mirror of https://github.com/borgbackup/borg.git synced 2024-12-24 08:45:13 +00:00

Describe performing pull-backups via ssh remote forwarding

Dominik Stadler 2023-04-02 10:46:31 +02:00
parent dfef2b9092
commit 4216dfd12d


@ -422,3 +422,61 @@ Parentheses are not needed when using a dedicated bash process.
``kill "${SSH_AGENT_PID}"``
Kill ssh-agent with loaded keys when it is not needed anymore.
Remote forwarding
=================
The ssh client allows to create tunnels to forward local ports to a remote server and also to allow remote ports to
be forwarded to local ports.borg
This remote forwarding can be used to allow remote backup clients to access the backup server even if the backup server
usually cannot be reached by the backup client.
This can even be used in cases where neither the backup server can reach the backup client and the backup client cannot
reach the backup server, but some intermediate host can access both.
A schematic approach is as follows
::
Backup Server (backup@mybackup) Intermediate Machine (john@myinter) Backup Client (bob@myclient)
1. Establish SSH remote forwarding -----------> SSH listen on local port
2. Starting borg create establishes
3. SSH forwards to intermediate machine <------- SSH connection to the local port
4. Receives backup connection <------- and further on to backup server
via SSH
So for the backup client the backup is done via SSH to a local port and for the backup server there is a normal backup
performed via ssh.
In order to achieve this, the following commands can be used to create the remote port forwarding:
1. On machine `myinter`
``ssh bob@myclient -v -C -R 8022:myclient:22 -N``
This will listen for ssh-connections on port `8022` on `myclient`.
2. On machine `myclient`
``borg create -v --progress --stats ssh://backup@localhost:8022/home/backup/repos/dogado /``
Make sure to use port `8022` and `localhost` for the repository as this instructs borg on `myclient` to use the
remote forwarded ssh connection.
SSH Keys
~~~~~~~~
If you want to automate backups when using this method, the ssh `known_hosts` and `authorized_keys` need to be set up
to allow connections.
Security Considerations
~~~~~~~~~~~~~~~~~~~~~~~
Opening up SSH access this way can pose a security risk as it effectively opens remote access to your
backup server on the client even if it is located outside of your company network.
All the additional security considerations for borg should be applied, see :ref:`central-backup-server` for some additional
hints.
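Review bot: The forward target in step 1, ``-R 8022:myclient:22``, points back at the client's own sshd instead of the backup server, so the ``borg create`` in step 2 against ``ssh://backup@localhost:8022/...`` would end up on ``myclient`` rather than on ``mybackup`` as the schematic shows. The target should presumably be ``mybackup:22``, and the sentence after the command should say where port 8022 forwards to, not only where it listens. The schematic also has the backup server establishing the forwarding while step 1 runs on ``myinter``; one of the two needs to change so they agree. Smaller points: "ports.borg" in the first paragraph carries a stray word, and the single-backtick names (`myinter`, `myclient`, `8022`, `known_hosts`, `authorized_keys`) are interpreted text in reST, so use double backticks as the command lines already do. The SSH Keys section only says the files "need to be set up"; since the Security Considerations text says this exposes the backup server on the client, it would help to state which account's ``authorized_keys`` on which host is meant and to point at the restricted-key setup in :ref:`central-backup-server` there.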