Date:      Thu, 8 Mar 2001 19:46:37 +0100 (CET)
From:      Attila Nagy <bra@fsn.hu>
To:        Mike Tancsa <mike@sentex.net>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: "write only" fs/files ?
Message-ID:  <Pine.BSO.4.33.0103081933260.11180-100000@k2.jozsef.kando.hu>
In-Reply-To: <5.0.2.1.0.20010308130831.03074aa0@marble.sentex.ca>

Hello,

> For UNIX users, rsync over ssh to a unique userID per server is one
> thought.  For Win32 boxes, some combo of samba perhaps through PTPTP.
There is rsync for Windows too. Or to be correct it is written for UNIX,
but somebody compiled it for Win32...
You can even use rsync over ssh with Windows (like with PuTTY's plink, or
something similar).

> This way if their box gets compromised after the backup, they don't
> have access to the data before it gets offloaded to tape.
If you choose to use rsync over ssh you can use the following method:

- use RSA (or DSA) keys to authenticate. Since you are going to do regular
backups this is the standard case, because in this way you won't have to
give passwords

- on the backup server place an authorized_keys file into the users' home:

~backupuser001/.ssh/authorized_keys(2 in the DSA case):

command="rsync --server -vlgtpr --delete . \
/datadir/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding, \
no-pty [key]

- on the client make an RSA (DSA) key with no password and do the backup
in this way:
# rsync --delete -va -e ssh / backupuser001@backupserver:/datadir/

- after everything works OK, place the above into cron or a user triggered
file and mail its output to anybody.

- on the backupserver make a backup of the backup :)
I mean copy all the files to another directory [tape], with a timestamp,
or anything, so you can make sure that the files couldn't be overwritten
maliciously.

You could use for the latter task UFS's coming snapshot function, but I
think it is wise to wait with that yet...

ps: if you need extra protection and manual backups, you can use password
protected keys, and/or you can authenticate with rsync too...

Hope this helps,
--------------------------------------------------------------------------
Attila Nagy                                    e-mail:  Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758
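
An added example, not part of the original message: a small audit that checks every entry in a backup user's authorized_keys for the forced command= and the four no-* options the post recommends. Beyond the post, it assumes modern key-type prefixes (ssh-, ecdsa-, sk-) and accepts the newer OpenSSH `restrict` option in place of the no-* set; the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries for the restrictions used in
# the post. Reads the files given as arguments, or stdin when none is given.
# Prints "LINE: missing ..." per weak entry; exit status 1 if any was found.
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        opts = ""
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {     # entry begins with an options field
            inq = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (c == "\\" && inq) { i++; continue }   # escaped char inside quotes
                if (c == "\"") inq = !inq
                else if ((c == " " || c == "\t") && !inq) break  # end of options
            }
            opts = substr(line, 1, i - 1)
        }
        # Blank out quoted values so text inside command="..." cannot satisfy a check.
        gsub(/"([^"\\]|\\.)*"/, "\"\"", opts)
        bare = "," tolower(opts) ","            # option names are case-insensitive
        missing = ""
        if (bare !~ /,command="",/) missing = missing " command="
        if (bare !~ /,restrict,/) {             # newer OpenSSH: restrict implies the no-* set
            n = split("no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty", want, " ")
            for (k = 1; k <= n; k++)
                if (index(bare, "," tolower(want[k]) ",") == 0) missing = missing " " want[k]
        }
        if (missing != "") { printf "%d: missing%s\n", FNR, missing; bad = 1 }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample entries (placeholder key material, hypothetical users).
audit_authorized_keys <<'EOF' || echo "weak entries found"
command="rsync --server -vlgtpr --delete . /datadir/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAconstructed backupuser001
ssh-rsa AAAAconstructed backupuser002
EOF
```

In the real file each entry has to sit on a single line with no spaces between the options, as in the sample above; the post wraps its entry only to fit the mail.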

