From 45f7c01e377517790728a75048b7da3fc30b4b90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9A=D0=BE=D1=80=D0=BE=D0=BB=D1=8C=20=D0=90=D0=BB=D0=B5?= =?UTF-8?q?=D0=BA=D1=81=D0=B5=D0=B9?= Date: Fri, 7 Aug 2020 14:40:26 +0300 Subject: [PATCH 1/6] Add ssh-agent pull backup method to doc --- docs/deployment/pull-backup.rst | 63 +++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index f4c67f8ea0..48cee60c32 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
@@ -301,3 +301,66 @@ a backup may be the following command:: This command also automatically removes the socket file after the ``borg create`` command is done. + +ssh-agent +========= + +In this scenario *borg-server* initiate SSH connection to *borg-client* with forwarding of the authentication agent connection. +Afterwards scenario is similar to the push mode: *borg-client* initiate another SSH connection +back to *borg-server* using forwarded agent connection for authenticate itself, +starts ``borg serve`` and communicate with them. + +Using of this method requires ssh access from *borgs* to *borgc@borg-client* and +from *borgs* to *borgs@borg-server* itself. Where: + +* *borgs* is the user on the server side with read/write access to local borg repository. +* *borgc* is the user on the client side with read access to files meant to be backed up. + +Apply of this method in case of automated backup operations +----------------------------------------------------------- + +Do this once on *borg-server* for allowing *borgs* to connect itself on *borg-server*:: + + borgs@borg-server$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys + borgs@borg-server$ chmod go-w ~/.ssh/authorized_keys + +Execute pull operation (init repo in this example) on *borg-server*:: + + borgs@borg-server$ ( + eval $(ssh-agent) > /dev/null + ssh-add -q + ssh -A borgc@borg-client "borg init -e none --rsh 'ssh -o StrictHostKeyChecking=no' borgs@borg-server:repo" + kill "${SSH_AGENT_PID}" + ) + +Parentheses around commands are needed to exclude interferention with possibly already running ssh-agent. +Parentheses not needed in case of using dedicated bash process. + +*eval $(ssh-agent) > /dev/null* + + Run SSH agent in background and export related environment variables to current bash session. + +*ssh-add -q* + + Load SSH private key(s) to SSH agent from default locations: + ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519. 
+ Look at ``man 1 ssh-add`` for more detailed explanation. + + Care needs to be taken when loading keys to SSH agent. Users on the *borg-client* having read/write permissions to + agent's UNIX-domain socket (at least borgc and root in our case) can access the agent on *borg-server* through the + forwarded connection and use loaded keys for authenticate using the identities loaded into the agent + (look at ``man 1 ssh`` for more detailed explanation). Therefore there are some security considerations: + + * *borgs*'s private key loaded to agent must not be used to access anywhere else. + * The keys meant to be loaded to agent must be specified explicitly, not from default locations. + * The *borgs*'s public key record at *borgs@borg-server:~/.ssh/authorized_keys* must be as restrictive as possible. + +*ssh -A borgc@borg-client "borg init -e none --rsh 'ssh -o StrictHostKeyChecking=no' borgs@borg-server:repo"* + + Issue *borg init -e none borgs@borg-server:repo* command to be executed at *borg-client*. + *StrictHostKeyChecking=no* used for automatically adding host key of + *borg-server* to *borgc@borg-client:~/.ssh/known_hosts* without user intervention. + +*kill "${SSH_AGENT_PID}"* + + Kill ssh-agent with loaded keys as it not needed anymore. From 809f14552a4c0a12a63e663649ff0d8e4c0191bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9A=D0=BE=D1=80=D0=BE=D0=BB=D1=8C=20=D0=90=D0=BB=D0=B5?= =?UTF-8?q?=D0=BA=D1=81=D0=B5=D0=B9?= Date: Tue, 11 Aug 2020 16:43:32 +0300 Subject: [PATCH 2/6] Fix ssh-agent pull backup method doc --- docs/deployment/pull-backup.rst | 73 ++++++++++++++++++++++++--------- 1 file changed, 54 insertions(+), 19 deletions(-) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 48cee60c32..3288c32c93 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
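Review bot: PATCH 1/6, hunk @@ -301,3 +301,66 @@: the setup step `borgs@borg-server$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys` installs an unrestricted entry, so anyone who can reach the forwarded agent socket on borg-client gets a plain login shell as borgs on borg-server, which contradicts the hunk's own bullet that the authorized_keys record "must be as restrictive as possible". Suggest prefixing the entry with a forced command and the `restrict` option (`command="borg serve ...",restrict`). In the same hunk, `ssh-add -q` loads every default identity although the bullet list says keys "must be specified explicitly, not from default locations"; pass the dedicated key file to ssh-add instead. Finally, `borg init -e none` creates an unencrypted repository; either use an encryption mode in the example or state why none is chosen.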
@@ -310,8 +310,7 @@ Afterwards scenario is similar to the push mode: *borg-client* initiate another back to *borg-server* using forwarded agent connection for authenticate itself, starts ``borg serve`` and communicate with them. -Using of this method requires ssh access from *borgs* to *borgc@borg-client* and -from *borgs* to *borgs@borg-server* itself. Where: +Using of this method requires ssh access of user *borgs* to *borgc@borg-client*. Where: * *borgs* is the user on the server side with read/write access to local borg repository. * *borgc* is the user on the client side with read access to files meant to be backed up. 
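Review bot: PATCH 2/6, hunk @@ -310,8 +310,7 @@: the rewritten requirement only lists ssh access from *borgs* to *borgc@borg-client*, yet the context lines directly above still describe the return connection from *borg-client* back to *borg-server* over the forwarded agent, which needs its own authorized_keys entry on borg-server. Keep a mention of that return path here so the requirements do not read as one-directional. Also "Using of this method" should be "Using this method".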
@@ -319,48 +318,84 @@ from *borgs* to *borgs@borg-server* itself. Where: Apply of this method in case of automated backup operations ----------------------------------------------------------- -Do this once on *borg-server* for allowing *borgs* to connect itself on *borg-server*:: +Assume that borg-client host is untrusted. +Therefore there is effort to prevent hostile user on borg-client side to do something harmful. +In case of fully trusted borg-client the method may be simplified. - borgs@borg-server$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys +Prepare server side +~~~~~~~~~~~~~~~~~~~ + +Do this once for each client on *borg-server* for allowing *borgs* to connect itself on *borg-server* using dedicated RSA key:: + + borgs@borg-server$ install -m 700 -d ~/.ssh/ + borgs@borg-server$ ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_rsa + borgs@borg-server$ { echo -n 'command="borg serve --append-only --restrict-to-path ~/repo",restrict '; cat ~/.ssh/borg-client_rsa.pub; } >> ~/.ssh/authorized_keys borgs@borg-server$ chmod go-w ~/.ssh/authorized_keys -Execute pull operation (init repo in this example) on *borg-server*:: +``install -m 700 -d ~/.ssh/`` + + Create directory ~/.ssh with correct permissions if not exists yet. + +``ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_rsa`` + + Create RSA key dedicated to communication with borg-client. + +``{ echo -n 'command="borg serve --append-only --restrict-to-path ~/repo",restrict '; cat ~/.ssh/borg-client_rsa.pub; } >> ~/.ssh/authorized_keys`` + + Add borg-client's public key record to ~/.ssh/authorized_keys with force command and restrictions. + Client restricted to use specified repository path and to use only append operations. + The commands like *prune* and *compact* have to be executed another way, for example directly on *borg-server* side. + +``chmod go-w ~/.ssh/authorized_keys`` + + Fix permissions of ~/.ssh/authorized_keys. 
+ + +Pull operation +~~~~~~~~~~~~~~~~~~~~~~ + +Execute borg command (init repo in this example) on *borg-server*:: borgs@borg-server$ ( eval $(ssh-agent) > /dev/null - ssh-add -q - ssh -A borgc@borg-client "borg init -e none --rsh 'ssh -o StrictHostKeyChecking=no' borgs@borg-server:repo" + ssh-add -q ~/.ssh/borg-client_rsa + echo 'complicated & long' | \ + ssh -A -o StrictHostKeyChecking=no borgc@borg-client "BORG_PASSPHRASE=\$(cat) borg --rsh 'ssh -o StrictHostKeyChecking=no' init --encryption repokey ssh://borgs@borg-server/~/repo" kill "${SSH_AGENT_PID}" ) Parentheses around commands are needed to exclude interferention with possibly already running ssh-agent. Parentheses not needed in case of using dedicated bash process. -*eval $(ssh-agent) > /dev/null* +``eval $(ssh-agent) > /dev/null`` Run SSH agent in background and export related environment variables to current bash session. -*ssh-add -q* +``ssh-add -q ~/.ssh/borg-client_rsa`` - Load SSH private key(s) to SSH agent from default locations: - ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519. + Load SSH private key dedicated to communication with borg-client to SSH agent. Look at ``man 1 ssh-add`` for more detailed explanation. - Care needs to be taken when loading keys to SSH agent. Users on the *borg-client* having read/write permissions to + Care needs to be taken when loading key to SSH agent. Users on the *borg-client* having read/write permissions to agent's UNIX-domain socket (at least borgc and root in our case) can access the agent on *borg-server* through the forwarded connection and use loaded keys for authenticate using the identities loaded into the agent (look at ``man 1 ssh`` for more detailed explanation). Therefore there are some security considerations: - * *borgs*'s private key loaded to agent must not be used to access anywhere else. + * Private key loaded to agent must not be used to access anywhere else. 
* The keys meant to be loaded to agent must be specified explicitly, not from default locations. - * The *borgs*'s public key record at *borgs@borg-server:~/.ssh/authorized_keys* must be as restrictive as possible. + * The *borg-client*'s public key record at *borgs@borg-server:~/.ssh/authorized_keys* must be as restrictive as possible. + +``echo 'complicated & long' | ssh -A -o StrictHostKeyChecking=no borgc@borg-client "BORG_PASSPHRASE=\$(cat) borg --rsh 'ssh -o StrictHostKeyChecking=no' init --encryption repokey ssh://borgs@borg-server/~/repo"`` + + Issue *borg init* command to be executed at *borg-client*. + + *'complicated & long'* is the password used for encrypt the key of new repository. The password passed via stdin, + not as command line argument, therefore it can't be stolen via examination of process list. -*ssh -A borgc@borg-client "borg init -e none --rsh 'ssh -o StrictHostKeyChecking=no' borgs@borg-server:repo"* + *ssh://borgs@borg-server/~/repo* is reference to repository *repo* located at borgs's home directory. - Issue *borg init -e none borgs@borg-server:repo* command to be executed at *borg-client*. - *StrictHostKeyChecking=no* used for automatically adding host key of - *borg-server* to *borgc@borg-client:~/.ssh/known_hosts* without user intervention. + *StrictHostKeyChecking=no* used for automatically adding host keys to *~/.ssh/known_hosts* without user intervention. -*kill "${SSH_AGENT_PID}"* +``kill "${SSH_AGENT_PID}"`` Kill ssh-agent with loaded keys as it not needed anymore. From 5de0620e798af2c6a29088d7cffaf916e8b1fb0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9A=D0=BE=D1=80=D0=BE=D0=BB=D1=8C=20=D0=90=D0=BB=D0=B5?= =?UTF-8?q?=D0=BA=D1=81=D0=B5=D0=B9?= Date: Thu, 20 Aug 2020 14:20:33 +0300 Subject: [PATCH 3/6] Fix ssh-agent pull backup method doc --- docs/deployment/pull-backup.rst | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
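Review bot: PATCH 2/6, hunk @@ -319,48 +318,84 @@: the explanation of the passphrase claims it "can't be stolen via examination of process list", but `BORG_PASSPHRASE=\$(cat)` places it in the environment of the borg process on borg-client, the host this very hunk declares untrusted, and the repository key is generated there as well. Suggest stating only that the passphrase is kept off the command line and adding that a compromised client can still read it. In the forced command, `--restrict-to-path ~/repo` is a path-prefix restriction; if a single repository is intended, `--restrict-to-repo` is the tighter option, and the explanation text should match whichever is used. `chmod go-w ~/.ssh/authorized_keys` leaves the file group- and world-readable; `chmod 600` is the usual choice. A literal passphrase `'complicated & long'` in the example also invites copy-paste; a placeholder is safer.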
diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 3288c32c93..350e692485 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst @@ -340,6 +340,10 @@ Do this once for each client on *borg-server* for allowing *borgs* to connect it Create RSA key dedicated to communication with borg-client. +.. note:: + Another more complex approach is using an unique RSA key for each pull operation. + This have to be more secure as it garanties that the key will not be used to access anywhere else. + ``{ echo -n 'command="borg serve --append-only --restrict-to-path ~/repo",restrict '; cat ~/.ssh/borg-client_rsa.pub; } >> ~/.ssh/authorized_keys`` Add borg-client's public key record to ~/.ssh/authorized_keys with force command and restrictions. @@ -350,16 +354,15 @@ Do this once for each client on *borg-server* for allowing *borgs* to connect it Fix permissions of ~/.ssh/authorized_keys. - Pull operation -~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~ Execute borg command (init repo in this example) on *borg-server*:: borgs@borg-server$ ( eval $(ssh-agent) > /dev/null ssh-add -q ~/.ssh/borg-client_rsa - echo 'complicated & long' | \ + echo 'your secure borg key passphrase' | \ ssh -A -o StrictHostKeyChecking=no borgc@borg-client "BORG_PASSPHRASE=\$(cat) borg --rsh 'ssh -o StrictHostKeyChecking=no' init --encryption repokey ssh://borgs@borg-server/~/repo" kill "${SSH_AGENT_PID}" ) @@ -376,6 +379,7 @@ Parentheses not needed in case of using dedicated bash process. Load SSH private key dedicated to communication with borg-client to SSH agent. Look at ``man 1 ssh-add`` for more detailed explanation. +.. note:: Care needs to be taken when loading key to SSH agent. Users on the *borg-client* having read/write permissions to agent's UNIX-domain socket (at least borgc and root in our case) can access the agent on *borg-server* through the forwarded connection and use loaded keys for authenticate using the identities loaded into the agent 
@@ -385,13 +389,10 @@ Parentheses not needed in case of using dedicated bash process. * The keys meant to be loaded to agent must be specified explicitly, not from default locations. * The *borg-client*'s public key record at *borgs@borg-server:~/.ssh/authorized_keys* must be as restrictive as possible. -``echo 'complicated & long' | ssh -A -o StrictHostKeyChecking=no borgc@borg-client "BORG_PASSPHRASE=\$(cat) borg --rsh 'ssh -o StrictHostKeyChecking=no' init --encryption repokey ssh://borgs@borg-server/~/repo"`` +``echo 'your secure borg key passphrase' | ssh -A -o StrictHostKeyChecking=no borgc@borg-client "BORG_PASSPHRASE=\$(cat) borg --rsh 'ssh -o StrictHostKeyChecking=no' init --encryption repokey ssh://borgs@borg-server/~/repo"`` Issue *borg init* command to be executed at *borg-client*. - *'complicated & long'* is the password used for encrypt the key of new repository. The password passed via stdin, - not as command line argument, therefore it can't be stolen via examination of process list. - *ssh://borgs@borg-server/~/repo* is reference to repository *repo* located at borgs's home directory. *StrictHostKeyChecking=no* used for automatically adding host keys to *~/.ssh/known_hosts* without user intervention. From ceefa79eb49e029ea4850e57d324efda61204c99 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Tue, 22 Sep 2020 15:15:42 +0200 Subject: [PATCH 4/6] some grammar / typo fixes --- docs/deployment/pull-backup.rst | 78 ++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 36 deletions(-) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 350e692485..5e0ce191a9 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
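Review bot: PATCH 3/6, hunk @@ -340,6 +340,10 @@: the added note on using a unique key per pull operation only delivers the stated guarantee if the matching authorized_keys entry on borg-server is removed after each operation; say so, otherwise entries accumulate and each one stays usable. Also "garanties" should be "guarantees" and "This have to be more secure" should read "This is more secure".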
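Review bot: PATCH 3/6, hunk @@ -385,13 +389,10 @@: removing the two sentences about the passphrase leaves the leading `echo ... |` pipe and `BORG_PASSPHRASE=\$(cat)` unexplained in the command walkthrough. Keep one sentence saying the passphrase is read from stdin so it does not appear on the command line, with the caveat that the client side can still read it from the borg process environment.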
@@ -305,27 +305,32 @@ create`` command is done. ssh-agent ========= -In this scenario *borg-server* initiate SSH connection to *borg-client* with forwarding of the authentication agent connection. -Afterwards scenario is similar to the push mode: *borg-client* initiate another SSH connection -back to *borg-server* using forwarded agent connection for authenticate itself, -starts ``borg serve`` and communicate with them. +In this scenario *borg-server* initiates an SSH connection to *borg-client* and forwards the authentication +agent connection. -Using of this method requires ssh access of user *borgs* to *borgc@borg-client*. Where: +After that, it works similar to the push mode: +*borg-client* initiates another SSH connection back to *borg-server* using the forwarded authentication agent +connection to authenticate itself, starts ``borg serve`` and communicates with it. + +Using this method requires ssh access of user *borgs* to *borgc@borg-client*, where: * *borgs* is the user on the server side with read/write access to local borg repository. * *borgc* is the user on the client side with read access to files meant to be backed up. -Apply of this method in case of automated backup operations ------------------------------------------------------------ +Applying this method for automated backup operations +---------------------------------------------------- + +Assume that the borg-client host is untrusted. +Therefore we do some effort to prevent a hostile user on the borg-client side to do something harmful. +In case of a fully trusted borg-client the method could be simplified. -Assume that borg-client host is untrusted. -Therefore there is effort to prevent hostile user on borg-client side to do something harmful. -In case of fully trusted borg-client the method may be simplified. 
+Preparing the server side +~~~~~~~~~~~~~~~~~~~~~~~~~ -Prepare server side -~~~~~~~~~~~~~~~~~~~ +Do this once for each client on *borg-server* to allow *borgs* to connect itself on *borg-server* using a +dedicated ssh key: -Do this once for each client on *borg-server* for allowing *borgs* to connect itself on *borg-server* using dedicated RSA key:: +:: borgs@borg-server$ install -m 700 -d ~/.ssh/ borgs@borg-server$ ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_rsa 
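Review bot: PATCH 4/6, hunk @@ -305,27 +305,32 @@: style only, the new sentence "Therefore we do some effort to prevent a hostile user on the borg-client side to do something harmful" still reads awkwardly; suggest "Therefore we make some effort to prevent a hostile user on the borg-client side from doing something harmful." The rest of the rewording is an improvement.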
@@ -334,21 +339,22 @@ Do this once for each client on *borg-server* for allowing *borgs* to connect it ``install -m 700 -d ~/.ssh/`` - Create directory ~/.ssh with correct permissions if not exists yet. + Create directory ~/.ssh with correct permissions if it does not exist yet. ``ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_rsa`` - Create RSA key dedicated to communication with borg-client. + Create an ssh key dedicated to communication with borg-client. .. note:: - Another more complex approach is using an unique RSA key for each pull operation. - This have to be more secure as it garanties that the key will not be used to access anywhere else. + Another more complex approach is using a unique ssh key for each pull operation. + This is more secure as it guarantees that the key will not be used for other purposes. ``{ echo -n 'command="borg serve --append-only --restrict-to-path ~/repo",restrict '; cat ~/.ssh/borg-client_rsa.pub; } >> ~/.ssh/authorized_keys`` - Add borg-client's public key record to ~/.ssh/authorized_keys with force command and restrictions. - Client restricted to use specified repository path and to use only append operations. - The commands like *prune* and *compact* have to be executed another way, for example directly on *borg-server* side. + Add borg-client's ssh public key to ~/.ssh/authorized_keys with forced command and restricted mode. + The borg client is restricted to use a repo path below the specified path and to append-only operation. + Commands like *delete*, *prune* and *compact* have to be executed another way, for example directly on *borg-server* + side or from a privileged, less restricted client (using another authorized_keys entry). ``chmod go-w ~/.ssh/authorized_keys`` 
@@ -357,7 +363,7 @@ Do this once for each client on *borg-server* for allowing *borgs* to connect it Pull operation ~~~~~~~~~~~~~~ -Execute borg command (init repo in this example) on *borg-server*:: +Initiating borg command execution from *borg-server* (e.g. init):: borgs@borg-server$ ( eval $(ssh-agent) > /dev/null 
@@ -367,36 +373,36 @@ Execute borg command (init repo in this example) on *borg-server*:: kill "${SSH_AGENT_PID}" ) -Parentheses around commands are needed to exclude interferention with possibly already running ssh-agent. -Parentheses not needed in case of using dedicated bash process. +Parentheses around commands are needed to avoid interference with a possibly already running ssh-agent. +Parentheses are not needed when using a dedicated bash process. ``eval $(ssh-agent) > /dev/null`` - Run SSH agent in background and export related environment variables to current bash session. + Run the SSH agent in the background and export related environment variables to the current bash session. ``ssh-add -q ~/.ssh/borg-client_rsa`` - Load SSH private key dedicated to communication with borg-client to SSH agent. - Look at ``man 1 ssh-add`` for more detailed explanation. + Load the SSH private key dedicated to communication with the borg-client into the SSH agent. + Look at ``man 1 ssh-add`` for a more detailed explanation. .. note:: - Care needs to be taken when loading key to SSH agent. Users on the *borg-client* having read/write permissions to - agent's UNIX-domain socket (at least borgc and root in our case) can access the agent on *borg-server* through the - forwarded connection and use loaded keys for authenticate using the identities loaded into the agent + Care needs to be taken when loading keys into the SSH agent. Users on the *borg-client* having read/write permissions + to the agent's UNIX-domain socket (at least borgc and root in our case) can access the agent on *borg-server* through + the forwarded connection and can authenticate using any of the identities loaded into the agent (look at ``man 1 ssh`` for more detailed explanation). Therefore there are some security considerations: - * Private key loaded to agent must not be used to access anywhere else. - * The keys meant to be loaded to agent must be specified explicitly, not from default locations. 
- * The *borg-client*'s public key record at *borgs@borg-server:~/.ssh/authorized_keys* must be as restrictive as possible. + * Private keys loaded into the agent must not be used to enable access anywhere else. + * The keys meant to be loaded into the agent must be specified explicitly, not from default locations. + * The *borg-client*'s entry in *borgs@borg-server:~/.ssh/authorized_keys* must be as restrictive as possible. ``echo 'your secure borg key passphrase' | ssh -A -o StrictHostKeyChecking=no borgc@borg-client "BORG_PASSPHRASE=\$(cat) borg --rsh 'ssh -o StrictHostKeyChecking=no' init --encryption repokey ssh://borgs@borg-server/~/repo"`` - Issue *borg init* command to be executed at *borg-client*. + Run the *borg init* command on *borg-client*. - *ssh://borgs@borg-server/~/repo* is reference to repository *repo* located at borgs's home directory. + *ssh://borgs@borg-server/~/repo* refers to the repository *repo* within borgs's home directory on *borg-server*. - *StrictHostKeyChecking=no* used for automatically adding host keys to *~/.ssh/known_hosts* without user intervention. + *StrictHostKeyChecking=no* is used to automatically add host keys to *~/.ssh/known_hosts* without user intervention. ``kill "${SSH_AGENT_PID}"`` - Kill ssh-agent with loaded keys as it not needed anymore. + Kill ssh-agent with loaded keys when it is not needed anymore. From 9726b0c204070969ec0b8f048fc0ede13d743d18 Mon Sep 17 00:00:00 2001 From: "A. Korol" Date: Fri, 25 Sep 2020 18:49:19 +1000 Subject: [PATCH 5/6] Fix ssh-agent pull backup method doc --- docs/deployment/pull-backup.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 5e0ce191a9..97dcb4abd5 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
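Review bot: PATCH 4/6, hunk @@ -367,36 +373,36 @@: the reworded explanation still presents `StrictHostKeyChecking=no` purely as a convenience, while the note in the same hunk explains that whoever controls the forwarded agent socket can authenticate with any loaded identity; on the `ssh -A ... borgc@borg-client` leg, `no` also accepts a changed host key on an already-known host, so a host substitution would receive the forwarded agent. The stated goal, adding host keys "without user intervention", is equally met by `StrictHostKeyChecking=accept-new`, which adds unknown hosts but refuses changed keys; suggest using that in both ssh invocations, or pre-seeding `~/.ssh/known_hosts` on both hosts.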
@@ -333,15 +333,15 @@ dedicated ssh key: :: borgs@borg-server$ install -m 700 -d ~/.ssh/ - borgs@borg-server$ ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_rsa - borgs@borg-server$ { echo -n 'command="borg serve --append-only --restrict-to-path ~/repo",restrict '; cat ~/.ssh/borg-client_rsa.pub; } >> ~/.ssh/authorized_keys - borgs@borg-server$ chmod go-w ~/.ssh/authorized_keys + borgs@borg-server$ ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_key + borgs@borg-server$ { echo -n 'command="borg serve --append-only --restrict-to-repo ~/repo",restrict '; cat ~/.ssh/borg-client_key.pub; } >> ~/.ssh/authorized_keys + borgs@borg-server$ chmod 600 ~/.ssh/authorized_keys ``install -m 700 -d ~/.ssh/`` Create directory ~/.ssh with correct permissions if it does not exist yet. -``ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_rsa`` +``ssh-keygen -N '' -t rsa -f ~/.ssh/borg-client_key`` Create an ssh key dedicated to communication with borg-client. @@ -349,14 +349,14 @@ dedicated ssh key: Another more complex approach is using a unique ssh key for each pull operation. This is more secure as it guarantees that the key will not be used for other purposes. -``{ echo -n 'command="borg serve --append-only --restrict-to-path ~/repo",restrict '; cat ~/.ssh/borg-client_rsa.pub; } >> ~/.ssh/authorized_keys`` +``{ echo -n 'command="borg serve --append-only --restrict-to-repo ~/repo",restrict '; cat ~/.ssh/borg-client_key.pub; } >> ~/.ssh/authorized_keys`` Add borg-client's ssh public key to ~/.ssh/authorized_keys with forced command and restricted mode. The borg client is restricted to use a repo path below the specified path and to append-only operation. Commands like *delete*, *prune* and *compact* have to be executed another way, for example directly on *borg-server* side or from a privileged, less restricted client (using another authorized_keys entry). -``chmod go-w ~/.ssh/authorized_keys`` +``chmod 600 ~/.ssh/authorized_keys`` Fix permissions of ~/.ssh/authorized_keys. 
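Review bot: PATCH 5/6, hunk @@ -333,15 +333,15 @@: the key file is renamed from `borg-client_rsa` to `borg-client_key` while `ssh-keygen -N '' -t rsa` is kept; since the name no longer implies the key type, this is a good point to switch the example to `-t ed25519`. The change to `chmod 600 ~/.ssh/authorized_keys` resolves the earlier readability concern.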
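Review bot: PATCH 5/6, hunk @@ -349,14 +349,14 @@: the forced command now uses `--restrict-to-repo ~/repo`, but the unchanged explanation below it still says the client "is restricted to use a repo path below the specified path", which describes `--restrict-to-path`. Update that sentence in the same commit to say the client is restricted to the one repository at the specified path, so the text and the command do not disagree.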
@@ -367,7 +367,7 @@ Initiating borg command execution from *borg-server* (e.g. init):: borgs@borg-server$ ( eval $(ssh-agent) > /dev/null - ssh-add -q ~/.ssh/borg-client_rsa + ssh-add -q ~/.ssh/borg-client_key echo 'your secure borg key passphrase' | \ ssh -A -o StrictHostKeyChecking=no borgc@borg-client "BORG_PASSPHRASE=\$(cat) borg --rsh 'ssh -o StrictHostKeyChecking=no' init --encryption repokey ssh://borgs@borg-server/~/repo" kill "${SSH_AGENT_PID}" @@ -380,7 +380,7 @@ Parentheses are not needed when using a dedicated bash process. Run the SSH agent in the background and export related environment variables to the current bash session. -``ssh-add -q ~/.ssh/borg-client_rsa`` +``ssh-add -q ~/.ssh/borg-client_key`` Load the SSH private key dedicated to communication with the borg-client into the SSH agent. Look at ``man 1 ssh-add`` for a more detailed explanation. From 1953447489f5d83a0b5b0193d6b3c8b231a35c36 Mon Sep 17 00:00:00 2001 From: "A. Korol" Date: Fri, 25 Sep 2020 21:44:07 +1000 Subject: [PATCH 6/6] Fix ssh-agent pull backup method doc --- docs/deployment/pull-backup.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 97dcb4abd5..e738b59bac 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
@@ -352,7 +352,7 @@ dedicated ssh key: ``{ echo -n 'command="borg serve --append-only --restrict-to-repo ~/repo",restrict '; cat ~/.ssh/borg-client_key.pub; } >> ~/.ssh/authorized_keys`` Add borg-client's ssh public key to ~/.ssh/authorized_keys with forced command and restricted mode. - The borg client is restricted to use a repo path below the specified path and to append-only operation. + The borg client is restricted to use one repo at the specified path and to append-only operation. Commands like *delete*, *prune* and *compact* have to be executed another way, for example directly on *borg-server* side or from a privileged, less restricted client (using another authorized_keys entry).
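Review bot: PATCH 6/6, hunk @@ -352,7 +352,7 @@: this one-line wording fix corrects the explanation left stale by PATCH 5/6; squashing it into that commit would keep the series bisectable and avoid an intermediate state where the text contradicts the `--restrict-to-repo` option it describes.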