Borg: Are there some recommended restrictions to be applied to ssh public keys on borg servers?

Created on 12 Feb 2020  ·  2 Comments  ·  Source: borgbackup/borg

A number of server utilities which use SSH apply some restrictions to the ssh public keys of clients. Gitolite, for instance, uses command="/usr/bin/gitolite/src/gitolite-shell username",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty.

Do you have some similar recommendations for borg, on both server and client?

Are there some general server hardening guides for borg servers?

All 2 comments

The docs linked above recommend "restrict", which is easy to overlook. It includes all of the above restrictions (and any added in the future).

restrict
Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set.
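
The following is an added example, not part of the issue thread or of borg itself: a small audit of authorized_keys entries that reports keys lacking "restrict" (or the full set of individual options it implies) and keys without a forced command. The sample entries, key material and repository path are constructed; `borg serve --restrict-to-path` is borg's own option, and the function names are hypothetical.

```python
# Added example: audit authorized_keys entries for the restrictions discussed above.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # a line starting with a key type has no options
# Individual options that "restrict" implies, per the sshd(8) text quoted above.
IMPLIED_BY_RESTRICT = {"no-port-forwarding", "no-agent-forwarding",
                       "no-x11-forwarding", "no-pty", "no-user-rc"}

def split_options(line):
    """Parse the leading option list of one authorized_keys line into a dict."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return {}
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 2    # escaped quote inside a quoted value
            continue
        if ch == '"':
            in_quote = not in_quote      # quotes delimit values and are dropped
        elif ch == "," and not in_quote:
            opts.append(buf)
            buf = ""
        elif ch.isspace() and not in_quote:
            break                        # options end at the first unquoted space
        else:
            buf += ch
        i += 1
    opts.append(buf)
    # Option names are case-insensitive; values keep their case.
    return {name.lower(): value for name, _, value in (o.partition("=") for o in opts)}

def audit(line):
    """Return findings for one key entry; an empty list means it passes."""
    opts = split_options(line)
    findings = []
    missing = sorted(IMPLIED_BY_RESTRICT - set(opts))
    if "restrict" not in opts and missing:
        findings.append("no 'restrict'; missing " + ",".join(missing))
    if "command" not in opts:
        findings.append("no forced command")
    return findings

# Constructed sample entries (key material is a placeholder, not a real key).
SAMPLE = [
    'command="borg serve --restrict-to-path /srv/repos/alice",restrict ssh-ed25519 AAAAC3constructed alice',
    'command="/usr/bin/gitolite/src/gitolite-shell username",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3constructed bob',
    'ssh-ed25519 AAAAC3constructed carol',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry) or "ok", "<-", entry[:60])
```

The second sample is the Gitolite-style option list from the question; the audit flags it only for the missing ~/.ssh/rc restriction, which is the difference "restrict" closes.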
