On 14/03/2015 22:08, Angus Kerr wrote:
Hi
I really struggled to get this working. I thought it might be a
good idea to update the section.
I've edited the ssh section to tailor it specifically to cater for
an unprivileged user 'backuppc'
As root use visudo to create a sudoers file for backuppc, but with
permissions only to run rsync.
visudo -f /etc/sudoers.d/backuppc
Copy the following text in the file and save it
#Sudoers file for backuppc user to run rsync
backuppc ALL=NOPASSWD: /usr/bin/rsync
Note that this will give the user root access easily enough. The
user could create the file they want in /tmp, and then use sudo
rsync to overwrite the target file (or copy a file they don't have
read access to into a location they do have access to, including another
machine). Therefore, this entire process is hardly worth the effort
and additional complexity IMHO.
touch /home/backuppc/.ssh/authorized_keys2
cat BackupPC_id_rsa.pub >> /home/backuppc/authorized_keys2
Why touch the file when the next command will create it anyway (if
it didn't exist)? BTW, on every system I've seen, the file should be
called authorized_keys without the 2 on the end.
You need to place each client's public key into backuppc's
~/.ssh/known_hosts file, otherwise you will get a
"Host key verification failed." error, and backuppc will not
be able to log into the client. To place the client key into
the ~/.ssh/known_hosts file, you need to do this (make sure
~/.ssh/client_id_rsa.pub is the client's public key, which needs
to be copied from the client):
- As user backuppc
touch ~/.ssh/known_hosts
cat ~/.ssh/Fred-pc_rsa.pub >> ~/.ssh/known_hosts
- Repeat this step to add each client's key i.e. Mary-pc_rsa.pub
and whatever the other keys are named.
You might be prompted the first time to accept the client's host
key and you might be prompted for backuppc's password on the
client. Make sure that this command runs cleanly with no prompts
after the first time. You might need to check /etc/hosts.equiv on
the client. Look at the man pages for more information. The -v
option to ssh is a good way to get detailed information about what
fails.
If you added the key to the known_hosts file, then you wouldn't get
prompted to accept the host's key. If you are going to manually
test/accept the key, then you may as well not waste time messing
around with it in the first place.
The above configuration means that the only command that
backuppc can run is rsync.
Until they use rsync to replace the /etc/sudoers file with whatever
they want....
BTW, thank you for the write up, I'm sure it will be useful and
helpful for many people, just pointing out that additional obscurity
doesn't necessarily mean it is more secure.
Regards,
Adam
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
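
Added example (not part of the original message and not BackupPC code): a small audit of sudoers text that flags the kind of rule discussed in the thread, where a file-copying tool is granted with no argument list and sudo therefore accepts any arguments. The tool list other than rsync, the sample rules and the simplified parsing (no aliases, no escaped commas) are assumptions made for illustration.

```python
import re

# Assumption: tools that can write or copy arbitrary files when run as root.
# Only rsync comes from the thread; the others are added for illustration.
FILE_WRITERS = {"rsync", "cp", "mv", "tee", "dd", "tar"}
ALIASES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "Defaults")

# Constructed sample: the rule quoted in the thread plus two contrasting rules.
SAMPLE_SUDOERS = '''\
#Sudoers file for backuppc user to run rsync
backuppc ALL=NOPASSWD: /usr/bin/rsync
backuppc ALL=NOPASSWD: /usr/bin/rsync --version
monitor ALL=(root) NOPASSWD: /usr/bin/uptime ""
'''

RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<spec>.+)$")
SPEC = re.compile(r"^(?:\([^)]*\)\s*)?(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.*)$")


def audit(text):
    """Return (user, command, reason) for each file-writing tool granted
    without an argument list. Simplified parser: no aliases, no escaped commas."""
    findings = []
    text = text.replace("\\\n", " ")  # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@" or line.startswith(ALIASES):
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        tags = ""
        for item in rule.group("spec").split(","):
            spec = SPEC.match(item.strip())
            tags = spec.group("tags") or tags  # tags carry over to later commands
            parts = spec.group("cmd").split(None, 1)
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]
            # A command with no arguments listed may be run with ANY arguments.
            if binary in FILE_WRITERS and len(parts) == 1:
                reason = "any arguments allowed, so root-owned files can be replaced"
                if "NOPASSWD" in tags:
                    reason += " without a password"
                findings.append((rule.group("user"), parts[0], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(*finding, sep=": ")
```

A rule that lists arguments is not flagged by this check, which only means it needs reviewing by hand rather than that it is safe.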