On 28/05/10 01:23, Aneurin Price wrote:
> On Thu, May 27, 2010 at 23:00, feffer
> <[email protected]> wrote:
>>
>> I'm running rdiff-backup over ssh with an unattended cron script using an
>> ssh key-pair procedure described here
>> (http://arctic.org/~dean/rdiff-backup/unattended.html). My script works
>> fine, but I'm wondering about security. It is generally considered a bad
>> idea to allow root login to ssh, but I cannot preserve ownership and
>> permissions if I disallow root login.
>>
>> Is this really a problem since my machines are behind a router on my LAN?
>> The ssh key-pairs are not password protected, but isn't the only real
>> security threat losing the private key?

Unless you lose the private key, this is secure. But double-check that
root can log in *only* using the key (set PermitRootLogin without-password
or even PermitRootLogin forced-commands-only in sshd_config, more info:
http://linux.die.net/man/5/sshd_config )

>>
>> Is there a way to lock this down a bit more while still enabling unattended
>> backups?
>>
>
> Do you really need the permissions on the server to be set correctly,
> rather than simply when you restore? If not, I thought rdiff-backup
> could save and restore permissions separately from the files in
> question, allowing you to record them without needing to be root.

While it is true that rdiff-backup will save the metadata somewhere else
then, this means that you cannot restore by simply copying the files.
This means if your rdiff-backup-data folder is corrupt (happens!), you
are screwed. I'd recommend running as root on the destination server.

> Alternatively you could use metastore
> (http://david.hardeman.nu/software.php) which can save file metadata
> to a file, allowing you to restore it at a later date.
>
> Both of these still require root privileges on the client machine when
> backing up (unless everything is world-readable) and when restoring in
> order to reset the permissions, but not on the destination machine.
>
> Nye
>
> _______________________________________________
> rdiff-backup-users mailing list at [email protected]
> http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
> Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
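
The check recommended in the reply above (root reachable only by key, ideally only through a forced command) can be scripted. This is an added example, not part of the original message or of rdiff-backup; the sample sshd_config and authorized_keys text is constructed, and using `rdiff-backup --server` as the forced command is an assumption about the setup.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')  # one field; quoted parts may hold spaces
ITEM = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')    # one option; quoted parts may hold commas

def permit_root_login(sshd_config):
    """Global PermitRootLogin value (sshd keeps the first one it reads), or None."""
    for line in sshd_config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":   # settings below here are conditional
            break
        if parts[0].lower() == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return None                           # unset: the default depends on the OpenSSH version

def key_options(line):
    """Options of one authorized_keys line; empty if it starts with the key type."""
    m = FIELD.match(line)
    if not m or KEY_TYPE.match(m.group()):
        return []
    return ITEM.findall(m.group())

def audit(sshd_config, authorized_keys):
    """Findings for root's SSH access; an empty list means key-only and command-restricted."""
    findings = []
    mode = permit_root_login(sshd_config)
    if mode in (None, "yes"):
        findings.append("PermitRootLogin=%s: root password login is not ruled out" % mode)
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        forced = any(o.lower().startswith("command=") for o in key_options(line))
        if not forced and mode not in ("forced-commands-only", "no"):
            findings.append("line %d: key has no command= option, so it opens a root shell" % n)
    return findings

# Constructed sample input (not from the thread): root's authorized_keys on the backup server.
SSHD = "PermitRootLogin without-password\n"
KEYS = ('command="rdiff-backup --server",no-pty,no-port-forwarding ssh-rsa AAAAconstructed backup@client\n'
        "ssh-rsa AAAAconstructed admin@laptop\n")
print(audit(SSHD, KEYS))
```

With `PermitRootLogin forced-commands-only` the second key is refused by sshd for root, so the audit reports nothing for it.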
