From 4216dfd12d041158b63dc6c7ecb843442e794e3e Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Sun, 2 Apr 2023 10:46:31 +0200 Subject: [PATCH 1/5] Describe performing pull-backups via ssh remote forwarding --- docs/deployment/pull-backup.rst | 58 +++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index ce593cdb7..bceb37ba8 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
@@ -422,3 +422,61 @@ Parentheses are not needed when using a dedicated bash process. ``kill "${SSH_AGENT_PID}"`` Kill ssh-agent with loaded keys when it is not needed anymore. + +Remote forwarding +================= + +The ssh client allows to create tunnels to forward local ports to a remote server and also to allow remote ports to +be forwarded to local ports.borg + +This remote forwarding can be used to allow remote backup clients to access the backup server even if the backup server +usually cannot be reached by the backup client. + +This can even be used in cases where neither the backup server can reach the backup client and the backup client cannot +reach the backup server, but some intermediate host can access both. + +A schematic approach is as follows + +:: + + Backup Server (backup@mybackup) Intermediate Machine (john@myinter) Backup Client (bob@myclient) + + 1. Establish SSH remote forwarding -----------> SSH listen on local port + + 2. Starting borg create establishes + 3. SSH forwards to intermediate machine <------- SSH connection to the local port + 4. Receives backup connection <------- and further on to backup server + via SSH + +So for the backup client the backup is done via SSH to a local port and for the backup server there is a normal backup +performed via ssh. + +In order to achieve this, the following commands can be used to create the remote port forwarding: + +1. On machine `myinter` + +``ssh bob@myclient -v -C -R 8022:myclient:22 -N`` + +This will listen for ssh-connections on port `8022` on `myclient`. + +2. On machine `myclient` + +``borg create -v --progress --stats ssh://backup@localhost:8022/home/backup/repos/dogado /`` + +Make sure to use port `8022` and `localhost` for the repository as this instructs borg on `myclient` to use the +remote forwarded ssh connection. + +SSH Keys +~~~~~~~~ + +If you want to automate backups when using this method, the ssh `known_hosts` and `authorized_keys` need to be set up +to allow connections. 
+ +Security Considerations +~~~~~~~~~~~~~~~~~~~~~~~ + +Opening up SSH access this way can pose a security risk as it effectively opens remote access to your +backup server on the client even if it is located outside of your company network. + +All the additional security considerations for borg should be applied, see :ref:`central-backup-server` for some additional +hints. From 8fab4e4152f1f410c966a2a6d7cca336b2305fbb Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Sun, 2 Apr 2023 11:03:32 +0200 Subject: [PATCH 2/5] Fix command and add more notes --- docs/deployment/pull-backup.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index bceb37ba8..607e29224 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst @@ -455,9 +455,12 @@ In order to achieve this, the following commands can be used to create the remot 1. On machine `myinter` -``ssh bob@myclient -v -C -R 8022:myclient:22 -N`` +``ssh bob@myclient -v -C -R 8022:mybackup:22 -N`` -This will listen for ssh-connections on port `8022` on `myclient`. +This will listen for ssh-connections on port `8022` on `myclient` and forward connections to port 22 on `mybackup`. + +You can also remove the need for machine `myinter` and create the port forwarding on the backup server directly by +using `localhost` instead of `mybackup` 2. On machine `myclient` From 6ab281875ea2a0e6650ed083bbbd9c5fe0adc61b Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Sun, 2 Apr 2023 11:05:31 +0200 Subject: [PATCH 3/5] Adjust repository path --- docs/deployment/pull-backup.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 607e29224..a84b9b3a9 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
@@ -464,7 +464,7 @@ using `localhost` instead of `mybackup` 2. On machine `myclient` -``borg create -v --progress --stats ssh://backup@localhost:8022/home/backup/repos/dogado /`` +``borg create -v --progress --stats ssh://backup@localhost:8022/home/backup/repos/myclient /`` Make sure to use port `8022` and `localhost` for the repository as this instructs borg on `myclient` to use the remote forwarded ssh connection. From d2ff0a3aabacdbbe6993bca9ffaa02ecf3c1447f Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Sun, 2 Apr 2023 11:15:21 +0200 Subject: [PATCH 4/5] Adjust description some more, use back-quotes properly, add some links --- docs/deployment/pull-backup.rst | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index a84b9b3a9..7ca0cde03 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst @@ -426,11 +426,11 @@ Parentheses are not needed when using a dedicated bash process. Remote forwarding ================= -The ssh client allows to create tunnels to forward local ports to a remote server and also to allow remote ports to -be forwarded to local ports.borg +The standard ssh client allows to create tunnels to forward local ports to a remote server (local forwarding) and also +to allow remote ports to be forwarded to local ports (remote forwarding). This remote forwarding can be used to allow remote backup clients to access the backup server even if the backup server -usually cannot be reached by the backup client. +cannot be reached by the backup client. This can even be used in cases where neither the backup server can reach the backup client and the backup client cannot reach the backup server, but some intermediate host can access both. 
@@ -443,7 +443,7 @@ A schematic approach is as follows 1. Establish SSH remote forwarding -----------> SSH listen on local port - 2. Starting borg create establishes + 2. Starting ``borg create`` establishes 3. SSH forwards to intermediate machine <------- SSH connection to the local port 4. Receives backup connection <------- and further on to backup server via SSH @@ -453,26 +453,26 @@ performed via ssh. In order to achieve this, the following commands can be used to create the remote port forwarding: -1. On machine `myinter` +1. On machine ``myinter`` ``ssh bob@myclient -v -C -R 8022:mybackup:22 -N`` -This will listen for ssh-connections on port `8022` on `myclient` and forward connections to port 22 on `mybackup`. +This will listen for ssh-connections on port ``8022`` on ``myclient`` and forward connections to port 22 on ``mybackup``. -You can also remove the need for machine `myinter` and create the port forwarding on the backup server directly by -using `localhost` instead of `mybackup` +You can also remove the need for machine ``myinter`` and create the port forwarding on the backup server directly by +using ``localhost`` instead of ``mybackup`` -2. On machine `myclient` +2. On machine ``myclient`` ``borg create -v --progress --stats ssh://backup@localhost:8022/home/backup/repos/myclient /`` -Make sure to use port `8022` and `localhost` for the repository as this instructs borg on `myclient` to use the +Make sure to use port ``8022`` and ``localhost`` for the repository as this instructs borg on ``myclient`` to use the remote forwarded ssh connection. SSH Keys ~~~~~~~~ -If you want to automate backups when using this method, the ssh `known_hosts` and `authorized_keys` need to be set up +If you want to automate backups when using this method, the ssh ``known_hosts`` and ``authorized_keys`` need to be set up to allow connections. Security Considerations 
@@ -483,3 +483,11 @@ backup server on the client even if it is located outside of your company networ All the additional security considerations for borg should be applied, see :ref:`central-backup-server` for some additional hints. + +More information +~~~~~~~~~~~~~~~~ + +See `remote forwarding`_ and the `ssh man page`_ for more information about remote forwarding. + + .. _remote forwarding: https://linuxize.com/post/how-to-setup-ssh-tunneling/ + .. _ssh man page: https://manpages.debian.org/testing/manpages-de/ssh.1.de.html From 753419d506c26782e567efd03c39ed21ac048dc1 Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Sun, 2 Apr 2023 22:58:37 +0200 Subject: [PATCH 5/5] Suggest to use forced command when using remote-fowarding via ssh --- docs/deployment/pull-backup.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index 7ca0cde03..a29ee8188 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst @@ -481,6 +481,17 @@ Security Considerations Opening up SSH access this way can pose a security risk as it effectively opens remote access to your backup server on the client even if it is located outside of your company network. +To reduce the chances of compromise, you should configure a forced command in ``authorized_keys`` to prevent +anyone from performing any other action on the backup server. + +This can be done e.g. by adding the following in ``$HOME/.ssh/authorized_keys`` on ``mybackup`` with proper +path and client-fqdn: + +:: + + command="cd /home/backup/repos/;borg serve --restrict-to-path /home/backup/repos/" + + All the additional security considerations for borg should be applied, see :ref:`central-backup-server` for some additional hints.
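Review bot: In the 1/5 hunk (@@ -422,3 +422,61 @@) the forwarding spec `-R 8022:myclient:22` points the tunnel back at the client itself rather than at the backup server, so a reader following this patch on its own would `borg create` against their own sshd; 2/5 corrects it to `-R 8022:mybackup:22`, and 4/5 removes the stray `ports.borg` typo and the author-specific repository name `dogado`, so the series would read better squashed into one commit that introduces the section in its final form. Independently of that, the documented command carries `-v` and `-C`; `-v` only produces debugging output, and `-C` compresses an ssh stream that already carries borg-compressed chunks, so the example would be cleaner as `ssh bob@myclient -R 8022:mybackup:22 -N` with a remark that `-v` helps when troubleshooting the tunnel.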
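Review bot: In the 2/5 hunk (@@ -455,9 +455,12 @@) the new paragraph "You can also remove the need for machine ``myinter`` and create the port forwarding on the backup server directly by using ``localhost`` instead of ``mybackup``" should say explicitly that the `ssh ... -R` command is then run on `mybackup` (the list item above it still reads "On machine ``myinter``"), and it is missing a terminating period. It is also worth stating that the listening side of a `-R` forward binds to the loopback interface of `myclient` by default (unless `GatewayPorts` is enabled in the sshd configuration there), which is exactly why the client must use `localhost:8022` and why no other host can reach the tunnel; readers should be told not to change that default for this use case.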
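Review bot: In the first 4/5 hunk (@@ -426,11 +426,11 @@) "The standard ssh client allows to create tunnels" is not grammatical English; "allows you to create tunnels" or "can create tunnels" reads correctly. The parenthetical "(local forwarding)" / "(remote forwarding)" labels are a good addition since the rest of the section only uses the second kind.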
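Review bot: In the third 4/5 hunk (@@ -453,26 +453,26 @@) the SSH Keys paragraph "the ssh ``known_hosts`` and ``authorized_keys`` need to be set up to allow connections" is too vague to be actionable for an automated setup; it should list the three trust relationships the diagram implies: the key `myinter` uses to log in as `bob@myclient` (in `myclient`'s `authorized_keys`, with `myclient`'s host key in `myinter`'s `known_hosts`), and the key `myclient` uses to log in as `backup@mybackup` through the tunnel (in `mybackup`'s `authorized_keys`). For the latter, note that because borg connects to `ssh://backup@localhost:8022/...`, the client's `known_hosts` entry for the backup server's host key must be recorded under `[localhost]:8022`, not under `mybackup`; otherwise the first non-interactive run fails on host key verification, and people tend to "fix" that with `StrictHostKeyChecking=no`, which defeats the check entirely.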
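Review bot: In the fourth 4/5 hunk (@@ -483,3 +483,11 @@) the `ssh man page` target `https://manpages.debian.org/testing/manpages-de/ssh.1.de.html` links the German translation from English documentation; the English page (or the OpenSSH project's own manual) would be the appropriate reference, and a third-party blog post as the primary `remote forwarding` link is fragile compared to the `-R` section of the ssh man page itself. Style point: the two `.. _remote forwarding:` / `.. _ssh man page:` targets are indented by one space under a preceding paragraph, which reStructuredText treats as a block quote; the hyperlink targets should start in column 0 like the rest of the file.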
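Review bot: In the 5/5 hunk (@@ -481,6 +481,17 @@) the `authorized_keys` example is incomplete: `command="cd /home/backup/repos/;borg serve --restrict-to-path /home/backup/repos/"` is only the options prefix of an entry, and a reader copying it as-is gets a line without key type and key material; append a placeholder such as `ssh-ed25519 AAAA... client@myclient` and say that the public key of the client's backup key goes there. The sentence "with proper path and client-fqdn" refers to a client FQDN that does not appear in the example; either drop the phrase or make the path `/home/backup/repos/<client fqdn>` so that each client is confined to its own subdirectory, consistent with the repository path `/home/backup/repos/myclient` used earlier in the section. The leading `cd /home/backup/repos/;` does nothing useful, as the repository URL is absolute and `--restrict-to-path` already bounds what `borg serve` may touch. Since the forced command is presented as a hardening measure, the entry should also carry the `restrict` option (disables pty allocation, agent and port forwarding, and X11 for that key); and the same treatment applies to the key `myinter` (or `mybackup`) uses to log in as `bob@myclient` for the `-N` tunnel, which needs nothing but port forwarding and can therefore be limited with `restrict,port-forwarding` so that a compromised tunnel host cannot run commands on the client. Minor: the hunk leaves two consecutive blank lines before "All the additional security considerations".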