forked from 0k/0k-charms
Browse Source
new: [rsync-backup-target] allow dynamic management of backup keys
new: [rsync-backup-target] allow dynamic management of backup keys
Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>pull/1/head
Valentin Lab
4 years ago
10 changed files with 337 additions and 21 deletions
-
84rsync-backup-target/README.org
-
13rsync-backup-target/build/entrypoint.sh
-
1rsync-backup-target/build/src/etc/sudoers.d/rsync
-
79rsync-backup-target/build/src/usr/local/sbin/ssh-admin-cmd-validate
-
108rsync-backup-target/build/src/usr/local/sbin/ssh-key
-
41rsync-backup-target/build/src/usr/local/sbin/ssh-update-keys
-
11rsync-backup-target/hooks/init
-
16rsync-backup-target/hooks/log_rotate-relation-joined
-
1rsync-backup-target/metadata.yml
-
4rsync-backup-target/resources/bin/compose-add-rsync-key
@ -0,0 +1,84 @@ |
|||
#+PROPERTY: Effort_ALL 0 0:30 1:00 2:00 0.5d 1d 1.5d 2d 3d 4d 5d |
|||
#+PROPERTY: Max_effort_ALL 0 0:30 1:00 2:00 0.5d 1d 1.5d 2d 3d 4d 5d |
|||
#+PROPERTY: header-args:python :var filename=(buffer-file-name) |
|||
#+PROPERTY: header-args:sh :var filename=(buffer-file-name) |
|||
#+TODO: TODO WIP BLOCKED | DONE CANCELED |
|||
#+LATEX_HEADER: \usepackage[margin=0.5in]{geometry} |
|||
#+LaTeX_HEADER: \hypersetup{linktoc = all, colorlinks = true, urlcolor = DodgerBlue4, citecolor = PaleGreen1, linkcolor = blue} |
|||
#+LaTeX_CLASS: article |
|||
#+OPTIONS: H:8 ^:nil prop:("Effort" "Max_effort") tags:not-in-toc |
|||
#+COLUMNS: %50ITEM %Effort(Min Effort) %Max_effort(Max Effort) |
|||
|
|||
#+TITLE: rsync-backup-target |
|||
|
|||
#+LATEX: \pagebreak |
|||
|
|||
Usage of this service |
|||
|
|||
#+LATEX: \pagebreak |
|||
|
|||
#+LATEX: \pagebreak |
|||
|
|||
|
|||
* Configuration example |
|||
|
|||
|
|||
#+begin_src yaml |
|||
rsync-backup-target: |
|||
# docker-compose: |
|||
# ports: |
|||
# - "10023:22" |
|||
options: |
|||
admin: ## These keys are for the allowed rsync-backup to write stuff with rsync |
|||
myadmin: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDESdz8bWtVcDQJ68IE/KpuZM9tAq\ |
|||
ZDXGbvEVnTg16/yWqBGQg0QZdDjISsPn7D3Zr64g2qgD9n7EZghfGP9TkitvfrBYx8p\ |
|||
7JkkUyt8nxklwOlKZFD5b3PF2bHloSsmjnP8ZMp5Ar7E+tn1guGrCrTcFIebpVGR3qF\ |
|||
hRN9AlWNR+ekWo88ZlLJIrqD26jbWRJZm4nPCgqwhJwfHE3aVwfWGOqjSp4ij+jr2ac\ |
|||
Arg7eD4clBPYIqKlqbfNRD5MFAH9sbB6jkebQCAUwNRwV7pKwCEt79HnCMoMjnZh6Ww\ |
|||
6TlHIFw936C2ZiTBuofMx7yoAeqpifyzz/T5wsFLYWwSnX rsync@zen" |
|||
#+end_src |
|||
|
|||
** Adding new keys for backup |
|||
|
|||
This can be done through the admin accounts configured in =compose.yml=. |
|||
|
|||
You can use then =ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key=: |
|||
|
|||
#+begin_example |
|||
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls |
|||
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key add "ssh-rsa AAA...Jdhwhv rsync@sourcelabel" |
|||
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls |
|||
..Jdhwhv sourcelabel |
|||
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key rm sourcelabel |
|||
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls |
|||
$ |
|||
#+end_example |
|||
|
|||
|
|||
* Troubleshooting |
|||
|
|||
** Faking access from client |
|||
|
|||
This should work: |
|||
|
|||
#+begin_src sh |
|||
RSYNC_BACKUP_TARGET_IP=172.18.0.2 |
|||
rsync -azvA -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \ |
|||
/tmp/toto "$RSYNC_BACKUP_TARGET":/var/mirror/client1 |
|||
#+end_src |
|||
|
|||
** Direct ssh access should be refused |
|||
|
|||
#+begin_src sh |
|||
RSYNC_BACKUP_TARGET_IP=172.18.0.2 |
|||
