BackupPC-users

[BackupPC-users] ssh into multiple users on one machine? / using authorized_keys options / IRC channel?

2008-04-07 12:35:53
From: Axel Beckert <beckert AT phys.ethz DOT ch>
To: backuppc-users AT lists.sourceforge DOT net
Date: Mon, 7 Apr 2008 18:33:16 +0200
Hi,

three things which I was thinking about recently:


First thing:

We're running a BackupPC server with several TB disk space for laptops
in our Department. As usual some users are more paranoid than
others...

The more paranoid users who just want their data backed up, not the
whole machine, won't give root permission to the backup server's ssh
key. So we ssh into the user whose home directory we want to back up. No
problem so far.

But now I've got a few such boxes used by two or more persons (a
professor and his PhD students) and all want their home directory
backed up, but they don't want to give out root login rights.

Has anyone done something similar already? The machines in question
currently are Macs with MacOS X (so we need to use tar), but we
probably also need to do this for Linux machines (preferably with
rsync).

Currently I have several ideas how to accomplish that:

+ An ssh wrapper which would execute the tar command on the computer
  one time for each user. Problem: Just simply concatenating the tar
  files won't work, you need to make one archive out of them.

+ Giving multiple DNS aliases to the computers in question and then
  seeing them as multiple hosts. (Hope BackupPC doesn't mind several
  hosts having the same IP address.)

  There are two variants of this idea:

  - Using /etc/hosts of the BackupPC server. Wouldn't clutter the
    normal DNS, but you need to make all changes to DNS in the hosts
    file, too.

  - Using CNAME records in DNS. Would be visible for others. Only one
    place to do changes.

+ Creating a local user account on the client which has access to all
  home directories to backup, but not more. Sounds like a big mess (or
  at least a big effort) in regards to Unix file permissions.

I currently prefer the DNS alias method (don't know yet if via
/etc/hosts or normal DNS), but would be happy to hear from others with
a similar situation what ideas (and perhaps solutions) they had.


Second thing:

One of our more paranoid users suggested an improvement which won't
help if the backup server itself would be compromised but will help if
the private key got outside the backup server somehow (and makes
administration harder, if the server changes):

Using options in the authorized_keys file can dyke a key-only
compromise: The line

from="server1.example.org" ssh-rsa AAAAB3...8z backuppc@server1.example.org

would restrict the key to being used only by the host
server1.example.org. The given hostname must be the hostname in the
PTR record for the IP address the BackupPC server connects from. CNAME
records like e.g. backuppc.example.org pointing to server1.example.org
won't work in most cases.

IMHO it wouldn't be bad if this could be mentioned at
http://backuppc.sourceforge.net/faq/security.html#ssh_key_security

Second and a half thing: ;-)

I also played around a little bit with the command="..." option. It
looks like you could use it with something like 

command="tar `cat`" and then use it from BackupPC like this:

$Conf{TarClientCmd} = 'echo cpvf - -C $shareName+ --totals | $sshPath -q -x -n -l root $host $tarPath';

And even if it doesn't look very security-wise, I haven't managed to
exploit command="echo `cat`" -- every meta character (backtick,
backslash, dollar, semicolon, line break, exclamation mark) I tried
was output literally.

Haven't tested it yet though. And it probably won't work for any
command which uses both STDIN and STDOUT like e.g. rsync.


Third thing:

Is there no IRC channel for BackupPC users? I've looked in IRCnet,
Freenode and OFTC. ChanServ seems to know about #backuppc in Freenode,
but nobody was in there.

                Kind regards, Axel Beckert
-- 
Axel Beckert <beckert AT phys.ethz DOT ch>       support: +41 44 633 2668
IT Support Group, HPR E 86.1              voice:   +41 44 633 4189
Departement Physik, ETH Zurich            fax:     +41 44 633 1239
CH-8093 Zurich, Switzerland               http://nic.phys.ethz.ch/
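
Added example, not part of the original message: a forced-command wrapper that narrows the command="tar `cat`" idea, which would still let whoever holds the key choose every tar argument, to one fixed tar invocation on allow-listed home directories. It reads the request from SSH_ORIGINAL_COMMAND (set by sshd when a forced command is in effect) rather than from stdin. The script name and path, the two directories, the exact request shape (taken from the argument string in the message) and the trailing "." are assumptions.

```shell
#!/bin/sh
# backup-gate (hypothetical name): forced command for the BackupPC key, e.g.
#   command="/usr/local/bin/backup-gate",from="server1.example.org",no-pty,
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3...8z
# (a single line in authorized_keys; wrapped here for readability)

# Constructed allow-list: the only directories this key may archive.
ALLOWED_DIRS="/home/alice /home/bob"

# Accept exactly "cpvf - -C <dir> --totals" with <dir> on the allow-list.
# Prints the approved directory and returns 0; returns 1 for anything else.
validate_request() {
    set -f              # no filename expansion while splitting
    set -- $1           # split on whitespace only; nothing is evaluated
    set +f
    [ "$#" -eq 5 ] || return 1
    [ "$1" = "cpvf" ] && [ "$2" = "-" ] && [ "$3" = "-C" ] || return 1
    [ "$5" = "--totals" ] || return 1
    for dir in $ALLOWED_DIRS; do
        if [ "$4" = "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    # Under sshd: the client's requested command arrives in SSH_ORIGINAL_COMMAND.
    if dir=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        # Fixed argument list; "." (the whole directory) is an assumption.
        exec tar -c -p -v -f - -C "$dir" --totals .
    fi
    echo "backup-gate: request rejected" >&2
    exit 1
fi
```

Because the wrapper never passes client-supplied words to tar, the key can only produce an archive of a listed directory on stdout, and one key per user account with its own allow-list covers the shared-machine case.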
