From 7851df089a62515b09b45c15d584be2ab9ea0dec Mon Sep 17 00:00:00 2001 From: Piotr Pawlow Date: Mon, 18 Jan 2016 14:35:11 +0100 Subject: [PATCH 1/3] Disable unneeded SSH features in authorized_keys example for security. --- docs/quickstart.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/quickstart.rst b/docs/quickstart.rst index 18457e9c7..ca7acc795 100644 --- a/docs/quickstart.rst +++ b/docs/quickstart.rst @@ -207,7 +207,7 @@ the remote server's authorized_keys file. Only the forced command will be run when the key authenticates a connection. This example will start |project_name| in server mode, and limit the |project_name| server to a specific filesystem path:: - command="borg serve --restrict-to-path /mnt/backup" ssh-rsa AAAAB3[...] + command="borg serve --restrict-to-path /mnt/backup",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...] If it is not possible to install |project_name| on the remote host, it is still possible to use the remote host to store a repository by From a3fa965ded378706a20babf9a328f6ccc3acad6b Mon Sep 17 00:00:00 2001 From: Piotr Pawlow Date: Mon, 18 Jan 2016 18:39:11 +0100 Subject: [PATCH 2/3] Added no-agent-forwarding,no-user-rc to SSH key options. --- docs/deployment.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/deployment.rst b/docs/deployment.rst index bd69f943f..cffb0831b 100644 --- a/docs/deployment.rst +++ b/docs/deployment.rst @@ -62,7 +62,8 @@ forced command and restrictions applied as shown below: command="cd /home/backup/repos/; borg serve --restrict-path /home/backup/repos/", - no-port-forwarding,no-X11-forwarding,no-pty + no-port-forwarding,no-X11-forwarding,no-pty, + no-agent-forwarding,no-user-rc .. note:: The text shown above needs to be written on a single line! 
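Review bot: The option list added to the quickstart example names each restriction by hand, so a forwarding or tunnelling feature introduced by a later OpenSSH release would stay enabled for this key. Where the server runs OpenSSH 7.2 or newer, the `restrict` key option disables all of these and any restrictions added in future, so the text could offer `restrict,command="borg serve --restrict-to-path /mnt/backup" ssh-rsa AAAAB3[...]` as the preferred form and keep the explicit list for older servers. The same applies to the deployment.rst and usage.rst examples in patches 2 and 3. The option order also differs between files (quickstart starts with `no-pty`, deployment.rst with `no-port-forwarding`); a single order would make the examples easier to compare.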
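Review bot: The forced command in this deployment.rst example still passes `--restrict-path` in the unchanged context line, while the quickstart, usage and Ansible examples in this series all use `--restrict-to-path`. Since this hunk already touches the example, the line should be aligned as `borg serve --restrict-to-path /home/backup/repos/",`. A copied example with the wrong option name would presumably make borg serve fail on an unknown argument rather than run unrestricted, but that is worth confirming against the argument parser. The example block starts above the hunk, so only part of it is visible here.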
@@ -141,7 +142,7 @@ package manager to install and keep borg up-to-date. - file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory - authorized_key: user="{{ user }}" key="{{ item.key }}" - key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",no-port-forwarding,no-X11-forwarding,no-pty' + key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc' with_items: auth_users - file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file - file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory From 987aaa34dfed5067c5cb1fb679f3a6de50ccf0af Mon Sep 17 00:00:00 2001 From: Piotr Pawlow Date: Mon, 18 Jan 2016 18:49:07 +0100 Subject: [PATCH 3/3] Added SSH key options to the usage example. --- docs/usage.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/usage.rst b/docs/usage.rst index 73a60dc8e..e3a9ed7ba 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -419,9 +419,10 @@ Examples :: # Allow an SSH keypair to only run borg, and only have access to /mnt/backup. + # Use key options to disable unneeded and potentially dangerous SSH functionality. # This will help to secure an automated remote backup system. $ cat ~/.ssh/authorized_keys - command="borg serve --restrict-to-path /mnt/backup" ssh-rsa AAAAB3[...] + command="borg serve --restrict-to-path /mnt/backup",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...] .. include:: usage/upgrade.rst.inc
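Review bot: In the `key_options` line of the Ansible example, the forced command joins `cd {{ pool }}/{{ item.host }}` and `borg serve` with `;`, so borg serve still starts when the `cd` fails, for example because the per-host directory is missing. `--restrict-to-path` still limits which repositories can be opened, so the impact looks limited, but `&&` would make a broken setup fail visibly: `command="cd {{ pool }}/{{ item.host }} && borg serve --restrict-to-path {{ pool }}/{{ item.host }}"`. The same `cd …;` pattern appears in the single-line example earlier in deployment.rst.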