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \ |
|||
"$RSYNC_BACKUP_TARGET" |
|||
#+end_src |
|||
|
|||
** Wrong directory should be refused |
|||
|
|||
#+begin_src sh |
|||
RSYNC_BACKUP_TARGET_IP=172.18.0.2 |
|||
rsync -azvA -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \ |
|||
/tmp/toto "$RSYNC_BACKUP_TARGET":/var/mirror/client2 |
|||
#+end_src |
@ -0,0 +1,79 @@ |
|||
#!/bin/bash |
|||
|
|||
## Note that the shebang is not used, but it's the login shell that |
|||
## will execute this command. |
|||
|
|||
exname=$(basename "$0") |
|||
|
|||
mkdir -p /var/log/rsync |
|||
|
|||
LOG="/var/log/rsync/$exname.log" |
|||
|
|||
|
|||
ssh_connection=(${SSH_CONNECTION}) |
|||
SSH_SOURCE_IP="${ssh_connection[0]}:${ssh_connection[1]}" |
|||
|
|||
log() { |
|||
printf "%s [%s] %s - %s\n" \ |
|||
"$(date --rfc-3339=seconds)" "$$" "$SSH_SOURCE_IP" "$*" \ |
|||
>> "$LOG" |
|||
} |
|||
|
|||
log "NEW ADMIN CONNECTION" |
|||
|
|||
reject() { |
|||
log "REJECTED: $SSH_ORIGINAL_COMMAND" |
|||
# echo "ORIG: $SSH_ORIGINAL_COMMAND" >&2 |
|||
echo "Your command has been rejected and reported to sys admin." >&2 |
|||
exit 1 |
|||
} |
|||
|
|||
|
|||
if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then |
|||
log "BAD CHARS DETECTED" |
|||
# echo "Bad chars: $SSH_ORIGINAL_COMMAND" >&2 |
|||
reject |
|||
fi |
|||
|
|||
if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"ssh-key add ssh-rsa "[a-zA-Z0-9/+]+" "[a-zA-Z0-9._-]+"@"[a-zA-Z0-9._-]+""$ ]]; then |
|||
log "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
|||
|
|||
## Interpret \ to allow passing spaces (want to avoid possible issue with \n) |
|||
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" |
|||
ssh_args=(${SSH_ORIGINAL_COMMAND}) |
|||
|
|||
# echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2 |
|||
exec sudo /usr/local/sbin/ssh-key "${ssh_args[@]:1}" |
|||
elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"ssh-key ls"$ ]]; then |
|||
log "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
|||
|
|||
## Interpret \ to allow passing spaces (want to avoid possible issue with \n) |
|||
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" |
|||
ssh_args=(${SSH_ORIGINAL_COMMAND}) |
|||
|
|||
# echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2 |
|||
exec /usr/local/sbin/ssh-key "${ssh_args[@]:1}" |
|||
elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"ssh-key rm "[a-zA-Z0-9._-]+$ ]]; then |
|||
log "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
|||
|
|||
## Interpret \ to allow passing spaces (want to avoid possible issue with \n) |
|||
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" |
|||
ssh_args=(${SSH_ORIGINAL_COMMAND}) |
|||
|
|||
# echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2 |
|||
exec sudo /usr/local/sbin/ssh-key "${ssh_args[@]:1}" |
|||
else |
|||
|
|||
log "NOT MATCHING ANY ALLOWED COMMAND" |
|||
reject |
|||
fi |
|||
|
|||
## For other commands, like `find` or `md5`, that could be used to |
|||
## challenge the backups and check that archive is actually |
|||
## functional, I would suggest to write a simple command that takes no |
|||
## arguments, so as to prevent allowing wildcards or suspicious |
|||
## contents. Letting `find` go through is dangerous for instance |
|||
## because of the `-exec`. And path traversal can be done also when |
|||
## allowing /my/path/* by using '..'. This is why a fixed purpose |
|||
## embedded executable will be much simpler to handle, and to be honest |
|||
## we don't need much more. |
@ -0,0 +1,108 @@ |
|||
#!/bin/bash |
|||
|
|||
RSYNC_KEY_PATH=/etc/rsync/keys |
|||
|
|||
|
