From 753419d506c26782e567efd03c39ed21ac048dc1 Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Sun, 2 Apr 2023 22:58:37 +0200 Subject: [PATCH] Suggest to use forced command when using remote-fowarding via ssh --- docs/deployment/pull-backup.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 7ca0cde03..a29ee8188 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst @@ -481,6 +481,17 @@ Security Considerations Opening up SSH access this way can pose a security risk as it effectively opens remote access to your backup server on the client even if it is located outside of your company network. +To reduce the chances of compromise, you should configure a forced command in ``authorized_keys`` to prevent +anyone from performing any other action on the backup server. + +This can be done e.g. by adding the following in ``$HOME/.ssh/authorized_keys`` on ``mybackup`` with proper +path and client-fqdn: + +:: + + command="cd /home/backup/repos/;borg serve --restrict-to-path /home/backup/repos/" + + All the additional security considerations for borg should be applied, see :ref:`central-backup-server` for some additional hints.
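Review bot: The example ``command=`` line in the added literal block does not match the sentence that introduces it, which asks the reader to fill in a "proper path and client-fqdn": the line has no client-fqdn in it, and no public key follows the option, so it is not a complete ``authorized_keys`` entry as written. Either drop "client-fqdn" from the sentence or show where it goes (for example as part of the repository path), and append a key placeholder so readers see that the option prefixes the key. The forced command on its own also does not deliver "prevent anyone from performing any other action", because port, agent and X11 forwarding stay available to that key unless they are disabled; consider ``command="...",restrict ssh-ed25519 <client public key>`` (``restrict`` needs OpenSSH 7.2 or later). Minor point: ``cd /home/backup/repos/;borg serve`` still starts ``borg serve`` when the ``cd`` fails, so ``&&`` would be safer than ``;``.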