Date: Fri, 19 Aug 2011 10:13:23 -0700
Subject: Re: [gentoo-user] {OT} rdiff-backup: push or pull?
From: Grant
To: gentoo-user@lists.gentoo.org

>> I created the backup users and everything works as long as the backup
>> users have shells on the backup server and are listed in AllowUsers in
>> /etc/ssh/sshd_config on the backup server. Did I do something wrong
>> or should the backup users need shells and to be listed in AllowUsers?
>
> I'm not too familiar with rsync backups. A shell might be required, but if you
> set the command run on the server-side in the "authorized_keys" it should
> prevent any other command from being run.

I'm actually talking about rdiff-backup. I'm prompted for a password
if the backup user doesn't have a shell. Are you able to rdiff-backup
without a shell on the backup server?

>> Should I set up any extra restrictions for them in sshd_config?
>
> I have disabled all password-logins and only allow shared-key logins.

I want to be prompted for a password with my normal user but I want
the backup users to be restricted. I tried
'ChallengeResponseAuthentication no' within a Match block for a backup
user but ChallengeResponseAuthentication isn't allowed in a Match
block. Are my options to restrict all users or none?

- Grant
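
The "authorized_keys" command restriction mentioned in the quoted reply, sketched as a forced-command gate for a backup-only key. This is an added example, not part of the original message and not code from rdiff-backup. The script path, `BACKUP_ROOT`, the key placeholder, and the assumption that the client sends the rdiff-backup 1.x default remote command (`rdiff-backup --server`) are all hypothetical and should be adjusted to the installed version.

```shell
#!/bin/sh
# Forced-command gate for a backup-only SSH key (added example).
# Assumed authorized_keys entry on the backup server, all on one line:
#   command="/usr/local/bin/backup-gate.sh --enforce",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... backup-key
# sshd starts the command= program through the account's login shell and
# places whatever the client asked for in SSH_ORIGINAL_COMMAND.

# Assumption: the client uses the rdiff-backup 1.x default remote command.
ALLOWED_CMD='rdiff-backup --server'
# Hypothetical repository root that this key may touch.
BACKUP_ROOT='/var/backups/hosts'

# gate_decide REQUESTED -> prints "allow" or "deny:<reason>", returns 0 or 1.
# The exact-match test is the control; the earlier branches only give the
# log line a more specific reason.
gate_decide() {
    requested=$1
    case $requested in
        '')
            echo 'deny:interactive-login'; return 1 ;;
        *[\;\&\|\<\>\`\$\(\)]*)
            echo 'deny:shell-metacharacter'; return 1 ;;
    esac
    if [ "$requested" = "$ALLOWED_CMD" ]; then
        echo 'allow'; return 0
    fi
    echo 'deny:unexpected-command'; return 1
}

# Only act when invoked as the forced command (the --enforce argument).
if [ "${1:-}" = '--enforce' ]; then
    if verdict=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}"); then
        # Ignore the client's string; run a fixed command line instead.
        exec rdiff-backup --server --restrict "$BACKUP_ROOT"
    fi
    logger -t backup-gate "refused ($verdict) for $(id -un)" 2>/dev/null
    echo 'backup-gate: command refused' >&2
    exit 1
fi
```

Because the gate replaces the client's request with a fixed command line, a key carrying this entry can only start the rdiff-backup server confined to `BACKUP_ROOT`, whatever the client sends.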