mirror/borg
1
0
Fork 0
mirror of https://github.com/borgbackup/borg.git synced 2024-12-27 10:18:12 +00:00
Code Issues Releases Wiki Activity

Merge pull request #572 from rot13/master

Browse source 
Disable unneeded SSH features in authorized_keys example for security.
This commit is contained in:
TW 2016-01-18 19:15:53 +01:00
commit 522c14c6ad
3 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
docs/deployment.rst
View file

@ -62,7 +62,8 @@ forced command and restrictions applied as shown below:
command="cd /home/backup/repos/<client fqdn>; command="cd /home/backup/repos/<client fqdn>;
borg serve --restrict-path /home/backup/repos/<client fqdn>", borg serve --restrict-path /home/backup/repos/<client fqdn>",
no-port-forwarding,no-X11-forwarding,no-pty <keytype> <key> <host> no-port-forwarding,no-X11-forwarding,no-pty,
no-agent-forwarding,no-user-rc <keytype> <key> <host>
.. note:: The text shown above needs to be written on a single line! .. note:: The text shown above needs to be written on a single line!
@ -141,7 +142,7 @@ package manager to install and keep borg up-to-date.
- file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory - file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
- authorized_key: user="{{ user }}" - authorized_key: user="{{ user }}"
key="{{ item.key }}" key="{{ item.key }}"
key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",no-port-forwarding,no-X11-forwarding,no-pty' key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
with_items: auth_users with_items: auth_users
- file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file - file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file
- file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory - file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory

2
docs/quickstart.rst
View file

@ -207,7 +207,7 @@ the remote server's authorized_keys file. Only the forced command will be run
when the key authenticates a connection. This example will start |project_name| in server when the key authenticates a connection. This example will start |project_name| in server
mode, and limit the |project_name| server to a specific filesystem path:: mode, and limit the |project_name| server to a specific filesystem path::
command="borg serve --restrict-to-path /mnt/backup" ssh-rsa AAAAB3[...] command="borg serve --restrict-to-path /mnt/backup",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...]
If it is not possible to install |project_name| on the remote host, If it is not possible to install |project_name| on the remote host,
it is still possible to use the remote host to store a repository by it is still possible to use the remote host to store a repository by

3
docs/usage.rst
View file

@ -419,9 +419,10 @@ Examples
:: ::
# Allow an SSH keypair to only run borg, and only have access to /mnt/backup. # Allow an SSH keypair to only run borg, and only have access to /mnt/backup.
# Use key options to disable unneeded and potentially dangerous SSH functionality.
# This will help to secure an automated remote backup system. # This will help to secure an automated remote backup system.
$ cat ~/.ssh/authorized_keys $ cat ~/.ssh/authorized_keys
command="borg serve --restrict-to-path /mnt/backup" ssh-rsa AAAAB3[...] command="borg serve --restrict-to-path /mnt/backup",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...]
.. include:: usage/upgrade.rst.inc .. include:: usage/upgrade.rst.inc