Shared Key Security?
I set up shared keys (no passphrase for cron automation) on 2 servers to backup home directories from one to the other.
Server A is the backup storage. Server B is the sender of the files to Server A. My question is: IF Server B is hacked, what are the security issues to Server A? Thanks to all in advance. |
If server B gets cracked and the intruders find the keys to A, then they can get into A with whatever permissions you have granted the account that uses the keys. So at the minimum it is a good idea to restrict what the keys can do. See "command=" in the manual page for sshd(8). Better would be to also use a proper passphrase on the key. You can use an agent on B to hold the key and have the cron script access the agent. Then you have to enter the passphrase only when B gets rebooted, at least in theory.
|
I have never been able to get rsync to run between "chroot jailed" users. That would help a lot.
|
chroot with rsync might be quite hard. However, you can lock the keys down quite a bit. If you are doing the exact same rsync command each and every time, rsync's options can be made part of the public key over on the destination (A). Then if the source machine (B) gets cracked, all the intruders could do would be to make a new transfer.
|
The rsync command is always the same: /usr/bin/backup
With my limited Linux abilities, I have NO clue how to do what you just said. The rsync command is this, cron jobbed (I hope; it worked manually last night.):
Code:
#!/bin/bash
rsync -avz -e ssh /home/* root@00.00.00.00:/home/backup
echo "All done with Backup to `hostname` on `date`" |mailx -s "Backup finished to `hostname`" myemail@address.com &
=======================
Things in place already:
1. user on Server B has one 5 minute window to make the connection per week on Server A.
2. I thought about this but do not know if it is a good or very bad idea. Move the keys on Server B to a non-shell account once the 5 minute window is up ???? |
If you have this:
Code:
rsync -avz -e ssh /home/* root@aa.bb.cc.dd:/home/backup/
Code:
rsync -avz -e "ssh -v" /home/* root@aa.bb.cc.dd:/home/backup/
Code:
debug1: Sending command: rsync --server -logDtprze.iLs . /home/backup/
Code:
command="/usr/bin/rsync --server -logDtprze.iLs . /home/backup/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/ez/409gxNehfcNV5Bsz... |
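As an added example (not code from the thread), here is a defender-side variant of the command= idea: instead of hard-coding the rsync invocation in authorized_keys, the forced command is a small wrapper on Server A that compares SSH_ORIGINAL_COMMAND with the exact server command seen in the ssh -v output and refuses anything else, combined with the other per-key restrictions sshd(8) offers. The script path /usr/local/bin/backup-only, the from= address 10.0.0.2 and the no-* option set are assumptions; the rsync option string must be copied from your own ssh -v run, since it varies with rsync version.

```shell
#!/bin/sh
# Forced-command wrapper for the backup key on Server A. Assumed to be
# installed as /usr/local/bin/backup-only and referenced from the key's line
# in ~/.ssh/authorized_keys on A (B's address and the no-* options are
# assumed values, see sshd(8) AUTHORIZED_KEYS FILE FORMAT):
#
#   command="/usr/local/bin/backup-only",from="10.0.0.2",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
#
# With command= in effect sshd runs this script instead of whatever the client
# asked for, and exposes the client's request in SSH_ORIGINAL_COMMAND.

# The server-side invocation the client really sends, copied from the
# "debug1: Sending command:" line of an "ssh -v" run (constructed here from
# the thread's output; differs between rsync versions).
EXPECTED='rsync --server -logDtprze.iLs . /home/backup/'

# check_command REQUEST: returns 0 if REQUEST is byte-for-byte the expected
# rsync server command, 1 otherwise. An empty request (plain interactive
# login), extra arguments, shell metacharacters or another destination
# directory all fail the comparison.
check_command() {
    [ "$1" = "$EXPECTED" ]
}

# run_forced: exec the one permitted transfer, or log and refuse.
run_forced() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if check_command "$req"; then
        exec /usr/bin/rsync --server -logDtprze.iLs . /home/backup/
    fi
    # ${SSH_CLIENT%% *} is the client address sshd records for this session
    logger -p auth.warning -t backup-only \
        "refused '$req' from ${SSH_CLIENT%% *}" 2>/dev/null
    printf 'backup-only: this key may only run the fixed rsync transfer\n' >&2
    exit 1
}

# Act only when executed under the installed name; sourcing the file or
# running a copy by hand (e.g. a test) just defines the functions.
case "$0" in
    */backup-only) run_forced ;;
esac
```

The forced command still runs as the key's account, so give that account (not root) ownership of /home/backup on A and set PermitRootLogin accordingly, as suggested later in the thread.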
I really wish when Linux programs are done they would update the "man pages" later. Like I saw in a post --time-limit but not anything in the man pages for rsync; as of yet I have not tried it.
I saw the command at "rsync.samba.org" but had no idea how to do the "command" line goo. They lost me in the following discussion. Thanks, I am trying now. These are HOME directories so either ROOT or a user that is chown user.root; neither of them do I really want to add access on either server, but this is a much lesser evil than hoping users will ever back up anything even once in a very long time. |
Your distro might have 'timeout' which would be used in front of the program to be timed. It will kill the process with a TERM signal if it is still running when the time runs out.
Code:
timeout 20m rsync -avz -e 'ssh -i ... |
We are getting there but NOT there yet.
I put in the "command=" line and it works great... to stop ssh to 00.00.00.00 but if I ssh to hostname.com (server A) I can get right on in. |
Yes thank you.
TIMEOUT is there. |
Did you set PermitRootLogin forced-commands-only in sshd_config on machine A?
You should then still be able to ssh in as a regular user but not as root unless the command is set inside authorized_keys. |
Yes. It is there but when I saw this:
Code:
Are you sure you want to continue connecting (yes/no)? yes
I didn't go the rest of the way to find a black hole. |
I am still going to do my 5 minute interval but this "command=" is great!!
Now if someone could update the documentation at rsync.samba.org. |
I will add this for those who have different SSH port settings:
Code:
# Remember HOST & PORT setting in /etc/ssh/ssh_config on Server A (host)
# Host 00.00.00.00
# Port = 000 |