ssh & key management, sudo, and rdiff-backup

Jamie Heilman
Wed, 30 Jan 2002 03:38:53 -0800

Sorry if you folks already know this, but I read the entire archive
and everyone seems to sort of skirt the issue so I just figured I'd
toss it out there.  SSH's key management mechanism is more flexible
than you may think.  Using the sudo technique mentioned earlier on
this list, (which btw I use myself though I don't actually use
rdiff-backup, I use rsync because most of my production machines run
Debian stable which currently doesn't include python 2.2 packages),
you can set yourself up something like the following, which should
alleviate some of the compromise issues tossed around earlier.

On the server create a special backup key for root to use when
connecting to the target clients.  You can make this key using
ssh-keygen, just name it something obvious, I chose snapshot_dsa and
snapshot_rsa1 as I actually have to use multiple keys as my clients
are a rather mixed bag, some support ssh v2, some only support ssh v1.
You can configure which key is used with which host in root's
~/.ssh/config file, the syntax of which is detailed in the ssh man
page.  I don't encrypt these keys with passphrases.  If you wanna add
the extra complexity, knock yourself out, but I don't think you'll
gain any security from it unless you really know what you're doing.

On the clients create a user for your rdiff-backup agent, I'll call mine
snapshot for the purpose of illustration.  Now copy root@your_server's
public key into the snapshot user's authorized_keys file and bind that
key to the command you want your agent to run.  This is the thing you
might not have known - you can bind ssh keys to commands.  This isn't
a "filter" either, this is a full-on "run this command when somebody
with this key connects" kind of deal.  You can also tie this key to a
hostname for additional security.  So for example my snapshot user's
authorized_key file might contain something like:

from="",command="sudo rsync --server --sender -vlogDtprz --delete --numeric-ids . /home/" 1024 35 436853562342741804739862351762416945208980200681305325690789477490102408835296677015140769272963614760241109930366971833023409030908836281015336596167589139888417670959784761149251664447136252119525946869399089209383265049534437538876489744724285307610877098443251568639260861780823359038587149610359979746714 root@phatdisk

Then in my sudoers file on every client I simply have the rule:
snapshot ALL = NOPASSWD: \
  /path/to/rsync --server --sender -vlogDtprz --delete --numeric-ids . /home/

Obviously you'd replace my rsync commands with rdiff-backup's
invocation - or your script that does the same deal should you need to
generate arbitrary events pre and post backup as discussed earlier.
What you now have is a user on your client machines which when tickled
with the right private key from the right server does only one thing,
which is fire up the remote rdiff-backup agent with elevated privs and
barf the data stream back over the pipe.

Anyway, enjoy.

Jamie Heilman         
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."		-Rosencrantz