Reasonably secure automated rsync backups

Posted by Graham Stratton Mon, 12 Feb 2007 15:13:30 GMT

Rsync is one of those wondrous unix utilities that it’s difficult to imagine a world without. Amongst many other uses, it’s a really good way to do daily backups.

Using SSH, rsync is secure too. But for automated access it’s a bit tricky. In order to do automated backups, one needs to set up some sort of passwordless login. This is done by generating an RSA key pair on machine A, and copying the public key to machine B. Now when A tries to log in to B, B has a way to test that A really is A. Cool. But that means that A being compromised leads trivially to B being compromised.

The solution is to limit the range of commands that A can execute on B using a particular SSH key. One can limit it to a single command by prefixing a line of authorized_keys like this:

command="/bin/echo You may not do anything useful" 

Now whatever command is sent, this is the command that will be executed.

More about restricting SSH is available in chapter 8 of O’Reilly’s book at http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html. There are a number of other useful options such as no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty – don’t forget that options should be separated by commas, with no whitespace.

So it’s quite easy to ensure that only a single command is run. But it’s not so easy if you don’t know exactly what the command will be, as with rsync. In this case, the trick is to run a script which decides whether the original command is permissible. The requested command is available as the environment variable $SSH_ORIGINAL_COMMAND (or $SSH2_ORIGINAL_COMMAND if you’re using SSH2, I believe).

There is a useful script here: http://servers.linux.com/article.pl?sid=04/11/04/0346256 It checks that the command doesn’t contain ; or & characters (i.e., there is only one command), and that it begins with ‘rsync --server’. If the command matches, it runs it; otherwise it rejects it. This means that you can’t do anything else with the key you are using for backups (which is good). But what if you want an SSH identity that you can use for manual logins, which is password protected and stored in your keychain? Easy enough, just create two RSA keys.

To specify which key ssh should use, use the -i option:

rsync -e "ssh -i .ssh/id_rsa_backup" --recursive -L /home/graham/tobackup/* back.up/server/
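As an added example (not the linked script, and not the author's code), here is one way to write the validating forced command described above. It goes beyond the two checks mentioned by also rejecting other shell metacharacters and by running the request without eval; the install path /usr/local/bin/validate-rsync and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the linked script. Assumed install path (hypothetical):
#   /usr/local/bin/validate-rsync
# authorized_keys entry on B (one line; <public-key> is a placeholder):
#   command="/usr/local/bin/validate-rsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <public-key>

NL='
'

# Succeeds only for a single "rsync --server ..." request with nothing a
# shell could read as chaining, substitution, redirection or escaping.
is_allowed_rsync() {
    case $1 in
        *';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'`'*|*'$'*|*'('*|*')'*|*'\'*|*"$NL"*)
            return 1 ;;
    esac
    case $1 in
        'rsync --server '*) return 0 ;;   # trailing space: "--serverX" fails
        *) return 1 ;;
    esac
}

run_forced_command() {
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f                        # split on whitespace only, no globbing
        # Unquoted on purpose: no eval, so the text is never re-parsed as shell.
        # Limitation: paths containing spaces are not supported.
        exec $SSH_ORIGINAL_COMMAND
    fi
    # Leave a trace: a rejected request on a backup-only key is worth alerting on.
    logger -p auth.warning -t validate-rsync \
        "rejected command from ${SSH_CONNECTION:-unknown}" 2>/dev/null || true
    echo "Rejected: this key may only run rsync --server" >&2
    exit 1
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asks for a command. With it
# unset (interactive login attempt) the script just ends, so no shell is given.
[ -z "${SSH_ORIGINAL_COMMAND:-}" ] || run_forced_command
```

Rejections are written to syslog under the tag validate-rsync, so any hit there means the backup key was used for something other than rsync.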


Fixing fonts

Posted by Graham Stratton Wed, 03 May 2006 14:07:00 GMT

After upgrading X to x.org 7.0, I found that some fonts which had previously been anti-aliased were no longer.

By running ‘dpkg-reconfigure fontconfig-config’ I restored my display to its former glory. Now all I need to do is to get suspend to work, and I won’t need a Mac.


debian keys

Posted by Graham Stratton Fri, 10 Feb 2006 14:53:00 GMT

I just installed kanotix 2005-4, but when I came to install some new packages, I got a warning saying that the packages cannot be authenticated.

A bit of googling suggested that I needed to update the debian keys. This should easily be done with ‘apt-key update’, but that returned an error saying:

ERROR: Can't find the archive-keyring
Is the debian-keyring package installed?

I installed the package, but the error remained. It seems this is a bug in debian. Changing

ARCHIVE_KEYRING=/usr/share/keyrings/debian-keyring.gpg

to

ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg

in /usr/bin/apt-key line 12

allowed me to run ‘apt-key update’, which downloaded 903 keys but then hung. But apt-get update still reported

E: Some packages could not be authenticated

and apt-get install still gave the error

The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 2D230C5F

fetches the relevant key successfully.

It should then be possible to add them to the keychain with

gpg --armor --export 2D230C5F | apt-key add -

but that command returns

gpg: no writable keyring found: eof
gpg: error reading `-': general error
gpg: import from `-' failed: general error

Eventually I realised that this is an environment issue. If I ran these commands as root instead of using sudo, the keys could be added.


Suspend to RAM on C840

Posted by Graham Stratton Sun, 22 Jan 2006 11:50:38 GMT

Someone has reported that the instructions at https://wiki.ubuntu.com/HoaryPM work for getting suspend to RAM to work on a Dell Latitude C840. I’ll try it with Breezy and report what happens.
