
I want to use restic for remote backups, but seeing as SFTP and SSH will both require access to the system, is there some way to configure the SSH access to the server in such a way that the directories accessible by SSH and SFTP are protected from each other?

By that I mean connecting to the server using the SSH key for normal user logons (which grant access to a terminal) will not grant access to the directories used for the restic backup, and vice versa, i.e. connection with SFTP will not grant access to the terminal like the regular logon.

The idea is that if one of the keys gets compromised the other will not be affected.

The only way I can think of is if the HTTP based remote server option is used, which can probably create directories that cannot be directly accessed from the regular user login.

  • What SSH server are you using? This constraint must of course be set up server-side, so it will depend on the SSH implementation on the server. Commented Feb 21, 2024 at 20:56
  • > What SSH server are you using? OpenSSH Commented Feb 22, 2024 at 5:55
  • Are you using the same user for SFTP backups and regular SSH access? Commented Feb 22, 2024 at 6:07
  • @muru To keep things simpler I would prefer to. Commented Feb 22, 2024 at 18:39

1 Answer


> By that I mean connecting to the server using the SSH key for normal user logons (which grant access to a terminal) will not grant access to the directories used for the restic backup

Separate keys or separate ports will not help with that – you can only achieve this by creating a second user account. It is the simplest method for file access separation.

> and vice versa, i.e. connection with SFTP will not grant access to the terminal like the regular logon.

This can be achieved through the "Forced command" setting on the server side, either in its configuration (sshd_config) or in the authorized_keys file.
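
The two server-side options this answer names, as an added example that is not part of the original answer. It assumes OpenSSH 7.4 or later; the account name `restic-backup`, the path `/srv/restic` and the key comment are hypothetical, and the key material is a placeholder.

```conf
# --- /etc/ssh/sshd_config (server side) ---------------------------------
# Assumption: "restic-backup" is a hypothetical second account used only
# for backups; /srv/restic is a hypothetical repository root.
# Put the Match block at the end of the file: everything after a Match
# line applies only to that match, until the next Match or end of file.

Match User restic-backup
    # Whatever command the client requests, run the in-process SFTP
    # server instead. It needs no shell or binaries inside the chroot.
    ForceCommand internal-sftp
    # Confine the session to this tree. sshd requires that this path and
    # every parent directory are owned by root and are not writable by
    # group or others.
    ChrootDirectory /srv/restic
    # No terminal and no port, agent or X11 forwarding for this account.
    PermitTTY no
    DisableForwarding yes
    # Keys only: a guessed password must not open the backup account.
    PasswordAuthentication no

# Directory layout that goes with the block above:
#   /srv/restic        owner root            mode 0755  (chroot root)
#   /srv/restic/repo   owner restic-backup   mode 0700  (restic repository)
# Inside the chroot the client sees the repository as /repo, so the
# restic repository string is  sftp:restic-backup@HOST:/repo

# --- ~/.ssh/authorized_keys (per-key alternative) -----------------------
# "restrict" disables PTY allocation, all forwarding and ~/.ssh/rc for
# this one key; command= forces the SFTP server. This limits what the key
# can run, not which files it can reach: the key still has the file
# permissions of the account it logs in to.
restrict,command="internal-sftp" ssh-ed25519 AAAA...PLACEHOLDER... restic-backup-key
```

Run `sshd -t` after editing sshd_config and before reloading the daemon, so a syntax error is caught while the existing sessions still work.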
