From 3ba8c41e2fb8eaa14365386913b4e4019238cd5c Mon Sep 17 00:00:00 2001 From: Axel Burri Date: Sun, 21 Mar 2021 12:56:15 +0100 Subject: [PATCH] documentation: README.md: rephrase ssh setup - move ssh_filter_btrbk down - move "further considerations" to "restrict access" --- README.md | 66 +++++++++++++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index a172b9c..bcd43e5 100644 --- a/README.md +++ b/README.md 
@@ -435,46 +435,44 @@ Add your btrbk public key to "/root/.ssh/authorized_keys" on the server, and you are good to go. -### Restrict Commands with "ssh_filter_btrbk.sh" (optional) +### Restrict Access -Btrbk comes with a shell script "ssh_filter_btrbk.sh", which restricts -ssh access to sane calls to the "btrfs" command needed for snapshot -creation and send/receive operations (see [ssh_filter_btrbk(1)]). +Restrict ssh access to a static IP address within your network. On the +remote host, either add a "Match" block in: -Copy "ssh_filter_btrbk.sh" to "/backup/scripts/", and configure sshd -to run it whenever the key is used for authentication. Example -"/root/.ssh/authorized_keys": +/etc/ssh/sshd_config: - # example backup source (also allowing deletion of old snapshots) - command="/backup/scripts/ssh_filter_btrbk.sh -l --source --delete" ... + Match Address 192.168.0.42 - # example backup target (also allowing deletion of old snapshots) - command="/backup/scripts/ssh_filter_btrbk.sh -l --target --delete" ... +Or restrict in authorized_keys: - # example fetch-only backup source (snapshot_preserve_min=all, snapshot_create=no), - # restricted to subvolumes within /home or /data - command="/backup/scripts/ssh_filter_btrbk.sh -l --send -p /home -p /data" ... + from="192.168.0.42" ... + +Consult the [sshd_config(5)] man-page for a detailed explanation and +more options. -Dedicated Btrbk User Login --------------------------- +Dedicated Btrbk User Login (optional) +------------------------------------- -On the remote host, create a user / group dedicated to btrbk and add -the public key to "/home/btrbk/.ssh/authorized_keys". +If allowing root login is not an option for you, there are several +ways to restrict SSH access to a regular user. ### Option 1: Use sudo -On the client side, configure btrbk to call `btrfs` commands via sudo -on remote hosts. +On the client side, configure btrbk use the sudo backend. This changes +the ssh calls to btrfs commands to `sudo btrfs +`. 
/etc/btrbk/btrbk.conf: backend_remote btrfs-progs-sudo On the remote host, grant root permissions for the "btrfs" command -groups in "/etc/sudoers". Also add the `ssh_filter_btrbk.sh --sudo` -option if you chose to restrict ssh commands above. +groups (subcommands) in "/etc/sudoers". If you are using +[ssh_filter_btrbk(1)], also add the `ssh_filter_btrbk.sh --sudo` +option in "authorized_keys" (see below). ### Option 2: Use btrfs-progs-btrbk @@ -510,16 +508,26 @@ source", allow only the following binaries for the "btrbk" group: -rwx--x--- 1 root btrbk /usr/bin/btrfs-subvolume-snapshot -Further Considerations ----------------------- +Restrict Commands with "ssh_filter_btrbk.sh" (optional) +------------------------------------------------------- -You might also want to restrict ssh access to a static IP address -within your network: +Btrbk comes with a shell script "ssh_filter_btrbk.sh", which restricts +ssh access to sane calls to the "btrfs" command needed for snapshot +creation and send/receive operations (see [ssh_filter_btrbk(1)]). - from="192.168.0.42",command=... ... +Copy "ssh_filter_btrbk.sh" to "/backup/scripts/", and configure sshd +to run it whenever the key is used for authentication. Example +"/root/.ssh/authorized_keys": -For even more security, set up a chroot environment in -"/etc/ssh/sshd_config" (see [sshd_config(5)]). + # example backup source (also allowing deletion of old snapshots) + command="/backup/scripts/ssh_filter_btrbk.sh -l --source --delete" ... + + # example backup target (also allowing deletion of old snapshots) + command="/backup/scripts/ssh_filter_btrbk.sh -l --target --delete" ... + + # example fetch-only backup source (snapshot_preserve_min=all, snapshot_create=no), + # restricted to subvolumes within /home or /data + command="/backup/scripts/ssh_filter_btrbk.sh -l --send -p /home -p /data" ... [ssh_filter_btrbk(1)]: https://digint.ch/btrbk/doc/ssh_filter_btrbk.1.html
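Review bot: In the first hunk (@@ -435,46 +435,44 @@), the sshd_config example under "Restrict Access" consists only of the line "Match Address 192.168.0.42". A Match block with no keywords under it changes nothing, so a reader who copies it gets no restriction at all. Show the directives the block is meant to carry, for instance a global "PermitRootLogin no" with "PermitRootLogin prohibit-password" placed under the Match line, or drop the sshd_config variant and keep only the from= form. Also in this hunk, "configure btrbk use the sudo backend" is missing a "to".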
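Review bot: In the second hunk (@@ -510,16 +508,26 @@), the relocated ssh_filter_btrbk.sh section is what the Option 1 text now points to with "(see below)" for the --sudo option, but its examples only cover "/root/.ssh/authorized_keys" and none of the three command= lines carries --sudo. Add a dedicated-user example that includes --sudo, or a sentence saying where the option goes. The removed line 'from="192.168.0.42",command=... ...' was also the only place showing that from= and command= can be combined in one key entry, and the chroot hint is dropped without a replacement, although the commit message describes this as a move to "restrict access". Consider keeping both under "Restrict Access".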