# Intermediate backup agent

* The server "sends" the backup to the backup jail
* The backup jail is IPv6-only, mostly empty, and uses a hardened SSH configuration
* The receive script immediately reconnects to the system that actually receives the backup

# Setup jail sshd

Add the following to the sshd configuration of the jail. To maximise security, SSH certificates are used (but you can do without them; YMMV).

```
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PasswordAuthentication no
PrintMotd no
# Keys and certificates listed in this file are refused
RevokedKeys /etc/ssh/ssh_revoked_keys
Subsystem sftp /usr/libexec/sftp-server
# Accept user certificates signed by the backup CA
TrustedUserCAKeys /etc/ssh/backup-ca.pub
UsePAM no
# The backup jail has no use for X11
X11Forwarding no

# root connecting from this address may only run the receive script
Match User root Address 2a02:898::96:1
    ForceCommand /root/zfs-receive.sh
    PermitRootLogin forced-commands-only
```
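
The `Match` block restricts only root connecting from that one address; any other connection falls back to the global section and to sshd's built-in defaults. The following is an added example, not part of the original README, that resolves which keywords are explicitly set for a given connection. The names `parse` and `effective` and the address `2001:db8::1` are made up for this sketch, which handles only exact `User`/`Address` values in `Match` lines.

```python
# Added example: which sshd_config keywords apply to one connection.
# Sketch assumptions: Match criteria are exact User/Address values only
# (no patterns or CIDR), and sshd's built-in defaults are not modelled.
# CONFIG is this page's configuration, reduced to the lines that matter here.
CONFIG = """\
PasswordAuthentication no
TrustedUserCAKeys /etc/ssh/backup-ca.pub
RevokedKeys /etc/ssh/ssh_revoked_keys
Match User root Address 2a02:898::96:1
    ForceCommand /root/zfs-receive.sh
    PermitRootLogin forced-commands-only
"""


def parse(text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *rest = line.split(None, 1)
        value = rest[0] if rest else ""
        if keyword.lower() == "match":
            words = value.split()
            criteria = dict(zip(map(str.lower, words[0::2]), words[1::2]))
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword.lower(), value)  # first value wins
    return global_settings, blocks


def effective(text, user, address):
    """Keywords set explicitly for `user` connecting from `address`."""
    global_settings, blocks = parse(text)
    conn = {"user": user, "address": address}
    matched = {}
    for criteria, settings in blocks:
        if all(conn.get(k) == v for k, v in criteria.items()):
            matched = {**settings, **matched}  # earlier Match block wins
    return {**global_settings, **matched}  # Match overrides global section


if __name__ == "__main__":
    # 2001:db8::1 is a constructed address from the documentation prefix.
    for addr in ("2a02:898::96:1", "2001:db8::1"):
        print(addr, effective(CONFIG, "root", addr))
```

On the jail itself, `sshd -T -C user=root,addr=2a02:898::96:1` prints the settings sshd really resolves for that connection, built-in defaults included.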