Remote access controls

When designing a backup plan, we must remember that if a malicious agent compromises your computer, it may be able to delete your backups too. To solve this issue bupstash supports access controls on remote repositories that can be configured on a per ssh key basis. To do this, we can utilize ssh force commands to restrict a backup client to only run an instance of bupstash serve that has limited permissions.

The following assumes you have a backup server with a user called backups that has openssh sshd running, and a client computer with an ssh client installed.

In an your sshd config file in your server add the line:

Match User backups
    ForceCommand "/bin/bupstash-put-force-command.sh"

Create /bin/bupstash-put-force-command.sh on your server:

$ echo 'exec bupstash serve --allow-put /home/backups/bupstash-backups' > bupstash-put-force-command.sh
$ sudo cp bupstash-put-force-command.sh /bin/bupstash-put-force-command.sh
$ sudo chown root:root /bin/bupstash-put-force-command.sh
$ sudo chmod +x /bin/bupstash-put-force-command.sh

Next add an ssh key you intend to use for backups to $SERVER/home/backups/.ssh/authorized_keys, such that the user sending backups can connect to the remote server using ssh key based login.

Now when the backups user attempts to run a backup via ssh they are only able to run the bupstash serve command with a hard coded set of permissions and repository path.

Now the client is only authorized to create new backups, but not list or remove them:

export BUPSTASH_REPOSITORY="ssh://backups@$SERVER/backups"
$ bupstash put ./files
...
$ bupstash list
server has disabled query and search for this client

The bupstash serve command also supports allowing fetching data, entry removal and garbage collection. With these options we can create a backup plan where clients can create new backups, and an administrator is able to cycle old backups from the secure machine.

Jump to