scponly, debian, and collecting backups on remote server

I recently spent some time pushing backups from our production machine to a backup-collection machine. I wanted the backup push automated, and I wanted servers to be able to easily push backups to my backup-collection machine (which also has some other roles).

I decided to use scponly with a chroot jail. That way I can collect all backups under a single tree on my collection machine, and I can give each pusher a different, limited view of only its own files through the jail. See Problems with this solution at the bottom for what I'll be doing next time I get to iterate on this.

Here were my steps, with the other options I considered at the end:

Setting up scponly on debian

For Debian squeeze users there are two flavors of scponly: the normal scponly package and the scponly-full package. If you also want to allow rsync backups (which I did), choose scponly-full, which copies a few more binaries into the chroot jail. Otherwise stick with scponly.

apt-get install scponly-full
# enable scponlyc (the chrooted variant) if you didn't during the initial install
dpkg-reconfigure -plow scponly-full
cd /usr/share/doc/scponly-full/setup_chroot
gunzip setup_chroot.sh.gz
chmod +x setup_chroot.sh
./setup_chroot.sh
# The rest of the post assumes you picked the default username and location.
# If you stopped here and tried to scp, you would get "Unknown User ID" every time,
# because some NSS libraries still need to be copied into the jail.
# Below is the hammer I used to solve that problem; details from here, thanks nuno.
cp /lib/libnss_files* /home/scponly/lib
cd /home/scponly/
# setup_chroot.sh leaves the libraries under lib64; merge them into lib and symlink
mv lib64/* lib && rmdir lib64 && ln -s lib lib64
# At this point you can use scp with a password if you have that set up.
# I use keys, so I also did the following (the .ssh tree is owned by root so the
# jailed user can read but not modify its own authorized_keys).
mkdir .ssh
touch .ssh/authorized_keys
chown -R root:scponly .ssh
chmod 750 .ssh
chmod 640 .ssh/authorized_keys
cat >> .ssh/authorized_keys <<'EOF'
<key>
EOF

At this point you should be able to execute:

scp localfile scponly@server:incoming

without using passwords.
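To catch the two jail problems described above before the first failed push, here is a small sanity check I would run after setup_chroot.sh. This is an added example, not part of the original post or of the scponly package; the function name, the expected authorized_keys mode (640 or stricter) and the jail layout it checks are my assumptions based on the steps above.

```shell
#!/bin/sh
# check_scponly_jail JAILDIR
# Reports the jail defects discussed above: missing libnss_files* (the
# "Unknown User ID" symptom), a lib64 that is a real directory instead of a
# symlink to lib, and an authorized_keys that is missing or too permissive.
# Prints one line per problem; the return value is the number of problems (0 = clean).
check_scponly_jail() {
    jail=$1
    problems=0
    if [ ! -d "$jail/lib" ]; then
        echo "missing $jail/lib (did setup_chroot.sh run?)"
        problems=$((problems + 1))
    fi
    # NSS library so the jailed process can resolve its own uid/gid
    if ! ls "$jail"/lib/libnss_files* >/dev/null 2>&1; then
        echo "no libnss_files* in $jail/lib: expect 'Unknown User ID' on scp"
        problems=$((problems + 1))
    fi
    # lib64 must be a symlink to lib, not a separate directory
    if [ -d "$jail/lib64" ] && [ ! -L "$jail/lib64" ]; then
        echo "$jail/lib64 is a real directory: move its contents into lib and symlink it"
        problems=$((problems + 1))
    fi
    # the key file must exist and must not be writable by the scponly user
    keys=$jail/.ssh/authorized_keys
    if [ -f "$keys" ]; then
        mode=$(stat -c '%a' "$keys")   # GNU stat (Linux), as on Debian
        case $mode in
            6[04]0|4[04]0) ;;
            *) echo "$keys has mode $mode, expected 640 or stricter"
               problems=$((problems + 1)) ;;
        esac
    else
        echo "$keys missing: key-based scp will fall back to passwords"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: check_scponly_jail.sh /home/scponly
[ $# -gt 0 ] && check_scponly_jail "$1"
```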

Using rsync with scponly

There is a widely posted problem with scponly and rsync: rsync passes -e, and scponly has an issue with its getopts call. I found here that a workaround is to force an older rsync protocol version (or perhaps grab a newer version of the package). So this is the minimal rsync command template:

rsync -e 'ssh -p <non-standard-ssh-port>' --protocol=29 <local-files> scponly@server:incoming

Note that I pass a non-standard port to rsync by quoting the ssh command, I drop the protocol version with --protocol=29, and I make sure to specify incoming (or whatever directory you set up in the chroot setup).

scponly debugging

You can change the scponly debugging level, which makes it return debug output to your remote command. This helped me confirm I was seeing the same parameter-parsing problem as others. The default is 0.

echo 2 > /etc/scponly/debuglevel

Other options

I looked into using internal-sftp directly in sshd, but I wasn't satisfied with the sftp CLI and I had scponly working by then. If I hadn't gotten scponly to work, I probably would have done something more elegant, perhaps as described in these other resources:

http://www.howtoforge.com/chrooted_ssh_howto_debian
http://ubuntuforums.org/showpost.php?p=9799756&postcount=5

Problems with this solution

One of the major problems with this solution is that I have to track security updates manually and apply them to the binaries and libraries copied into the chroot. The Other options section lists ssh-jail mechanisms that avoid this issue.
