# intermediate backup agent

* Server "sends" the backup to the backup jail
* The backup jail is ipv6 only, mostly empty, and uses an hardened ssh configuration
* the receive script immediatly reconnects to the system actually receiving the backup

# Setup jail sshd

Add the following to the sshd of the jail. To maximise security ssh certificates are used (but you can do without ymmv)


```
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PasswordAuthentication no
PrintMotd no
RevokedKeys /etc/ssh/ssh_revoked_keys
Subsystem sftp /usr/libexec/sftp-server
TrustedUserCAKeys /etc/ssh/backup-ca.pub
UsePAM no
X11Forwarding yes
Match User root Address 2a02:898::96:1
    ForceCommand /root/zfs-receive.sh
    PermitRootLogin forced-commands-only
```