Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
How to secure the SSH server so that the SSH user can only do backups? #879
I already use backintime for my personal backups, on a self-hosted (debian) server through SSH.
I would create a SSH user for each person, and use encrypted SSH option (so that I'm not able to read the backups of other persons. Hopefully #644 and gocryptfs might further improve that in the future).
My concern is that, if the computers of these persons get compromised (or if they simply have bad intentions), they have a SSH access to my server. Even if it's a non-root access, it still allows to do a lot of nasty things (on the server itself and/or on the local network). I would like to mitigate that risk.
I've tested a few technical possibilities, without much success for now :
I finally implemented such a Docker container, and wrote a blog article with all the details (in French) : https://blog.mossroy.fr/2019/02/28/sauvegardes-via-internet-automatisees-et-auto-hebergees-avec-backintime-et-docker/
Another advantage of this approach is that you can create one container instance for each user, giving access only to his own backup data. If one container is compromised, it should not affect the other ones.