From: Oliver F. <Oli...@io...> - 2004-06-29 15:02:14
|
Hello, as the subject says, I'm trying to setup a client for BackupPC. I already have some linux clients that are working fine, the passwordless login with ssh (rsa keys etc.) works fine. The machine I try to setup is a linux machine that is also a mail server, with direct connection to the internet. So we have root logins disabled, as a further hurdle to take for an intruder. But, this breaks the key-authorization thing, so ssh will ask for a password, and obviously fail. Is there any way to do pubkey authorization for backuppc, but still have no root logins for other people? Maybe 2 sshd's running on that server, one listening on the outside port, with PermitRootLogin=no , and one on the inside with PermitRootLogin=yes. But that feels ugly... Or I try an rsyncd instead, and close that port to the outside world with iptables. Thnx for your help, Oliver |
From: Carl W. S. <ch...@re...> - 2004-06-29 16:23:24
|
On 06/29 05:02 , Oliver Freyd wrote: > Is there any way to do pubkey authorization for backuppc, but still have > no root logins for other people? create a separate user (perhaps 'pcbackup') which will be the login account, and actually run the rsync command. then add a line like this to your /etc/sudoers: # allow backup user to run rsync as root pcbackup ALL= NOPASSWD: /usr/bin/rsync add the appropriate entries to ~pcbackup/.ssh/authorized_keys: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="sudo /usr/bin/rsync --server --sender -logDtpr --exclude='/proc' --exclude='/sys' --exclude='/tmp' --exclude='/mnt' --delete --numeric-ids --block-size=2048 . /" sort out the small oversights in my description here, and you should be good to go. :) -- Carl Soderstrom Systems Administrator Real-Time Enterprises www.real-time.com |
From: David R. <dr...@gr...> - 2004-06-29 17:13:00
|
Oliver Freyd wrote: > > Is there any way to do pubkey authorization for backuppc, but still hav= e > no root logins for other people? > > Maybe 2 sshd's running on that server, one listening on the outside > port, with PermitRootLogin=3Dno , and one on the inside with > PermitRootLogin=3Dyes. But that feels ugly... What I do is set PermitRootLogin without-password This way you can't log in with the root password, you can only log in wit= h permitted authentication keys. You can also then restrict the use of a key to only one host in ~root/.ssh/authorized_keys2 by prepending the key with from=3D"backuppc.host.name" -Dave |