Merge pull request #7488 from centic9/master

Describe performing pull-backups via ssh remote forwarding

docs/deployment/pull-backup.rst

@@ -422,3 +422,83 @@ Parentheses are not needed when using a dedicated bash process.
 ``kill "${SSH_AGENT_PID}"``
 
   Kill ssh-agent with loaded keys when it is not needed anymore.
+
+Remote forwarding
+=================
+
+The standard ssh client allows to create tunnels to forward local ports to a remote server (local forwarding) and also
+to allow remote ports to be forwarded to local ports (remote forwarding).
+
+This remote forwarding can be used to allow remote backup clients to access the backup server even if the backup server
+cannot be reached by the backup client.
+
+This can even be used in cases where neither the backup server can reach the backup client and the backup client cannot
+reach the backup server, but some intermediate host can access both.
+
+A schematic approach is as follows
+
+::
+
+      Backup Server (backup@mybackup)          Intermediate Machine (john@myinter)              Backup Client (bob@myclient)
+
+                                              1. Establish SSH remote forwarding  ----------->  SSH listen on local port
+
+                                                                                                2. Starting ``borg create`` establishes
+                                              3. SSH forwards to intermediate machine  <------- SSH connection to the local port
+      4. Receives backup connection <-------  and further on to backup server
+      via SSH
+
+So for the backup client the backup is done via SSH to a local port and for the backup server there is a normal backup
+performed via ssh.
+
+In order to achieve this, the following commands can be used to create the remote port forwarding:
+
+1. On machine ``myinter``
+
+``ssh bob@myclient -v -C -R 8022:mybackup:22 -N``
+
+This will listen for ssh-connections on port ``8022`` on ``myclient`` and forward connections to port 22 on ``mybackup``.
+
+You can also remove the need for machine ``myinter`` and create the port forwarding on the backup server directly by
+using ``localhost`` instead of ``mybackup``
+
+2. On machine ``myclient``
+
+``borg create -v --progress --stats ssh://backup@localhost:8022/home/backup/repos/myclient /``
+
+Make sure to use port ``8022`` and ``localhost`` for the repository as this instructs borg on ``myclient`` to use the
+remote forwarded ssh connection.
+
+SSH Keys
+~~~~~~~~
+
+If you want to automate backups when using this method, the ssh ``known_hosts`` and ``authorized_keys`` need to be set up
+to allow connections.
+
+Security Considerations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Opening up SSH access this way can pose a security risk as it effectively opens remote access to your
+backup server on the client even if it is located outside of your company network.
+
+To reduce the chances of compromise, you should configure a forced command in ``authorized_keys`` to prevent
+anyone from performing any other action on the backup server.
+
+This can be done e.g. by adding the following in ``$HOME/.ssh/authorized_keys`` on ``mybackup`` with proper
+path and client-fqdn:
+
+::
+
+  command="cd /home/backup/repos/<client fqdn>;borg serve --restrict-to-path /home/backup/repos/<client fqdn>"
+
+
+All the additional security considerations for borg should be applied, see :ref:`central-backup-server` for some additional
+hints.
+
+More information
+~~~~~~~~~~~~~~~~
+
+See `remote forwarding`_ and the `ssh man page`_ for more information about remote forwarding.
+
+   .. _remote forwarding: https://linuxize.com/post/how-to-setup-ssh-tunneling/
+   .. _ssh man page: https://manpages.debian.org/testing/manpages-de/ssh.1.de.html