What: Performing regular unattended backups using rsync and ssh without leaving an ssh key about that could be used to compromise the machine.
Steps:
Add an entry like the following to the backup account's ~/.ssh/authorized_keys file:

    from="10.20.30.40",command="/usr/local/sbin/ssh_command_allow_rsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AA...= backup_key

where 10.20.30.40 is the IP that the backup logins will be originating from.
Install the following as /usr/local/sbin/ssh_command_allow_rsync (the script named in the command= option above) and make it executable:

    #!/bin/sh
    # When used as the 'command' option in an authorized_keys file, this script
    # permits only rsync backups to occur.  sshd puts the command the client
    # actually asked for into SSH_ORIGINAL_COMMAND; anything other than rsync
    # in server/sender mode falls through to the denial at the bottom.
    case $SSH_ORIGINAL_COMMAND in
        rsync\ --server\ --sender\ *)
            logger -p auth.notice "rsync/ssh backup: $SSH_ORIGINAL_COMMAND"
            # Left unquoted on purpose so the string is split into rsync's
            # arguments; exec replaces this shell with rsync itself.
            exec $SSH_ORIGINAL_COMMAND
            ;;
        *)
            logger -p auth.alert "unexpected use of backup key: $SSH_ORIGINAL_COMMAND"
            ;;
    esac
    echo "Sorry, that command is not allowed." 1>&2
    exit 1
This lets the backup key run nothing but rsync in server mode as the sending side, i.e. the end that hands files to the client. As far as I know, this means that – short of finding a buffer overflow in rsync – logins with this ssh key will only be able to read files, and not be able to change anything. Though if anybody can find any flaws in this scheme, please let me know!
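To see what the wrapper's case statement actually admits and refuses, here is the same decision isolated as shell functions and run against a few constructed SSH_ORIGINAL_COMMAND strings. This is an added example, not code from the original page; the strict variant and its treatment of --remove-source-files are an addition here, not part of the scheme above.

```sh
#!/bin/sh
# Added example: the allow/deny decision of the authorized_keys wrapper,
# isolated so the policy can be exercised locally without an ssh login.

# Decision exactly as the page's case statement makes it: only a command
# beginning with "rsync --server --sender " is permitted.  Receive-mode
# rsync (no --sender, i.e. writes to this host), shells and an empty
# command (an interactive login attempt) all fall through to deny.
backup_policy() {
    case $1 in
        rsync\ --server\ --sender\ *) echo allow ;;
        *)                              echo deny ;;
    esac
}

# Stricter variant (an addition here, not on the page): the sender is still
# handed every option the client passes, and --remove-source-files tells the
# sending side to delete files once transferred, so refuse it to keep the
# key genuinely read-only.
backup_policy_strict() {
    case $1 in
        *--remove-source-files*) echo deny ;;
        *) backup_policy "$1" ;;
    esac
}

# Walk a batch of constructed client command strings and print the verdict
# of the strict policy next to each one.
demo() {
    for cmd in \
        'rsync --server --sender -logDtpre.iLsfx . /home' \
        'rsync --server -logDtpre.iLsfx . /home' \
        'rsync --server --sender --remove-source-files . /home' \
        'bash -i' \
        ''
    do
        printf '%-5s %s\n' "$(backup_policy_strict "$cmd")" "$cmd"
    done
}

demo
```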
Thanks to Cameron Patrick for this advice!
dagobah@ucc