I run a (passwordless) restic backup using SFTP. I would now like to restrict the allowed command on the server side (in authorized_keys) to exactly this purpose. Perhaps someone can help me with what exactly I need to enter in authorized_keys for this?
While I’m afraid I can’t answer your question directly, I want to suggest taking a look at rest-server, which allows you to create a backup-only connection and, additionally, sports an “append-only” mode in which your client can only add and read data but not delete anything. Also, you could have multiple restic repos with multiple users behind it.
you want to start a backup on a target SSH server with a restic installed on it (which, incidentally, can use any kind of repository)
you want to use a locally installed restic to backup files to a repository via SFTP on a remote SSH server
In the first case, you do need the whole restic command line in the authorized_keys file like mentioned by @nicnab.
But in the second case, you need to restrict SSH access to the SFTP subsystem only: in which case, you need something like that (don’t mind the Linux distribution, the important part is the sshd_config)
Sorry, I expressed myself in a misleading way. It’s the second case. I would like to limit the passwordless login on the remote server (where the backup is stored via SFTP) for this special purpose. I thought it should be possible by specifying a command=“…” in the authorized_keys file on this remote server. But it seems that this is not possible?
In such a case you do not need any command= restrictions as you do not want to run any command remotely.
What you need is to configure a user with SFTP access only and confined to the restic repo directory only. You will find tons of examples on Google, e.g.:
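An added example of the SFTP-only, chrooted setup described above (not the example linked in the thread and not the restic project's own configuration); the user name resticbackup, the chroot /srv/restic and the repository directory /srv/restic/repo are assumptions:

```sshd_config
# Added example: sshd_config fragment that confines one key-authenticated user
# to the in-process SFTP server inside a chroot holding the restic repository.
# Assumed names: user "resticbackup", chroot "/srv/restic", repo "/srv/restic/repo".
Match User resticbackup
    # Chroot must be owned by root and not group/world-writable, or sshd refuses login
    ChrootDirectory /srv/restic
    # Replace the login shell with the built-in SFTP server; no remote commands possible
    ForceCommand internal-sftp
    # Close the usual side channels a backup client never needs
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    # Key-only login for this account
    PasswordAuthentication no
    AuthenticationMethods publickey

# Matching line in /home/resticbackup/.ssh/authorized_keys (placeholder key):
# "restrict" is the authorized_keys-side equivalent of the forwarding/pty restrictions
# above, so the key stays locked down even if the Match block is edited later.
#
#   restrict ssh-ed25519 AAAA<placeholder public key> restic-backup-key
```

Create /srv/restic/repo owned by resticbackup (the chroot itself stays root-owned) and point the client at `sftp:resticbackup@host:/repo`, since paths are relative to the chroot. Run `sshd -t` to validate the configuration before reloading the daemon.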
@kapitainsky's link is the answer to your question @beedaddy.
Restic does not require or use server-side commands over ssh.
You can probably also use a restricted ssh shell and use sshfs with fuse and have restic target “local” filesystem, but I would first try what @kapitainsky has linked.