secure remote backups
mike wolman
mike@nux.co.uk
Tue, 27 Nov 2001 17:35:42 +0000 (GMT)
Hi Jason,
I am playing with a suid wrapper for rdiff,
then sshing in as a backup user and running the wrapper script,
as linux refuses to run scripts as suid, i am playing doing it
with very limited c knowledge, and with a pile of other stuff mounting
in the inbox i have not had a chance to get it setup.
I will let you know as soon as i actually have it running.
And yes usermode linux or a vm would be way overkill.
Cheers,
Mike.
On Tue, 27 Nov 2001, Jason Piterak wrote:
> Ben & Mike,
> Probably WAY overkill depending on your needs, but... what about running
> the rdiff-backup under user-mode linux with root ssh allowed to the virtual
> host? That way, if rdiff-backup (or sshd) is compromised, the cracker only
> gets to the virtual host... It also allows you to run several completely
> separate instances of rdiff-backup (with different chrooted environments and
> data repositories).
> Of course in order to do this, you'd either have to have some IP addresses
> available (one per VM), or you'd have to do some funky port forwarding on
> the host machine.
>
> Mike, please let us know what you _do_ end up with or get to work...
>
> Take care,
>
> --Jason
>
> ---
> Jason Piterak
> System Architect
> CIS Technical Services
> 33 Main St., Suite 302
> Nashua, NH 03064
> (603) 889-4684 - FAX (603) 889-0534
>
>
>
> > -----Original Message-----
> > From: rdiff-backup-admin@keywest.Stanford.EDU
> > [mailto:rdiff-backup-admin@keywest.Stanford.EDU]On Behalf Of
> > mike wolman
> > Sent: Thursday, November 22, 2001 7:33 AM
> > To: Ben Escoto
> > Cc: rdiff-backup@keywest.Stanford.EDU
> > Subject: Re: secure remote backups
> >
> >
> > Hi Ben,
> >
> > I will give your suggestions a try, I am not too keen on
> > opening up root ssh access on the remote machines but i will
> > give your other suggestions a try.
> >
> > Thanks,
> >
> > Mike.
> >
> > On Wed, 21 Nov 2001, Ben Escoto wrote:
> >
> > > >>>>> "MW" == mike wolman <mike@nux.co.uk>
> > > >>>>> wrote the following on Wed, 21 Nov 2001 14:41:15 +0000 (GMT)
> > >
> > > MW> Hi Ben, I have tried your suggestion however when i try to ssh
> > > MW> and su i get the following problem from su: standard
> > in must be
> > > MW> a tty
> > >
> > > MW> I have had a hunt for anybody else trying to run su
> > from ssh but
> > > MW> have not found a solution.
> > >
> > > Hmm, I think something like the ssh-then-su method still could work,
> > > but you would need some more complicated wrapper... Ok, how about
> > > these suggestions instead:
> > >
> > > 1. Suid script that runs rdiff-backup --server. I think you would
> > > have to create another user id, and make sure only that user has
> > > access to the script.
> > >
> > > 2. Instead of running rdiff-backup on machine A and trying
> > to get it
> > > to log in to machine B which doesn't accept ssh root logins, run
> > > rdiff-backup on machine B (after you 'su' normally)
> > with machine A
> > > being remote.
> > >
> > > 3. Reconfigure ssh on the remote machine to accept root logins. To
> > > do this, make sure the line
> > >
> > > PermitRootLogin yes
> > >
> > > appears in your sshd configuration file, usually at
> > > /etc/ssh/sshd_config.
> > >
> > > Anything here look promising?
> > >
> > >
> > > --
> > > Ben Escoto
> > >
> >
> > _______________________________________________
> > Rdiff-backup mailing list
> > Rdiff-backup@keywest.Stanford.EDU
> > http://keywest.Stanford.EDU/mailman/listinfo/rdiff-backup
> >
>
> ---
> Jason Piterak
> System Architect
> CIS Technical Services
> 33 Main St., Suite 302
> Nashua, NH 03064
> (603) 889-4684 - FAX (603) 889-0534
>
>
>
> > -----Original Message-----
> > From: rdiff-backup-admin@keywest.Stanford.EDU
> > [mailto:rdiff-backup-admin@keywest.Stanford.EDU]On Behalf Of
> > mike wolman
> > Sent: Thursday, November 22, 2001 7:33 AM
> > To: Ben Escoto
> > Cc: rdiff-backup@keywest.Stanford.EDU
> > Subject: Re: secure remote backups
> >
> >
> > Hi Ben,
> >
> > I will give your suggestions a try, I am not too keen on
> > opening up root ssh access on the remote machines but i will
> > give your other suggestions a try.
> >
> > Thanks,
> >
> > Mike.
> >
> > On Wed, 21 Nov 2001, Ben Escoto wrote:
> >
> > > >>>>> "MW" == mike wolman <mike@nux.co.uk>
> > > >>>>> wrote the following on Wed, 21 Nov 2001 14:41:15 +0000 (GMT)
> > >
> > > MW> Hi Ben, I have tried your suggestion however when i try to ssh
> > > MW> and su i get the following problem from su: standard
> > in must be
> > > MW> a tty
> > >
> > > MW> I have had a hunt for anybody else trying to run su
> > from ssh but
> > > MW> have not found a solution.
> > >
> > > Hmm, I think something like the ssh-then-su method still could work,
> > > but you would need some more complicated wrapper... Ok, how about
> > > these suggestions instead:
> > >
> > > 1. Suid script that runs rdiff-backup --server. I think you would
> > > have to create another user id, and make sure only that user has
> > > access to the script.
> > >
> > > 2. Instead of running rdiff-backup on machine A and trying
> > to get it
> > > to log in to machine B which doesn't accept ssh root logins, run
> > > rdiff-backup on machine B (after you 'su' normally)
> > with machine A
> > > being remote.
> > >
> > > 3. Reconfigure ssh on the remote machine to accept root logins. To
> > > do this, make sure the line
> > >
> > > PermitRootLogin yes
> > >
> > > appears in your sshd configuration file, usually at
> > > /etc/ssh/sshd_config.
> > >
> > > Anything here look promising?
> > >
> > >
> > > --
> > > Ben Escoto
> > >
> >
> > _______________________________________________
> > Rdiff-backup mailing list
> > Rdiff-backup@keywest.Stanford.EDU
> > http://keywest.Stanford.EDU/mailman/listinfo/rdiff-backup
> >
>