Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If server B gets cracked and the intruders find the keys to A, then they can get into A with whatever permissions you have granted the account that uses the keys. So at the minimum it is a good idea to restrict what the keys can do. See "command=" in the manual page for sshd(8) Better, would be to also use a proper passphrase on the key. You can use an agent on B to hold the key and have the cron script access the agent. Then you have to enter the passphrase only when B gets rebooted, at least in theory.
chroot with rsync might be quite hard. However, you can lock the keys down quite a bit. If you are doing the exact same rsync command each and every time, rsync's options can be made part of the public key over on the destination (A) . Then if the source machine (B) gets cracked, all the intruders could do would be to make an new transfer.
echo "All done with Backup to `hostname` on `date`" |mailx -s "Backup finished to `hostname`" myemail@address.com &
=======================
Things in place already:
1. user on Server B has one 5 minute window to make the connection per week on Server A.
2. I thought about this but do not know if it is a good or very bad idea. Move the Keys on Server B to a non-shell account once the 5 minute window is up ????
Last edited by HardenedCriminal; 06-27-2015 at 02:07 PM.
Then on the server in the authorized_keys file, you can preface your key with command="..." something approximately like this, but with your own public key:
And since you are using root you should have PermitRootLogin without-password or PermitRootLogin forced-commands-only It would be best if you could do without root on the remote machine and use a normal user there.
I really wish when Linux programs are done they would update the "man pages" later. Like I saw in a post --time-limit but not anything in the man pages for rsync; as of yet I have not tried it.
I saw the command at "rsync.samba.org" but had no idea how to do the "command" line goo. They lost me in the following discussion.
Thanks I am trying now.
These are HOME directories so either ROOT or a user that is chown user.root; neither of them do I really want to add access on either server but this is a much lesser evil than hoping users will ever back up anything even once in a very long time.
Your distro might have 'timeout' which would be used in front of the program to be timed. It will kill the process with a TERM signal if it is still running when the time runs out.
Did you set PermitRootLogin forced-commands-only in sshd_config on machine A?
You should then still be able to ssh in as a regular user but not as root unless the command is set inside authorized_keys.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.