diff --git a/docs/deployment/central-backup-server.rst b/docs/deployment/central-backup-server.rst index ee90326ec..26e718985 100644 --- a/docs/deployment/central-backup-server.rst +++ b/docs/deployment/central-backup-server.rst @@ -68,8 +68,7 @@ forced command and restrictions applied as shown below: command="cd /home/backup/repos/; borg serve --restrict-to-path /home/backup/repos/", - no-port-forwarding,no-X11-forwarding,no-pty, - no-agent-forwarding,no-user-rc + restrict .. note:: The text shown above needs to be written on a single line! @@ -147,7 +146,7 @@ package manager to install and keep borg up-to-date. - file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory - authorized_key: user="{{ user }}" key="{{ item.key }}" - key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc' + key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",restrict' with_items: "{{ auth_users }}" - file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file - file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory @@ -198,11 +197,7 @@ Salt running on a Debian system. - source: salt://conf/ssh-pubkeys/{{host}}-backup.id_ecdsa.pub - options: - command="cd /home/backup/repos/{{host}}; borg serve --restrict-to-path /home/backup/repos/{{host}}" - - no-port-forwarding - - no-X11-forwarding - - no-pty - - no-agent-forwarding - - no-user-rc + - restrict {% endfor %} diff --git a/docs/deployment/hosting-repositories.rst b/docs/deployment/hosting-repositories.rst index ae9a4e1ee..6e3161ee5 100644 --- a/docs/deployment/hosting-repositories.rst +++ b/docs/deployment/hosting-repositories.rst @@ -29,7 +29,7 @@ SSH access to safe operations only. :: - restrict,command="borg serve --restrict-to-repository /home//repository" + command="borg serve --restrict-to-repository /home//repository",restrict .. note:: The text shown above needs to be written on a **single** line! diff --git a/docs/quickstart.rst b/docs/quickstart.rst index 43d62fc9a..d816fea00 100644 --- a/docs/quickstart.rst +++ b/docs/quickstart.rst @@ -277,7 +277,7 @@ use of the SSH keypair by prepending a forced command to the SSH public key in the remote server's `authorized_keys` file. This example will start |project_name| in server mode and limit it to a specific filesystem path:: - command="borg serve --restrict-to-path /path/to/repo",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...] + command="borg serve --restrict-to-path /path/to/repo",restrict ssh-rsa AAAAB3[...] If it is not possible to install |project_name| on the remote host, it is still possible to use the remote host to store a repository by diff --git a/docs/usage/serve.rst b/docs/usage/serve.rst index ebc5626e6..ae18205af 100644 --- a/docs/usage/serve.rst +++ b/docs/usage/serve.rst @@ -23,9 +23,19 @@ locations like ``/etc/environment`` or in the forced command itself (example bel # Use key options to disable unneeded and potentially dangerous SSH functionality. # This will help to secure an automated remote backup system. $ cat ~/.ssh/authorized_keys - command="borg serve --restrict-to-path /path/to/repo",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...] + command="borg serve --restrict-to-path /path/to/repo",restrict ssh-rsa AAAAB3[...] # Set a BORG_XXX environment variable on the "borg serve" side $ cat ~/.ssh/authorized_keys command="export BORG_XXX=value; borg serve [...]",restrict ssh-rsa [...] +.. note:: + The examples above use the ``restrict`` directive. This does automatically + block potential dangerous ssh features, even when they are added in a future + update. Thus, this option should be prefered. + + If you're using openssh-server < 7.2, however, you have to explicitly specify + the ssh features to restrict and cannot simply use the restrict option as it + has been introduced in v7.2. We recommend to use + ``no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc`` + in this case.