advice!

dagobah@ucc