Remote access controls
When designing a backup plan, we must remember that if a malicious agent compromises your computer,
it may be able to delete your backups too. To solve this issue bupstash supports access controls on remote repositories
that can be configured on a per ssh key basis. To do this, we can utilize ssh force commands to restrict a backup client to
only run an instance of bupstash serve
that has limited permissions.
The following assumes you have a backup server with a user called backups
that has openssh sshd running,
and a client computer with an ssh client installed.
In an your sshd config file in your server add the line:
Match User backups
ForceCommand "/bin/bupstash-put-force-command.sh"
Create /bin/bupstash-put-force-command.sh on your server:
$ echo 'exec bupstash serve --allow-put /home/backups/bupstash-backups' > bupstash-put-force-command.sh
$ sudo cp bupstash-put-force-command.sh /bin/bupstash-put-force-command.sh
$ sudo chown root:root /bin/bupstash-put-force-command.sh
$ sudo chmod +x /bin/bupstash-put-force-command.sh
Next add an ssh key you intend to use for backups to $SERVER/home/backups/.ssh/authorized_keys
,
such that the user sending backups can connect to the remote server using ssh key based login.
Now when the backups user attempts to run a backup via ssh they are only able to
run the bupstash serve command with a hard coded set of permissions and
repository path.
Now the client is only authorized to create new backups, but not list or remove them:
export BUPSTASH_REPOSITORY="ssh://backups@$SERVER/backups"
$ bupstash put ./files
...
$ bupstash list
server has disabled query and search for this client
The bupstash serve
command also supports allowing fetching data, entry removal and garbage collection. With these
options we can create a backup plan where clients can create new backups, and an administrator is able to cycle old backups
from the secure machine.