secure remote backups
Jason Piterak
Jason_Piterak@c-i-s.com
Tue, 27 Nov 2001 11:19:31 -0500
Ben & Mike,
Probably WAY overkill depending on your needs, but... what about running
the rdiff-backup under user-mode linux with root ssh allowed to the virtual
host? That way, if rdiff-backup (or sshd) is compromised, the cracker only
gets to the virtual host... It also allows you to run several completely
separate instances of rdiff-backup (with different chrooted environments and
data repositories).
Of course in order to do this, you'd either have to have some IP addresses
available (one per VM), or you'd have to do some funky port forwarding on
the host machine.
Mike, please let us know what you _do_ end up with or get to work...
Take care,
--Jason
---
Jason Piterak
System Architect
CIS Technical Services
33 Main St., Suite 302
Nashua, NH 03064
(603) 889-4684 - FAX (603) 889-0534
> -----Original Message-----
> From: rdiff-backup-admin@keywest.Stanford.EDU
> [mailto:rdiff-backup-admin@keywest.Stanford.EDU]On Behalf Of
> mike wolman
> Sent: Thursday, November 22, 2001 7:33 AM
> To: Ben Escoto
> Cc: rdiff-backup@keywest.Stanford.EDU
> Subject: Re: secure remote backups
>
>
> Hi Ben,
>
> I will give your suggestions a try, I am not too keen on
> opening up root ssh access on the remote machines but i will
> give your other suggestions a try.
>
> Thanks,
>
> Mike.
>
> On Wed, 21 Nov 2001, Ben Escoto wrote:
>
> > >>>>> "MW" == mike wolman <mike@nux.co.uk>
> > >>>>> wrote the following on Wed, 21 Nov 2001 14:41:15 +0000 (GMT)
> >
> > MW> Hi Ben, I have tried your suggestion however when i try to ssh
> > MW> and su i get the following problem from su: standard
> in must be
> > MW> a tty
> >
> > MW> I have had a hunt for anybody else trying to run su
> from ssh but
> > MW> have not found a solution.
> >
> > Hmm, I think something like the ssh-then-su method still could work,
> > but you would need some more complicated wrapper... Ok, how about
> > these suggestions instead:
> >
> > 1. Suid script that runs rdiff-backup --server. I think you would
> > have to create another user id, and make sure only that user has
> > access to the script.
> >
> > 2. Instead of running rdiff-backup on machine A and trying
> to get it
> > to log in to machine B which doesn't accept ssh root logins, run
> > rdiff-backup on machine B (after you 'su' normally)
> with machine A
> > being remote.
> >
> > 3. Reconfigure ssh on the remote machine to accept root logins. To
> > do this, make sure the line
> >
> > PermitRootLogin yes
> >
> > appears in your sshd configuration file, usually at
> > /etc/ssh/sshd_config.
> >
> > Anything here look promising?
> >
> >
> > --
> > Ben Escoto
> >
>
> _______________________________________________
> Rdiff-backup mailing list
> Rdiff-backup@keywest.Stanford.EDU
> http://keywest.Stanford.EDU/mailman/listinfo/rdiff-backup
>
---
Jason Piterak
System Architect
CIS Technical Services
33 Main St., Suite 302
Nashua, NH 03064
(603) 889-4684 - FAX (603) 889-0534
> -----Original Message-----
> From: rdiff-backup-admin@keywest.Stanford.EDU
> [mailto:rdiff-backup-admin@keywest.Stanford.EDU]On Behalf Of
> mike wolman
> Sent: Thursday, November 22, 2001 7:33 AM
> To: Ben Escoto
> Cc: rdiff-backup@keywest.Stanford.EDU
> Subject: Re: secure remote backups
>
>
> Hi Ben,
>
> I will give your suggestions a try, I am not too keen on
> opening up root ssh access on the remote machines but i will
> give your other suggestions a try.
>
> Thanks,
>
> Mike.
>
> On Wed, 21 Nov 2001, Ben Escoto wrote:
>
> > >>>>> "MW" == mike wolman <mike@nux.co.uk>
> > >>>>> wrote the following on Wed, 21 Nov 2001 14:41:15 +0000 (GMT)
> >
> > MW> Hi Ben, I have tried your suggestion however when i try to ssh
> > MW> and su i get the following problem from su: standard
> in must be
> > MW> a tty
> >
> > MW> I have had a hunt for anybody else trying to run su
> from ssh but
> > MW> have not found a solution.
> >
> > Hmm, I think something like the ssh-then-su method still could work,
> > but you would need some more complicated wrapper... Ok, how about
> > these suggestions instead:
> >
> > 1. Suid script that runs rdiff-backup --server. I think you would
> > have to create another user id, and make sure only that user has
> > access to the script.
> >
> > 2. Instead of running rdiff-backup on machine A and trying
> to get it
> > to log in to machine B which doesn't accept ssh root logins, run
> > rdiff-backup on machine B (after you 'su' normally)
> with machine A
> > being remote.
> >
> > 3. Reconfigure ssh on the remote machine to accept root logins. To
> > do this, make sure the line
> >
> > PermitRootLogin yes
> >
> > appears in your sshd configuration file, usually at
> > /etc/ssh/sshd_config.
> >
> > Anything here look promising?
> >
> >
> > --
> > Ben Escoto
> >
>
> _______________________________________________
> Rdiff-backup mailing list
> Rdiff-backup@keywest.Stanford.EDU
> http://keywest.Stanford.EDU/mailman/listinfo/rdiff-backup
>