Browse Source

new: [rsync-backup-target] allow backup account to request a recovery key

Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
upd-docker
Valentin Lab 4 years ago
parent
commit
071cbeb18a
  1. 22
      rsync-backup-target/README.org
  2. 2
      rsync-backup-target/build/src/usr/local/sbin/request-recovery-key
  3. 4
      rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate

22
rsync-backup-target/README.org

@ -39,6 +39,7 @@ rsync-backup-target:
6TlHIFw936C2ZiTBuofMx7yoAeqpifyzz/T5wsFLYWwSnX rsync@zen" 6TlHIFw936C2ZiTBuofMx7yoAeqpifyzz/T5wsFLYWwSnX rsync@zen"
#+end_src #+end_src
* ssh API
** Adding new keys for backup ** Adding new keys for backup
This can be done through the admin accounts configured in =compose.yml=. This can be done through the admin accounts configured in =compose.yml=.
@ -57,6 +58,8 @@ $
** Requesting a recover only key ** Requesting a recover only key
*** as an admin
As an admin, by requesting a recover-only key on an ident that you As an admin, by requesting a recover-only key on an ident that you
own, you are allowed to read (and only read) the content of the given own, you are allowed to read (and only read) the content of the given
ident. This will allow you to give the credentials to any new host to ident. This will allow you to give the credentials to any new host to
@ -73,6 +76,25 @@ $ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \
This key will expire after 15 mn of the last recovery. This key will expire after 15 mn of the last recovery.
*** as a standard backup account
With a standard backup account, you can log on as =rsync= user and
request without any arguments a recovery key. Indeed, every standard
backup account is tied to one backup identifier only. So the recover
key received will be for this backup identifier only.
You'll probably want to use the received key from another computer to
restore the backup for instance.
#+begin_example
$ ssh rsync@$RSYNC_BACKUP_TARGET request-recovery-key > /tmp/private_key
$ chmod 500 /tmp/private_key
$ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \
-azvArH --delete --delete-excluded \
--partial --partial-dir .rsync-partial \
--numeric-ids $RSYNC_BACKUP_TARGET:/var/mirror/myident/etc/ /tmp/etc
#+end_example
* Troubleshooting * Troubleshooting

2
rsync-backup-target/build/src/usr/local/sbin/request-recovery-key

@ -50,7 +50,7 @@ request-recovery-key() {
local label="$1" ident="$2" key public_key local label="$1" ident="$2" key public_key
## Admin should have claimed the ident with at least one backup key ## Admin should have claimed the ident with at least one backup key
if ! [ -e "${RSYNC_KEY_PATH}/backup/$label/$ident.pub" ]; then
if [ -n "$label" ] && ! [ -e "${RSYNC_KEY_PATH}/backup/$label/$ident.pub" ]; then
echo "Error: Current admin '$label' has no ident '$ident' claimed." >&2 echo "Error: Current admin '$label' has no ident '$ident' claimed." >&2
return 1 return 1
fi fi

4
rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate

@ -77,6 +77,10 @@ elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server --sender -"[vnloHgDtpArRzCei
log "ACCEPTED RECOVER COMMAND: $SSH_ORIGINAL_COMMAND" log "ACCEPTED RECOVER COMMAND: $SSH_ORIGINAL_COMMAND"
exec sudo "${ssh_args[@]}" exec sudo "${ssh_args[@]}"
elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"request-recovery-key"$ ]]; then
log "ACCEPTED RECOVERY KEY REQUEST: $SSH_ORIGINAL_COMMAND"
exec sudo /usr/local/sbin/request-recovery-key "" "$ident"
else else
log "REFUSED COMMAND AS IT DOESN'T MATCH ANY EXPECTED COMMAND" log "REFUSED COMMAND AS IT DOESN'T MATCH ANY EXPECTED COMMAND"
reject reject

Loading…
Cancel
Save