Home / server / Questions / 258753
Accepted
Rich
Asked: 2011-04-13 05:49:39 +0800 CST

How can I use Dirvish without enabling root logins in sshd?

  • 772

I am configuring a backup server using Dirvish which will backup several Ubuntu servers over the Internet.

As part of our security policy, we don't allow ssh logins as root on our servers.

How can I use Dirvish to backup my servers, without logging in as root, and without providing the dirvish user with NOPASSWORD in sudoers?

The ideal solution should involve minimum configuration on the backed-up, target machines.

backup linux

5 Answers

  1. Best Answer

    For anyone looking here's the solution I went with.

    Key points:

    1. Dirvish doesn't support running rsync via sudo (Why, I do not know)

    2. In AUTHORIZED_KEYS you can restrict the conditions under which a key is authorized, including specifying a single permitted command, and a single source IP address.

    In sshd_config you can specify that ssh root login is only permitted when the -command flag is specified and the command matches the one in AUTHORIZED_KEYS

    PermitRootLogin forced-commands-only

    A full procedure is here: http://apt-get.dk/howto/backup/

    • 4

  2. You are on the right track with not allowing root logins via SSH. However your prerequisite about sudo is unreasonable.

    However, sudo allows very fine grained control over exactly what can and cannot be executed by a given user. You can allow the dirvish user to ONLY execute exactly one binary without a password.

    Combine this with key-based authentication for that user, and you have yourself a backup solution.

    • 2

  3. I am adding a second answer with a different solution in light of more details of the problem coming out. Apparently dirvish uses rsync on the backend, and @Rich is quite right to point out that allowing sudo access even just to that one command gives full control over the root file system.

    In light of this, I would suggest some work with user groups such that the user dirvish runs as has read access to the files needing to be backed up by virtue of being in the right user group. This way you can avoid having any root level vulnerabilities.

    • 0

  4. This is the full solution that I ended up with:

    In the /etc/ssh/sshd_config I only enabled restricted root login to the only one allowed remote address:

    PermitRootLogin no
Match Address 10.0.0.1
    PermitRootLogin forced-commands-only

    Change the IP address to your backup server's address.

    In the root's authorized keys file (/root/.ssh/authorized_keys) I allowed only the rsync command with the required parameters:

    command="rsync --server --sender -vlHogDtprxe.iLsfxCIvu --numeric-ids . /",from="10.0.0.1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding [key-data

    Again, replace 10.0.0.1 with your backup server's address and add the public key of the backup server.

    • 0

  5. Would using the sshd flag "PermitRootLogin without-password" be an option? Then you could only login with the corresponding public key. For more security you could enable a second ssh server on another port and allow keyauth only there.

    • -1