Make sure that rsync is installed on the server:
apt install rsync
Create a backup user, for example backup1
:
useradd backup1 -m
ls -al /home/backup1/
Create a ssh key-pair for this user:
ssh-keygen -t ecdsa -P '' -q -f key1
ls -l key1*
cat key1
cat key1.pub
Add the public key to /home/backup1/.ssh/authorized_keys
:
mkdir -p /home/backup1/.ssh
chown backup1: /home/backup1/.ssh
chmod 700 /home/backup1/.ssh
cat key1.pub >> /home/backup1/.ssh/authorized_keys
chown backup1: /home/backup1/.ssh/authorized_keys
chmod 600 /home/backup1/.ssh/authorized_keys
ls -al /home/backup1/.ssh/
cat /home/backup1/.ssh/authorized_keys
Try to login with this key:
ssh -p 22 -i key1 backup1@localhost
You should be able to login without a password.
Try to copy something:
mkdir -p /home/backup1/test1
touch /home/backup1/test1/file1.txt
touch /home/backup1/test1/file2.txt
ls -al /home/backup1/test1
rsync -a -e "ssh -p 22 -i key1" backup1@localhost:~/test1 .
ls -al test1
Let’s find out the command that the client is sending to the server through SSH.
Let’s try the same rsync command again, with the added SSH switch -v
(verbose):
rsync -a -e "ssh -p 22 -i key1 -v" backup1@localhost:~/test1 .
Then let’s look for the debug line that says “Sending command”:
rsync -a -e "ssh -p 22 -i key1 -v" backup1@localhost:~/test1 . 2>&1 | grep "Sending command"
It should be something like this:
rsync --server --sender -logDtpre.iLsfxC . ~/test1
We can restrict the SSH key key1
to execute only this command and nothing else.
For this we need to add something like this before the public key on /home/backup1/.ssh/authorized_keys
:
command="rsync --server --sender -logDtpre.iLsfxC . ~/test1" ecdsa-sha2-nistp256 AAAAE2Vj....
To make it even more secure, we can also add the options no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding
. The file /home/backup1/.ssh/authorized_keys
now should look like this:
command="rsync --server --sender -logDtpre.iLsfxC . ~/test1",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMbMdR9uW4SMeinpVvr6UQZaFybkiVZxm2DRYxFlCuxHchpTMGR7U4gZGZwY4D5LQDDy1Py4TWSsEizda4LecgQ= root@server
Let’s check that now we cannot login with key1
anymore, but we can still use it to rsync
:
ssh -p 22 -i key1 backup1@localhost # should fail
rm -rf test1
rsync -a -e "ssh -p 22 -i key1" backup1@localhost:~/test1 .
ls -l test1
rm -rf test1
rsync -a -e "ssh -p 22 -i key1" backup1@localhost: .
ls -l test1
For convenience, we can combine the command and the key in a bash script that looks like this:
#!/bin/bash
server=127.0.0.1
port=22
rsync -a -e "ssh -p $port -i $0" backup1@${server}: .
exit 0
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGHMv+mlPZg/V6TmLADsfZcpMRcfxykJGzXAF65tuQ4AoAoGCCqGSM49
AwEHoUQDQgAExsx1H25bhIx6KelW+vpRBloXJuSJVnGbYNFjEWUK7EdyGlMwZHtT
iBkZnBjgPktAMPLU/LhNZKwSLN1rgt5yBA==
-----END EC PRIVATE KEY-----
Let’s try it:
chmod 700 backup1.sh
rm -rf test1/
./backup1.sh
ls -l test1/
Now we can move this script to the client (backup server), making sure to change
the variable server
with the IP of the server, and it should work.
To change the directory on the server that is being backed up, we should change it
on /home/backup1/.ssh/authorized_keys
(for example from ~/test1
to /var/backup
,
or anything else where the user backup1
has read access).
To backup a second directory we can create a second SSH key, append it to
/home/backup1/.ssh/authorized_keys
, and create a second backup script.