calestyo
commented
1 year ago I hadn't seen that this already exists with ssh_filter_btrbk.sh... π
Wasn't mentioned in the manpages... so I noticed only now. π
Thus closing.
Closed calestyo closed 1 year ago
calestyo
commented
1 year ago I hadn't seen that this already exists with ssh_filter_btrbk.sh... π
Wasn't mentioned in the manpages... so I noticed only now. π
Thus closing.
PrplHaz4
commented
1 year ago I hadn't seen that this already exists with
ssh_filter_btrbk.sh... πWasn't mentioned in the manpages... so I noticed only now. π
Thus closing.
Linking instructions here for posterity: https://github.com/digint/btrbk#restrict-commands-with-ssh_filter_btrbksh-optional
Hey.
A nice idea for hardening would be if there was a supported command wrapper script for the remote side.
The
authorized_keysfile would then read something like:regardless of what the accessing remote side would (try to) execute as command... it would be that command that was executed.
The
btrbk-ssh-command-warpperwould in turn call the the right remote command (e.g.btrfs receive)... of course it must do this carefully in order not to allow code injection (e.g. when it's a shell script).Now obviously some information would need to be passed from
btrbkto that wrapper, e.g. the path of the remote subvolume, or whether this issend-receiveorrawmode, etc..These could be passed via environment variables, which
sshdwould need to accept (viaAcceptEnv).A good protection, would however require more, namely, that the remote side itself can specify what is allowed to be done.
This could IMO be done via command line parameters to the
btrbk-ssh-command-warpperin theauthorized_keysfile, e.g.The
--receive-onlywould forbid to callbtrfs sendor any other commands thanbtrfs receiveon the remote side, preventing that a rogue server could fetch subvolumes from the remote side. The--receive-in /mnt/backups, would specify, that it must bes received in that path (perhaps multiple allowed)... I guess some prefix matching would need to be done there.The same could be done for the
btrfs send(when the server pulls from the remote side).Similar restrictions could be made for
rawmode.One could also fold the
--receive-in path,--send-from pathand some similar option forrawmode in one option (--pathname), and then allow only one of--receive-only,--send-only... and if people want to do both per server, they'd need to use different ssh keys (and thus commands).Many more features could be added in the future, e.g. the wrapper having some option that denies
receivewhen the disk usage of the target location has exceeded some quota, or when e.g. the fs has less than 10% free space.Cheers, Chris.