$_ BSDHowTo.ch

How to run rsnapshot using a dedicated user account

Last update: 2023-10-30

Introduction

In this article I describe how to set up rsnapshot so that it uses a dedicated user account. I will use some of the possibilities that OpenSSH offers to tighten the security of the account as much as possible, while still allowing rsnapshot to back up all the files on all the target hosts.

The environment I describe in this article consists of the following systems:

Name    Role           Description
backup  Backup server  This system executes and stores the backups
target  Target system  This system is backed up on a regular basis

You have to make sure that the needed packages are installed on each system for this to work:

backup$ doas pkg_add rsnapshot

target$ doas pkg_add rsync

Backup server

First you need to create a user account for your dedicated backup user. I recommend that you set the UID manually to make sure it is the same on all the targets and the backup server. You must not assign a password to this account as it will only be allowed to use SSH keys for login.

$ doas useradd -m -u 190381 backup

Next, you must create a new SSH keypair for the user:

$ doas -u backup -s
$ cd
$ ssh-keygen -t ed25519

You must create this keypair with no passphrase at all or rsnapshot will fail to use it. Now it is time to adjust the permissions on the directory which will hold the backup files.

$ doas chgrp backup /var/rsnapshot
$ doas chmod 0770 /var/rsnapshot

Finally there are two settings in /etc/rsnapshot.conf which need to be tuned in order for this to work. Uncomment the line starting #rsync_long_args and add the --rsync-path parameter to it:

rsync_long_args --rsync-path="doas rsync" --delete --numeric-ids --relative --delete-excluded

With this parameter rsnapshot will run the remote rsync on the targets using doas(1). This is necessary if you plan to back up files only readable by root.

The second option makes sure SSH ignores any means of authentication besides the private key of the user backup, just in case you run rsnapshot manually on the backup server:

ssh_args    -o IdentitiesOnly=yes -i /home/backup/.ssh/id_ed25519

A potential retain and backup target configuration part in the config file /etc/rsnapshot.conf might look like this:

retain  daily   7
retain  weekly  4
retain  monthly 6

backup  backup@target1.example.com:/etc/    target1/
backup  backup@target1.example.com:/home/   target1/
backup  backup@target1.example.com:/var/    target1/
backup  backup@target2.example.com:/etc/    target2/
backup  backup@target2.example.com:/home/   target2/
backup  backup@target2.example.com:/var/    target2/

Target systems

First create the local backup user, if possible with the same UID as on the backup server:

$ doas useradd -m -u 190381 backup

Copy over the public key of the user backup you’ve created on the backup server and add it to .ssh/authorized_keys. Then add the restrictions to it. The file should look like this:

command="/home/backup/bin/backup.sh",restrict ssh-ed25519 AAAAC4OabD2mAEJ2OUF6AAAAJHTGROoBU4sImVMBxcnN2UI87tAVvq052+L4R5Hqzbjt backup@backup.example.com

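The script bin/backup.sh gets called every time the user backup logs in using the matching private key. It controls whether the command passed along with the login will be executed or not. In this case we want to make sure the key is only used to execute the command doas rsync:

#!/bin/sh
# [[ ]] is a ksh construct; OpenBSD's /bin/sh supports it.

# Refuse any command that does not start with "doas rsync ".
[[ "$SSH_ORIGINAL_COMMAND" == doas\ rsync\ * ]] || exit 1
# Left unquoted on purpose so the command is split into words.
exec $SSH_ORIGINAL_COMMAND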

Now you must add a line to doas.conf(5) which permits the user backup to execute rsync without prompting for the user's password:

permit nopass backup cmd rsync
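
The backup.sh shown above accepts any command line that begins with doas rsync, so whoever holds the key can start rsync as root with options of their choosing. A stricter variant, added here as an example and not part of the original article, accepts only rsync's sending side (--server --sender) for a single allowlisted directory. The function name, ALLOWED_ROOTS, the long-option allowlist and the logger(1) call are assumptions; compare them with what your rsync version actually sends before relying on them.

```shell
#!/bin/sh
# Added example: a stricter forced-command check (not the article's backup.sh).
# ALLOWED_ROOTS and the long-option allowlist are assumptions taken from the
# article's sample "backup" lines and rsync_long_args; adjust them to your setup.
ALLOWED_ROOTS="/etc/ /home/ /var/"

# Return 0 only for "doas rsync" acting as the sending side of a pull
# for exactly one allowlisted directory.
backup_cmd_allowed() {
    case $1 in
        "doas rsync --server --sender "*) ;;   # remote side sends, local side pulls
        *) return 1 ;;
    esac
    set -f            # no filename globbing while the command is word-split
    set -- $1         # split into words (positional parameters of this function)
    shift 4           # drop: doas rsync --server --sender
    seen_dot=0 path=
    for arg in "$@"; do
        if [ "$seen_dot" -eq 1 ]; then
            [ -z "$path" ] || return 1          # more than one source path
            path=$arg
            continue
        fi
        case $arg in
            .) seen_dot=1 ;;                    # placeholder before the path
            --numeric-ids|--relative|--delete|--delete-excluded) ;;
            --*) return 1 ;;                    # any other long option
            -*[!A-Za-z0-9.]*) return 1 ;;       # odd characters in a short bundle
            -?*) ;;                             # short option bundle
            *) return 1 ;;
        esac
    done
    for root in $ALLOWED_ROOTS; do
        [ "$path" = "$root" ] && return 0
    done
    return 1
}

# Acts only when sshd passes a command; a login without one does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if backup_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backup.sh "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Rejected commands show up in syslog under the tag backup.sh, which is also the quickest way to see which options a legitimate rsnapshot run needs if the allowlist turns out to be too narrow.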

Check and automation

Back on the backup server you can check if everything works by manually starting the first backup:

$ doas -u backup rsnapshot daily

If this runs through without any output, everything works as expected. Use cron(8) to schedule the backups:

$ doas -u backup crontab -e

#min     hour     mday        month    wday       command
0        0        1           *        *          /usr/local/bin/rsnapshot monthly
0        0        2-31        *        1-6        /usr/local/bin/rsnapshot daily
0        0        *           *        7          /usr/local/bin/rsnapshot weekly

If something goes wrong with a backup command, cron will send the output to the user backup on the backup server, so you want to make sure you get these mails.