
#1 2023-12-01 15:23:52

lucianh
Member
Registered: 2018-03-07
Posts: 7

Managing ssh keys for root systemd processes

Hi,

I want to set up a backup process using Borg that connects to a remote NAS. Borg uses ssh to connect to the remote machine, which means I'm going to need some sort of passwordless ssh access if I want this to run on a schedule in the background. I'm reluctant to give root an ssh key to my NAS that has no passphrase, so that leaves me looking for some sort of ssh-agent-type solution. Ideally (I think) I want something that prompts me for the passphrase for this key when I log in as my normal user, and somehow loads this into an ssh-agent that the systemd unit can access, but it's not clear to me how I can achieve this.

Any pointers?

Thanks!


#2 2023-12-01 17:51:53

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,056

Re: Managing ssh keys for root systemd processes

Start ssh-agent as root w/ a well-defined SSH_AUTH_SOCK (-a) and import/add the environment to the borg service.
Then, when logging in, "sudo env SSH_AUTH_SOCK=… ssh-add …" the key to that agent.

A pitfall might be that the borg by this time may already have tried to assimilate your NAS, failed the ssh authentication and surrendered to the dominion. Or something like that.
IOW, adding the key this way might be toolate™ if you auto-start the borg service, so your regular-ass user login might have to do both, first add the key, then start the borg service.

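The setup seth describes, written out as an added example (not posted in the thread): a root ssh-agent bound to a fixed socket, a borg unit that inherits that socket and refuses to run until a key has been added, and the user-side step that unlocks the key and then starts the backup. The socket path, unit names, key path and backup script path are placeholders I chose, not anything from the thread.

```shell
#!/bin/sh
# Assumed (placeholder) paths; adjust to taste.
AGENT_SOCK="${AGENT_SOCK:-/run/ssh-agent-root.sock}"
NAS_KEY="${NAS_KEY:-/root/.ssh/id_ed25519_nas}"

# ssh-agent-root.service: root's agent on a fixed socket so other units can find it.
# The socket is created 0600 root-owned, so only root (or sudo) can use the key.
agent_unit() {
cat <<EOF
[Unit]
Description=Root ssh-agent on a fixed socket for scheduled backups

[Service]
# -D: stay in the foreground; -a: bind the socket at the well-known path
ExecStart=/usr/bin/ssh-agent -D -a ${AGENT_SOCK}

[Install]
WantedBy=multi-user.target
EOF
}

# borg-backup.service: gets SSH_AUTH_SOCK from the unit environment and, to avoid
# seth's "too late" pitfall, fails fast instead of hanging on a passphrase prompt
# when the key has not been added to the agent yet (ssh-add -l exits 1 if empty).
borg_unit() {
cat <<EOF
[Unit]
Description=Borg backup to NAS
Requires=ssh-agent-root.service
After=ssh-agent-root.service network-online.target

[Service]
Type=oneshot
Environment=SSH_AUTH_SOCK=${AGENT_SOCK}
Environment=BORG_RSH=ssh -o BatchMode=yes
ExecStartPre=/usr/bin/ssh-add -l
ExecStart=/usr/local/bin/borg-backup.sh
EOF
}

# Run by the regular user after login: unlock the key into root's agent
# (passphrase prompted here, once), then kick off the backup service.
unlock_and_backup() {
  sudo env SSH_AUTH_SOCK="${AGENT_SOCK}" ssh-add "${NAS_KEY}" &&
  sudo systemctl start borg-backup.service
}
```

Write the two heredocs to /etc/systemd/system/ssh-agent-root.service and borg-backup.service, enable the agent unit, and call unlock_and_backup from your login shell or a user-level systemd unit.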

#3 2023-12-01 18:25:28

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,490

Re: Managing ssh keys for root systemd processes

Borg's default ssh example uses ssh via fuse, i.e. if you only want to back up /home/user there is no need for root and you can run a systemd-user unit to automate the backup sometime after you login.
Another option is you restrict the ssh destination on your NAS to the backup path, for example by setting up a restricted user to ssh to. There is also a scponly jail option.
