Applying SSH Restrictions

Now that we've given the backup machine full access to the target machine lets add a little access control. Luckily ssh provides us with some good mechanisms. Thankfully Brian Hatch has written some good articles too.

Step 1: grab the perl script [=authprogs] from http://www.hackinglinuxexposed.com/tools/authprogs/src/ and install it in [=/usr/local/bin] with execute permissions.

Step 2: Change the [=authorized_keys] file to look something like:

  no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="backup",
  command="/usr/local/bin/authprogs" ssh-rsa AAAAB3NzaC1yc2EAAAABIw...

Step 3: Create a [=.ssh/authprogs.conf] file like:

 [ backup ]
       rsync --server --sender -vlHogDtprx --numeric-ids . /

[=/] was the [=Tree] in the vault configuration file.

Depending what options you put in your dirvish configuration files this command may alter. If it does not work the [=.ssh/authprogs.log] will show you what command was attempted to be executed. Once you know this just alter your [=.ssh/authprogs.conf] appropriately.

Multiple commands are allowed here. See the [Hacking Linux Exposed Articles http://www.hackinglinuxexposed.com/articles/20030115.html] for details.

Step 4: feel happy that only a backup can be performed from your backup server and not unrestricted access to your target machine.

Repeat this procedure for each host you wish to access over the network using the ssh transport, the default used with Dirvish.

Designed to be read in conjunction with the Transport Section

Dirvish guide.

Note: If you are going to be using pre/post-client scripts, and limiting them with authprogs, authprogs will reject the command every time because of the environment variables that Dirvish includes in every command. You can apply the following patch to authprogs to remove the environment variables prior to comparing the command. Also note that pre-client scripts usually include a "cd /<tree>; " prior to whatever command you're running, so include that in your authprogs.conf line (check authprogs.log)

 171a172,177
 >       # Remove Dirvish environment variables from the command
 >       # 2007-10-19: Roberto Mello (http://blog.divisiblebyfour.org/)
 > 
 >       my $NO_DIRVISH_CLIENT_COMMAND = $CLIENT_COMMAND;
 >       $NO_DIRVISH_CLIENT_COMMAND =~ s/(DIRVISH_[^=]+=[^\s]+ )*//g;
 > 
 186a193
 >       log 4, " Dirvish-less Client command:  $NO_DIRVISH_CLIENT_COMMAND\n";
 188c195
 <       if ( $allowed_command_sans_quotes eq $CLIENT_COMMAND ) {
 ---
 >       if (( $allowed_command_sans_quotes eq $CLIENT_COMMAND ) or ( $allowed_command_sans_quotes eq $NO_DIRVISH_CLIENT_COMMAND )) {

ApplyingSSHRestrictions (last edited 2011-01-24 02:52:38 by pool-72-90-106-232)