verweg-zfs-backup/jail/README.md

# intermediate backup agent

* Server "sends" the backup to the backup jail
* The backup jail is ipv6 only, mostly empty, and uses an hardened ssh configuration
* the receive script immediatly reconnects to the system actually receiving the backup

# Setup jail sshd

Add the following to the sshd of the jail. To maximise security ssh certificates are used (but you can do without ymmv)


```
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PasswordAuthentication no
PrintMotd no
RevokedKeys /etc/ssh/ssh_revoked_keys
Subsystem sftp /usr/libexec/sftp-server
TrustedUserCAKeys /etc/ssh/backup-ca.pub
UsePAM no
X11Forwarding yes
Match User root Address 2a02:898::96:1
    ForceCommand /root/zfs-receive.sh
    PermitRootLogin forced-commands-only
```
Store backup scripts 2024-03-19 11:33:12 +01:00			`# intermediate backup agent`

			`* Server "sends" the backup to the backup jail`
			`* The backup jail is ipv6 only, mostly empty, and uses an hardened ssh configuration`
			`* the receive script immediatly reconnects to the system actually receiving the backup`

			`# Setup jail sshd`

			`Add the following to the sshd of the jail. To maximise security ssh certificates are used (but you can do without ymmv)`


			```
			`AcceptEnv LANG LC_*`
			`ChallengeResponseAuthentication no`
			`PasswordAuthentication no`
			`PrintMotd no`
			`RevokedKeys /etc/ssh/ssh_revoked_keys`
			`Subsystem sftp /usr/libexec/sftp-server`
			`TrustedUserCAKeys /etc/ssh/backup-ca.pub`
			`UsePAM no`
			`X11Forwarding yes`
			`Match User root Address 2a02:898::96:1`
			`ForceCommand /root/zfs-receive.sh`
			`PermitRootLogin forced-commands-only`
			```