Ssh restrict to backup command

I run a (passwordless) restic backup using SFTP. I would now like to restrict the allowed command on the server side (in authorized_keys) to exactly this purpose. Perhaps someone can help me with what exactly I need to enter in authorized_keys for this?

Thanks a lot,
Martin

While I’m afraid I can’t answer your question directly, I want to suggest taking a look at rest-server, which allows you to create a backup-only connection and, additionally, sports an “append-only” mode in which your client can only add and read data but not delete anything. Also, you could have multiple restic repos with multiple users behind it.

(Another bee daddy here btw :slight_smile:

1 Like

Thanks for your suggestion. Actually, I do use rest-server – for my private backup environment. But in this case, I can only use SFTP.

1 Like

FWIW maybe this helps? Looks easy but I’ve never done it.

1 Like

Yes, your link describes the mechanism. But I’m not sure what exactly the command=“…” should look like.

Well just try it out but for me it would be:

command="/usr/bin/restic",no-port-forwarding,no-x11-forwarding,no-agent-forwarding KEY_TYPE KEY COMMENT

You could, of course, also write a wrapper script for the whole restic backup command and use that:

command="/usr/local/bin/restic-backup.sh",no-port-forwarding,no-x11-forwarding,no-agent-forwarding KEY_TYPE KEY COMMENT

But as I said I never tried that so you’ll have to test or wait until someone comes by here who knows how to do this!

We can interpret the question in two ways:

  • you want to start a backup on a target SSH server with a restic installed on it (which, incidentally, can use any kind of repository)
  • you want to use a locally installed restic to backup files to a repository via SFTP on a remote SSH server

In the first case, you do need the whole restic command line in the authorised_keys file like mentioned by @nicnab.
But in the second case, you need to restrict SSH access to the SFTP subsystem only: in which case, you need something like that (don’t mind the Linux distribution, the important part is the sshd_config)

1 Like

Oooh, of course you are right, @creativeprojects ! Now I get it too :person_facepalming:

1 Like

Sorry, I expressed myself in a misleading way. It’s the second case. I would like to limit the passwordless login on the remote server (where the backup is stored via SFTP) for this special purpose. I thought it should be possible by specifying a command=“…” in the authorized_keys file on this remote server. But it seems that this is not possible?

In such case you do not need any command= restrictions as you do not want to run any command remotely.

What you need is to configure a user with SFTP access only and confined to restic repo directory only. You will find tones of examples on Google, e.g.:

This issue has nothing to do with restic itself.

4 Likes

@kapitainsky link is the answer to your question @beedaddy .
Restic does not require or use server-side commands over ssh.
You can probably also use a restricted ssh shell and use sshfs with fuse and have restic target “local” filesystem, but I would first try what @kapitainsky has linked.