|||
ANSI_ESC=$'\e[' |
|||
|
|||
NORMAL="${ANSI_ESC}0m" |
|||
|
|||
GRAY="${ANSI_ESC}1;30m" |
|||
RED="${ANSI_ESC}1;31m" |
|||
GREEN="${ANSI_ESC}1;32m" |
|||
YELLOW="${ANSI_ESC}1;33m" |
|||
BLUE="${ANSI_ESC}1;34m" |
|||
PINK="${ANSI_ESC}1;35m" |
|||
CYAN="${ANSI_ESC}1;36m" |
|||
WHITE="${ANSI_ESC}1;37m" |
|||
|
|||
DARKGRAY="${ANSI_ESC}0;30m" |
|||
DARKRED="${ANSI_ESC}0;31m" |
|||
DARKGREEN="${ANSI_ESC}0;32m" |
|||
DARKYELLOW="${ANSI_ESC}0;33m" |
|||
DARKBLUE="${ANSI_ESC}0;34m" |
|||
DARKPINK="${ANSI_ESC}0;35m" |
|||
DARKCYAN="${ANSI_ESC}0;36m" |
|||
DARKWHITE="${ANSI_ESC}0;37m" |
|||
|
|||
|
|||
ssh-key-ls() { |
|||
local f content |
|||
for f in "${RSYNC_KEY_PATH}"/backup/*.pub; do |
|||
[ -e "$f" ] || continue |
|||
ident=${f##*/} |
|||
ident=${ident%.pub} |
|||
content=$(cat "$f") |
|||
key=${content#* } |
|||
key=${key% *} |
|||
printf "${DARKGRAY}..${NORMAL}%24s ${DARKCYAN}%s${NORMAL}\n" "${key: -24}" "$ident" |
|||
done |
|||
} |
|||
|
|||
|
|||
ssh-key-rm() { |
|||
local ident="$1" delete |
|||
|
|||
delete="${RSYNC_KEY_PATH}/backup/$ident.pub" |
|||
if ! [ -e "$delete" ]; then |
|||
echo "Error: key '$ident' not found." >&2 |
|||
return 1 |
|||
fi |
|||
rm "$delete" |
|||
|
|||
/usr/local/sbin/ssh-update-keys |
|||
} |
|||
|
|||
|
|||
ssh-key-add() { |
|||
local type="$1" key="$2" email="$3" |
|||
|
|||
[ "$1" == "ssh-rsa" ] || { |
|||
echo "Error: expecting ssh-rsa key type" >&2 |
|||
return 1 |
|||
} |
|||
|
|||
## ident are unique by construction (they are struct keys) |
|||
## but keys need to be also unique |
|||
declare -A keys |
|||
mkdir -p "${RSYNC_KEY_PATH}/backup" |
|||
content="$type $key $email" |
|||
ident="${email##*@}" |
|||
target="${RSYNC_KEY_PATH}/backup/$ident.pub" |
|||
if [ -e "$target" ]; then |
|||
old_content=$(cat "$target") |
|||
if [ "$content" == "$old_content" ]; then |
|||
echo "Provided key already present for '$ident'." >&2 |
|||
return 0 |
|||
fi |
|||
echo "Replacing key for '$ident'." >&2 |
|||
fi |
|||
echo "$content" > "$target" |
|||
|
|||
/usr/local/sbin/ssh-update-keys |
|||
} |
|||
|
|||
|
|||
|
|||
|
|||
case "$1" in |
|||
"add") |
|||
shift |
|||
ssh-key-add "$@" |
|||
;; |
|||
"rm") |
|||
shift |
|||
ssh-key-rm "$@" |
|||
;; |
|||
"ls") |
|||
shift |
|||
ssh-key-ls "$@" |
|||
;; |
|||
*) |
|||
echo "Unknown command '$1'." |
|||
;; |
|||
esac |
|||
|
|||
|
|||
|
|||
|
@ -0,0 +1,41 @@ |
|||
#!/bin/bash |
|||
|
|||
|
|||
## |
|||
## code |
|||
## |
|||
|
|||
KEYS=/etc/rsync/keys |
|||
RSYNC_HOME=/var/lib/rsync |
|||
|
|||
mkdir -p "$RSYNC_HOME/.ssh" |
|||
|
|||
## |
|||
## New |
|||
## |
|||
|
|||
touch "$RSYNC_HOME"/.ssh/authorized_keys.new |
|||
|
|||
for f in "$KEYS"/backup/*.pub; do |
|||
[ -e "$f" ] || continue |
|||
content=$(cat "$f") |
|||
ident="${f##*/}" |
|||
ident="${ident%.pub}" |
|||
if ! [[ "$ident" =~ ^[a-zA-Z0-9._-]+$ ]]; then |
|||
echo "bad: '$ident'" >&2 |
|||
continue |
|||
fi |
|||
echo "command=\"/usr/local/sbin/ssh-cmd-validate \\\"$ident\\\"\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $content" |
|||
done >> "$RSYNC_HOME"/.ssh/authorized_keys.new |
|||
|
|||
for f in "$KEYS"/admin/*.pub; do |
|||
[ -e "$f" ] || continue |
|||
content=$(cat "$f") |
|||
echo "command=\"/usr/local/sbin/ssh-admin-cmd-validate\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $content" |
|||
done >> "$RSYNC_HOME"/.ssh/authorized_keys.new |
|||
|
|||
mv "$RSYNC_HOME"/.ssh/authorized_keys{,.old} |
|||
mv "$RSYNC_HOME"/.ssh/authorized_keys{.new,} |
|||
|
|||
chown rsync:rsync -R "$RSYNC_HOME"/.ssh -R |
|||
|
Write
Preview
Loading…
Cancel
Save
Reference in new issue