Remote access controls
When designing a backup plan, we must remember that if a malicious agent compromises your computer, it may be able to delete your backups too. To address this, bupstash supports access controls on remote repositories that can be configured on a per ssh key basis. To do this, we can use ssh forced commands to restrict a backup client to only running an instance of bupstash serve that has limited permissions.
The following assumes you have a backup server with a user called backups that has openssh sshd running, and a client computer with an ssh client installed.
In your sshd config file on your server, add the line:
Match User backups
Create /bin/bupstash-put-force-command.sh on your server:
$ echo 'exec bupstash serve --allow-put /home/backups/bupstash-backups' > bupstash-put-force-command.sh
$ sudo cp bupstash-put-force-command.sh /bin/bupstash-put-force-command.sh
$ sudo chown root:root /bin/bupstash-put-force-command.sh
$ sudo chmod +x /bin/bupstash-put-force-command.sh
Next add an ssh key you intend to use for backups to such that the user sending backups can connect to the remote server using ssh key based login.
Now when the backups user attempts to run a backup via ssh they are only able to run the bupstash serve command with a hard coded set of permissions and
Now the client is only authorized to create new backups, but not list or remove them:
$ bupstash put ./files
$ bupstash list
server has disabled query and search for this client
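The steps above, staged end to end as an added example (this is not code from the bupstash guide or project): one function renders the forced-command script with the page's --allow-put and repository path, another renders an sshd Match block for the backups user with the usual session hardening, and an audit helper checks that a forced-command script grants nothing beyond put. The extra sshd options (PermitTTY, X11Forwarding, AllowTcpForwarding, AllowAgentForwarding) are standard OpenSSH directives valid inside Match; the shebang line and the scratch directory are my additions, and the other --allow-* flag names the audit treats as "more than put" are assumed from the page's mention of fetching, removal and garbage collection.

```shell
#!/bin/sh
# Added example, not part of the bupstash documentation.
# Assumptions: repository path from the page; forced-command script path from
# the page; hardening options are standard sshd directives.
set -eu

REPO="/home/backups/bupstash-backups"

# Forced-command script: only --allow-put is granted, so a compromised client
# can add new snapshots but cannot fetch, list or delete existing ones.
render_force_command() {
    printf '%s\n' '#!/bin/sh' \
        "exec bupstash serve --allow-put $REPO"
}

# sshd_config fragment: every session for the backups user runs the forced
# command no matter what the client asked for, with no tty or forwarding.
render_sshd_match() {
    printf '%s\n' 'Match User backups' \
        '    ForceCommand /bin/bupstash-put-force-command.sh' \
        '    PermitTTY no' \
        '    X11Forwarding no' \
        '    AllowTcpForwarding no' \
        '    AllowAgentForwarding no'
}

# Audit helper: returns 0 when the script execs bupstash serve and the only
# --allow-* flag it passes is --allow-put; returns 1 otherwise. Any other
# --allow-* flag (assumed names such as --allow-remove or --allow-gc) fails.
force_command_is_put_only() {
    script="$1"
    grep -q '^exec bupstash serve ' "$script" || return 1
    grep -q -- '--allow-put' "$script" || return 1
    # Any --allow-* token that is not exactly --allow-put widens the grant.
    grep -o -- '--allow-[a-z]*' "$script" | grep -v -x -- '--allow-put' >/dev/null && return 1
    return 0
}

main() {
    stage=$(mktemp -d)
    render_force_command > "$stage/bupstash-put-force-command.sh"
    render_sshd_match > "$stage/sshd_backups.conf"
    if force_command_is_put_only "$stage/bupstash-put-force-command.sh"; then
        echo "forced command grants put only: ok"
    else
        echo "forced command grants more than put: refusing to install" >&2
        exit 1
    fi
    echo "staged files in $stage (review, then copy into place as root)"
}

main "$@"
```

Run it on the server to stage the two files in a scratch directory; the audit is the check worth keeping around, since the whole scheme rests on the forced command never gaining a wider set of --allow-* flags than intended.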
The bupstash serve command also supports allowing fetching data, entry removal and garbage collection. With these options we can create a backup plan where clients can create new backups, and an administrator is able to cycle old backups from the secure machine.