March 26, 2011
I recently spent some time pushing backups from our production machine to a backup-collection machine. I wanted the backup push automated and I wanted servers to be able to easily push backups to my backup-collection machine (which also has some other roles).
I decided to use scponly with a chroot jail, so that I can collect all backups under a single tree on my collection machine and give each pusher a different, limited view of only their own files through the jail. See Problems with this solution at the bottom for what I’ll be doing next time I get to iterate on this.
Here were my steps, and other considered options at the end:
Setting up scponly on Debian
For Debian users on squeeze there are two flavors of scponly: the normal scponly package and scponly-full. If you also want to allow rsync backups (which I did), choose scponly-full, which copies a few more binaries into the chroot jail. Otherwise stick with scponly.
apt-get install scponly-full
-- enable scponlyc if you didn't during the initial install
dpkg-reconfigure -plow scponly-full
cd /usr/share/doc/scponly-full/setup_chroot
gunzip setup_chroot.sh.gz
chmod +x setup_chroot.sh
./setup_chroot.sh
-- the rest of the post assumes you pick the default username and location
-- If you stopped here and tried to scp, you'd get "Unknown User ID" back
-- every time. This is because some libraries the jail needs have not been copied yet.
-- Below is the hammer I used to solve that problem, details from here, thanks nuno.
cp /lib/libnss_files* /home/scponly/lib
cd /home/scponly/
mv lib64/* lib && rmdir lib64 && ln -s lib lib64
-- At this point you can use scp with a password if you have that set up.
-- I use keys, so I also did the following.
mkdir .ssh
touch .ssh/authorized_keys
chown -R root:scponly .ssh
chmod 750 .ssh
chmod 640 .ssh/authorized_keys
cat >> .ssh/authorized_keys
-- paste the client's public key, then end the input with Ctrl-D
At this point you should be able to execute:
scp localfile scponly@server:incoming
without using passwords.
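Before testing with scp, it is worth checking the jail for the two things that bit me above: the missing NSS library behind "Unknown User ID", and the key-directory permissions sshd insists on. The following checker is an added example, not part of the original post or the scponly package; it assumes the default jail layout from setup_chroot.sh (lib/, lib64 -> lib, .ssh/, incoming/), GNU stat, and the function name check_jail is my own.

```shell
#!/bin/sh
# Added example: sanity-check an scponly chroot jail for the failure
# modes described in the post. Assumes GNU coreutils (stat -c, readlink).

check_jail() {
    jail="$1"
    errors=0

    # Without libnss_files inside the jail, user lookups against the
    # jail's /etc/passwd fail and scponly reports "Unknown User ID".
    if ! ls "$jail"/lib/libnss_files.so* >/dev/null 2>&1; then
        echo "missing: $jail/lib/libnss_files.so*"; errors=$((errors+1))
    fi

    # The post folds lib64 into lib and leaves a symlink so the dynamic
    # loader finds the copied libraries under either path.
    if [ ! -L "$jail/lib64" ] || [ "$(readlink "$jail/lib64")" != "lib" ]; then
        echo "$jail/lib64 is not a symlink to lib"; errors=$((errors+1))
    fi

    # sshd ignores keys reachable through group/world-writable paths;
    # the post uses 750 on .ssh and 640 on authorized_keys (root-owned).
    for entry in ".ssh 750" ".ssh/authorized_keys 640"; do
        path="$jail/${entry% *}"; want="${entry#* }"
        have=$(stat -c %a "$path" 2>/dev/null) || have=missing
        if [ "$have" != "$want" ]; then
            echo "$path: mode $have, expected $want"; errors=$((errors+1))
        fi
    done

    # The upload target must exist inside the jail, or scp/rsync fail
    # with a confusing "No such file or directory".
    if [ ! -d "$jail/incoming" ]; then
        echo "missing: $jail/incoming"; errors=$((errors+1))
    fi

    return "$errors"   # 0 when every check passes
}
```

Run it as `check_jail /home/scponly` after the steps above; a non-zero exit status is the number of problems found.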
Using rsync with scponly
There is a widely posted problem with scponly and rsync: rsync tries to pass -e, and scponly's getopts call does not handle it. I found here that a workaround is to force an older rsync protocol version (or perhaps grab a newer version of the package). So for example this is the minimal rsync command template:
rsync -e 'ssh -p <non-standard-ssh-port>' --protocol=29 <local-files> scponly@server:incoming
Note that I pass a non-standard port to rsync by quoting the ssh command, I downgrade the protocol with --protocol=29, and I make sure to specify incoming (or whatever directory you set up in the chroot setup).
You can change the scponly debugging level, which makes it return debug output to your remote command. This helped me confirm I was seeing the same parameter parsing problem as others. The default is 0.
echo 2 > /etc/scponly/debuglevel
I looked into using internal-sftp directly in sshd, but I wasn’t satisfied with the sftp CLI and I had scponly working by then. If I hadn’t gotten scponly to work, I probably would have done something more elegant, perhaps described in these other resources:
Problems with this solution
One of the major problems with this solution is that I have to manually track security updates for the binaries and libraries copied into my chroot. In the Other options section there are ssh-jail mechanisms that avoid this issue.