[Borgbackup] Borg-Backup failed with Command in authorized_keys behind a ssh-tunnel?

Benjamin Knoth knoth at mpdl.mpg.de
Tue Mar 21 06:39:28 EDT 2023


Dear all,

I set up a PoC for a pull backup with Borg Backup. In this example a 
client can only reach the backup server behind a proxy server. In this 
case the server where Borg Backup is running opens a temporary ssh tunnel 
over a proxy server and starts the pull backup on the client. After the 
backup is done, the ssh tunnel is closed. Everything runs in this 
scenario.

For more security I created a separate ssh key for each action. In 
authorized_keys I also started to add the command for every action. 
Without command restriction the Borg backup runs successfully, but 
with command restriction it fails every time with the following message.

    Remote: ssh_exchange_identification: read: Connection reset by peer
    Connection closed by remote host. Is borg working on the server?

I tried different commands in authorized_keys without success.

    # example from Borg website which works on a simple scenario where
    # borg server and client can directly reach the other.
    command="borg serve --append-only --restrict-to-repo ~/backup/",restrict ssh-...

    # to get the needed command, but no output
    command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND",restrict ssh-...

    # and I also try to get the ssh command by a script, also without
    # any record in log file
    command="/home/borg/logssh.sh",restrict ssh-....

    $ cat logssh.sh
    #!/bin/sh
    if [ -n "$SSH_ORIGINAL_COMMAND" ]
    then
        echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" >> $HOME/ssh-command-log
        exec $SSH_ORIGINAL_COMMAND
    fi

Without any restrictions to the key, the script can run the pull backup 
with Borg Backup successfully; with command restriction it fails every time.

Is there any possible solution to only allow running the Borg Backup for 
this key behind the ssh tunnel, or what's the correct command in this 
solution?

Best regards
Benjamin

-- 
Benjamin Knoth
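
Added example, not part of the original message or of the Borg project: a forced-command wrapper for the key used for `borg serve`. It logs every session, including ones with no command, so an empty log shows that a connection never reached the forced command, and it never executes client-supplied text. The script name `borg-gate.sh`, the `BORG_GATE_LOG` variable and the assumption that the client requests a command beginning with `borg serve` are hypothetical; the log path and the `borg serve` options are the ones quoted in the message.

```sh
#!/bin/sh
# Added example (hypothetical name: borg-gate.sh). authorized_keys entry:
#   command="/home/borg/borg-gate.sh",restrict ssh-...
LOG="${BORG_GATE_LOG:-$HOME/ssh-command-log}"

# classify CMD: prints "allow" for a borg serve request, "deny" otherwise.
# Assumption: the borg client asks for a command starting with "borg serve".
classify() {
    case "$1" in
        "borg serve"|"borg serve "*) echo allow ;;
        *) echo deny ;;    # includes the empty command (interactive login)
    esac
}

# log_request CMD VERDICT: one line per session, even when CMD is empty.
log_request() {
    printf '%s client=%s cmd=[%s] verdict=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SSH_CONNECTION:-none}" \
        "$1" "$2" >> "$LOG"
}

# gate CMD: log the request, then run the fixed server-side command or refuse.
gate() {
    verdict=$(classify "$1")
    log_request "$1" "$verdict"
    if [ "$verdict" != allow ]; then
        echo "rejected: this key may only run borg serve" >&2
        return 1
    fi
    # Unlike "exec $SSH_ORIGINAL_COMMAND", the client's arguments are
    # discarded; only this fixed command line is ever executed.
    exec borg serve --append-only --restrict-to-repo "$HOME/backup/"
}

# sshd sets SSH_CONNECTION for every session; act only when invoked by sshd.
if [ -n "${SSH_CONNECTION:-}" ]; then
    gate "${SSH_ORIGINAL_COMMAND:-}" || exit 1
fi
```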

