Should I create a separate user for a backup script that uses a passphrase-less ssh key?

3

I currently have a back-up script running via cron. It is basically a few rsync commands strung together.

For my main shell logins I have ssh keys with passphrases, but because of the automated nature of the script, it uses a key without a passphrase. As I understand it, anyone that gets access to this passphrase-less key would have the same amount of access privileges as myself logging in via my key with passphrase.

So should I create a new user, that only runs the script? If so, is it possible to restrict this user to only cron jobs or certain commands?

blndcat

Posted 2012-06-17T16:28:56.020

Reputation: 33

Answers

1

You can restrict what can be done with a specific SSH key, so if you can restrict the key to the bare minimum it should be fairly safe to use the same user. The safest option is to implement both options however ;-)

The sshd manpage has the details, but the following line in ~/.ssh/authorized_keys would only allow the specified command to be executed, and disallow other operations like port forwarding. It also restricts access to clients from a specific IP subnet.

command="/usr/local/bin/dobackup",from="1.2.3.0/24",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...== alice@example.com

mgorven

Posted 2012-06-17T16:28:56.020

Reputation: 2 539

Thanks, that's great, exactly what I was looking for. It's a surprise that it isn't often mentioned in ssh key set-up guides especially for passphrase-less automated tasks. – blndcat – 2012-06-18T06:03:14.533
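
The forced command in the answer above receives the client's request in SSH_ORIGINAL_COMMAND. The following is an added example, not part of mgorven's answer, of what a script such as /usr/local/bin/dobackup could check before running rsync. It assumes a push-only backup into /srv/backup and a short list of permitted long options; both are illustrative choices, and the function name is hypothetical.

```shell
#!/bin/sh
# Hypothetical body for the forced command /usr/local/bin/dobackup.
# sshd runs it for every login with the restricted key and passes the
# client's requested command in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL         # make the A-Z style ranges below byte-exact
BACKUP_ROOT=/srv/backup         # assumption: only tree this key may write to

# Return 0 only for "rsync --server <flags> . <path under BACKUP_ROOT>".
check_backup_command() {
    set -f; set -- $1; set +f   # split on whitespace, no glob expansion
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    prev= dest=
    for arg in "$@"; do
        case $arg in
            *[!A-Za-z0-9./_-]*) return 1 ;;       # shell metacharacters etc.
            --delete|--numeric-ids) ;;            # long options this job uses
            --*) return 1 ;;                      # --sender and anything else
        esac
        prev=$dest; dest=$arg
    done
    [ "$prev" = . ] || return 1                   # rsync sends ". <dest>" last
    case $dest in "$BACKUP_ROOT"/*) ;; *) return 1 ;; esac
    case /$dest/ in */../*) return 1 ;; esac      # no climbing out of the tree
    return 0
}

# Empty when someone tries an interactive login: nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_backup_command "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        exec "$@"               # no eval, so the string is never re-parsed
    fi
    logger -t dobackup "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The rsync distribution ships a helper called rrsync that performs this kind of filtering more thoroughly; the rejected-request log line gives you something to alert on if the key is ever used for anything other than the backup.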