From 071cbeb18a74f15297e24d6310d9775cc80538c8 Mon Sep 17 00:00:00 2001 From: Valentin Lab Date: Thu, 13 May 2021 10:03:02 +0200 Subject: [PATCH] new: [rsync-backup-target] allow backup account to request a recovery key Signed-off-by: Valentin Lab --- rsync-backup-target/README.org | 22 +++++++++++++++++++ .../src/usr/local/sbin/request-recovery-key | 2 +- .../build/src/usr/local/sbin/ssh-cmd-validate | 4 ++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/rsync-backup-target/README.org b/rsync-backup-target/README.org index 1d3ef3b..bc8c629 100644 --- a/rsync-backup-target/README.org +++ b/rsync-backup-target/README.org @@ -39,6 +39,7 @@ rsync-backup-target: 6TlHIFw936C2ZiTBuofMx7yoAeqpifyzz/T5wsFLYWwSnX rsync@zen" #+end_src +* ssh API ** Adding new keys for backup This can be done through the admin accounts configured in =compose.yml=. @@ -57,6 +58,8 @@ $ ** Requesting a recover only key +*** as an admin + As an admin, by requesting a recover-only key on an ident that you own, you are allowed to read (and only read) the content of the given ident. This will allow you to give the credentials to any new host to @@ -73,6 +76,25 @@ $ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \ This key will expire after 15 mn of the last recovery. +*** as a standard backup account + +With a standard backup account, you can log on as =rsync= user and +request without any arguments a recovery key. Indeed, every standard +backup account is tied to one backup identifier only. So the recover +key received will be for this backup identifier only. + +You'll probably want to use the received key from another computer to +restore the backup for instance. + +#+begin_example +$ ssh rsync@$RSYNC_BACKUP_TARGET request-recovery-key > /tmp/private_key +$ chmod 500 /tmp/private_key +$ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \ + -azvArH --delete --delete-excluded \ + --partial --partial-dir .rsync-partial \ + --numeric-ids $RSYNC_BACKUP_TARGET:/var/mirror/myident/etc/ /tmp/etc +#+end_example + * Troubleshooting diff --git a/rsync-backup-target/build/src/usr/local/sbin/request-recovery-key b/rsync-backup-target/build/src/usr/local/sbin/request-recovery-key index 2a707ad..40df8df 100755 --- a/rsync-backup-target/build/src/usr/local/sbin/request-recovery-key +++ b/rsync-backup-target/build/src/usr/local/sbin/request-recovery-key @@ -50,7 +50,7 @@ request-recovery-key() { local label="$1" ident="$2" key public_key ## Admin should have claimed the ident with at least one backup key - if ! [ -e "${RSYNC_KEY_PATH}/backup/$label/$ident.pub" ]; then + if [ -n "$label" ] && ! [ -e "${RSYNC_KEY_PATH}/backup/$label/$ident.pub" ]; then echo "Error: Current admin '$label' has no ident '$ident' claimed." >&2 return 1 fi diff --git a/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate b/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate index 017ada9..8e05a2d 100755 --- a/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate +++ b/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate @@ -77,6 +77,10 @@ elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server --sender -"[vnloHgDtpArRzCei log "ACCEPTED RECOVER COMMAND: $SSH_ORIGINAL_COMMAND" exec sudo "${ssh_args[@]}" +elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"request-recovery-key"$ ]]; then + log "ACCEPTED RECOVERY KEY REQUEST: $SSH_ORIGINAL_COMMAND" + + exec sudo /usr/local/sbin/request-recovery-key "" "$ident" else log "REFUSED COMMAND AS IT DOESN'T MATCH ANY EXPECTED COMMAND" reject