diff --git a/doc/xml/release.xml b/doc/xml/release.xml index b61c14ff4..22cfc4a8d 100644 --- a/doc/xml/release.xml +++ b/doc/xml/release.xml @@ -126,6 +126,15 @@ + + + + + + +

Use command in authorized_hosts to improve SSH security.

+ + @@ -2096,7 +2105,7 @@ -

Add trusted SSH configuration.

+

Add passwordless SSH configuration.

 diff --git a/doc/xml/user-guide.xml b/doc/xml/user-guide.xml index d62a0b2ec..3fea783f3 100644 --- a/doc/xml/user-guide.xml +++ b/doc/xml/user-guide.xml @@ -42,6 +42,7 @@ /var/lib/pgbackrest aes-256-cbc zWaf6XtpjIVZC5444yXB+cgFDFl7MxGlgkZSaoPvTGirhPygu4jOKOXf9LO4vjfO + {[perl-bin-path]}/pgbackrest pgbackrest {[br-user]} /home/{[br-user]} @@ -240,7 +241,7 @@ -

requires trusted (no password) SSH to enable communication between the hosts.

+

requires passwordless SSH to enable communication between the hosts.

 @@ -261,18 +262,26 @@ Copy <host>{[setup-ssh-host]}</host> public key to <host>{[host-repo1]}</host> - - ssh root@{[setup-ssh-host]} cat {[setup-ssh-user-home-path]}/.ssh/id_rsa.pub | - sudo -u pgbackrest tee -a {[br-home-path]}/.ssh/authorized_keys + + + (echo -n 'no-agent-forwarding,no-X11-forwarding,no-port-forwarding,' && + echo -n 'command="{[br-bin]} ${SSH_ORIGINAL_COMMAND#* }" ' && + sudo ssh root@{[setup-ssh-host]} cat {[setup-ssh-user-home-path]}/.ssh/id_rsa.pub) | + sudo -u pgbackrest tee -a {[br-home-path]}/.ssh/authorized_keys + Copy <host>{[host-repo1]}</host> public key to <host>{[setup-ssh-host]}</host> - - ssh root@{[host-repo1]} cat {[br-home-path]}/.ssh/id_rsa.pub | - sudo -u {[setup-ssh-user]} tee -a {[setup-ssh-user-home-path]}/.ssh/authorized_keys + + + (echo -n 'no-agent-forwarding,no-X11-forwarding,no-port-forwarding,' && + echo -n 'command="{[br-bin]} ${SSH_ORIGINAL_COMMAND#* }" ' && + sudo ssh root@{[host-repo1]} cat {[br-home-path]}/.ssh/id_rsa.pub) | + sudo -u {[setup-ssh-user]} tee -a {[setup-ssh-user-home-path]}/.ssh/authorized_keys + @@ -283,7 +292,7 @@ ssh {[setup-ssh-user]}@{[setup-ssh-host]} - -o StrictHostKeyChecking=no ls + -o StrictHostKeyChecking=no @@ -292,7 +301,7 @@ ssh pgbackrest@{[host-repo1]} - -o StrictHostKeyChecking=no ls + -o StrictHostKeyChecking=no @@ -1987,7 +1996,7 @@
- Setup Trusted SSH + Setup Passwordless SSH bogus !!! @@ -2011,6 +2020,8 @@ {[pg-home-path]} +

Note that ssh has been configured to only allow to be run via passwordless ssh. This enhances security in the event that one of the service accounts is hijacked.

+
- Setup Trusted SSH + Setup Passwordless SSH bogus !!!