Are there some recommended restrictions to be applied to ssh public keys on borg servers?

borgbackup / borg

Deduplicating archiver with compression and authenticated encryption.

https://www.borgbackup.org/

Other

10.97k stars 741 forks source link

Are there some recommended restrictions to be applied to ssh public keys on borg servers? #4946

Closed vonHabsi closed 4 years ago

vonHabsi commented 4 years ago

A number of server utilities which use SSH apply to some restrictions to the ssh public keys of clients. Gitolite for instances uses command="/usr/bin/gitolite/src/gitolite-shell username",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty.

Do you have some similar recommendations for borg, on both server and client?

Are there some general server hardening guides for borg servers?

infectormp commented 4 years ago

Look at the docs here https://borgbackup.readthedocs.io/en/stable/usage/serve.html and here https://borgbackup.readthedocs.io/en/stable/deployment/hosting-repositories.html

enkore commented 4 years ago

The docs linked above recommend "restrict", which is easy to overlook. It includes all of the above restrictions (and any added in the future).

restrict Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and exe‐ cution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be in‐ cluded in this set.