Halaman utama Jelajahi Bantuan
Masuk
mirrors
/
borg
cermin dari https://github.com/borgbackup/borg
2
0
Fork 0
Berkas Masalah 0 Wiki
Pohon: 9e6d90754e
Ranting Tag
borg
/
docs
/
deployment
/
hosting-repositories.rst

hosting-repositories.rst 2.5 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. .. include:: ../global.rst.inc
    2. 

  2. .. highlight:: none
    3. 

  3. .. _hosting_repositories:
    4. 

  4. 

  5. Hosting repositories
    6. 

  6. ====================
    7. 

  7. 

  8. This sections shows how to provide repository storage securely for users.
    9. 

  9. 

  10. Repositories are accessed through SSH. Each user of the service should
    11. 

  11. have her own login which is only able to access the user's files.
    12. 

  12. Technically it would be possible to have multiple users share one login,
    13. 

  13. however, separating them is better. Separate logins increase isolation
    14. 

  14. and are thus an additional layer of security and safety for both the
    15. 

  15. provider and the users.
    16. 

  16. 

  17. For example, if a user manages to breach ``borg serve`` then she can
    18. 

  18. only damage her own data (assuming that the system does not have further
    19. 

  19. vulnerabilities).
    20. 

  20. 

  21. Use the standard directory structure of the operating system. Each user
    22. 

  22. is assigned a home directory and repositories of the user reside in her
    23. 

  23. home directory.
    24. 

  24. 

  25. The following ``~user/.ssh/authorized_keys`` file is the most important
    26. 

  26. piece for a correct deployment. It allows the user to log in via
    27. 

  27. their public key (which must be provided by the user), and restricts
    28. 

  28. SSH access to safe operations only.
    29. 

  29. 

  30. ::
    31. 

  31. 

  32.   command="borg serve --restrict-to-repository /home/<user>/repository",restrict
    33. 

  33.   <key type> <key> <key host>
    34. 

  34. 

  35. .. note:: The text shown above needs to be written on a **single** line!
    36. 

  36. 

  37. .. warning::
    38. 

  38. 

  39.     If this file should be automatically updated (e.g. by a web console),
    40. 

  40.     pay **utmost attention** to sanitizing user input. Strip all whitespace
    41. 

  41.     around the user-supplied key, ensure that it **only** contains ASCII
    42. 

  42.     with no control characters and that it consists of three parts separated
    43. 

  43.     by a single space. Ensure that no newlines are contained within the key.
    44. 

  44. 

  45. The ``restrict`` keyword enables all restrictions, i.e. disables port, agent
    46. 

  46. and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc.
    47. 

  47. If any future restriction capabilities are added to authorized_keys
    48. 

  48. files they will be included in this set.
    49. 

  49. 

  50. The ``command`` keyword forces execution of the specified command line
    51. 

  51. upon login. This must be ``borg serve``. The ``--restrict-to-repository``
    52. 

  52. option permits access to exactly **one** repository. It can be given
    53. 

  53. multiple times to permit access to more than one repository.
    54. 

  54. 

  55. The repository may not exist yet; it can be initialized by the user,
    56. 

  56. which allows for encryption.
    57. 

  57. 

  58. Refer to the `sshd(8) <https://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8>`_
    59. 

  59. man page for more details on SSH options.
    60. 

  60. See also :ref:`borg_serve`
    61.