mirror of https://github.com/borgbackup/borg.git
Simplify ssh authorized_keys file
Just using "restrict"; closes https://github.com/borgbackup/borg/issues/2121
This commit is contained in:
parent
9bc00f01aa
commit
b27b9894d1
|
@ -68,8 +68,7 @@ forced command and restrictions applied as shown below:
|
||||||
|
|
||||||
command="cd /home/backup/repos/<client fqdn>;
|
command="cd /home/backup/repos/<client fqdn>;
|
||||||
borg serve --restrict-to-path /home/backup/repos/<client fqdn>",
|
borg serve --restrict-to-path /home/backup/repos/<client fqdn>",
|
||||||
no-port-forwarding,no-X11-forwarding,no-pty,
|
restrict <keytype> <key> <host>
|
||||||
no-agent-forwarding,no-user-rc <keytype> <key> <host>
|
|
||||||
|
|
||||||
.. note:: The text shown above needs to be written on a single line!
|
.. note:: The text shown above needs to be written on a single line!
|
||||||
|
|
||||||
|
@ -147,7 +146,7 @@ package manager to install and keep borg up-to-date.
|
||||||
- file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
- file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
||||||
- authorized_key: user="{{ user }}"
|
- authorized_key: user="{{ user }}"
|
||||||
key="{{ item.key }}"
|
key="{{ item.key }}"
|
||||||
key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
|
key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",restrict'
|
||||||
with_items: "{{ auth_users }}"
|
with_items: "{{ auth_users }}"
|
||||||
- file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file
|
- file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file
|
||||||
- file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
- file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
||||||
|
@ -198,11 +197,7 @@ Salt running on a Debian system.
|
||||||
- source: salt://conf/ssh-pubkeys/{{host}}-backup.id_ecdsa.pub
|
- source: salt://conf/ssh-pubkeys/{{host}}-backup.id_ecdsa.pub
|
||||||
- options:
|
- options:
|
||||||
- command="cd /home/backup/repos/{{host}}; borg serve --restrict-to-path /home/backup/repos/{{host}}"
|
- command="cd /home/backup/repos/{{host}}; borg serve --restrict-to-path /home/backup/repos/{{host}}"
|
||||||
- no-port-forwarding
|
- restrict
|
||||||
- no-X11-forwarding
|
|
||||||
- no-pty
|
|
||||||
- no-agent-forwarding
|
|
||||||
- no-user-rc
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -277,7 +277,7 @@ use of the SSH keypair by prepending a forced command to the SSH public key in
|
||||||
the remote server's `authorized_keys` file. This example will start |project_name|
|
the remote server's `authorized_keys` file. This example will start |project_name|
|
||||||
in server mode and limit it to a specific filesystem path::
|
in server mode and limit it to a specific filesystem path::
|
||||||
|
|
||||||
command="borg serve --restrict-to-path /path/to/repo",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...]
|
command="borg serve --restrict-to-path /path/to/repo",restrict ssh-rsa AAAAB3[...]
|
||||||
|
|
||||||
If it is not possible to install |project_name| on the remote host,
|
If it is not possible to install |project_name| on the remote host,
|
||||||
it is still possible to use the remote host to store a repository by
|
it is still possible to use the remote host to store a repository by
|
||||||
|
|
|
@ -23,7 +23,7 @@ locations like ``/etc/environment`` or in the forced command itself (example bel
|
||||||
# Use key options to disable unneeded and potentially dangerous SSH functionality.
|
# Use key options to disable unneeded and potentially dangerous SSH functionality.
|
||||||
# This will help to secure an automated remote backup system.
|
# This will help to secure an automated remote backup system.
|
||||||
$ cat ~/.ssh/authorized_keys
|
$ cat ~/.ssh/authorized_keys
|
||||||
command="borg serve --restrict-to-path /path/to/repo",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...]
|
command="borg serve --restrict-to-path /path/to/repo",restrict ssh-rsa AAAAB3[...]
|
||||||
|
|
||||||
# Set a BORG_XXX environment variable on the "borg serve" side
|
# Set a BORG_XXX environment variable on the "borg serve" side
|
||||||
$ cat ~/.ssh/authorized_keys
|
$ cat ~/.ssh/authorized_keys
|
||||||
|
|
Loading…
Reference in New Issue