Let’s say that I have two computers on the LAN. One is a CentOS server, and the other is an RPI (one) with an attached USB external HDD.
I would like to back up the CentOS user data, as well as the /etc folder, to the RPI by using rsync, which will be executed on the RPI. Because of the /etc folder, I need remote root access on the CentOS server.
Executing the backup by rsyncing from CentOS to the RPI is not an option, because of security. The RPI will be able to connect to the CentOS server and to send an email from the backup script. Everything else will be blocked.
Three options are coming to my mind:
- sshd PermitRootLogin on on centos
- create another root account on centos
- use cron on centos in order to tar the /etc folder to the folder accessible by the centos backup user account
The first option is simpler. I will enable the root account and then set PermitRootLogin = without-password, so I will use private/public keys for accessing the CentOS server from the RPI by using the root account.
Someone could try to break in by trying to guess root’s private/public keys, which is practically impossible (considering that the IP changes every 24 hours [adsl]).
The second approach is to create a second root account. This option is kind of similar to the first option, but if someone wants to break in, they have to guess a user name as well as the private/public keys.
This option is kind of a little bit more secure than the first one.
I don’t know whether I have to enable PermitRootLogin in order to be able to connect with the second root CentOS account from the RPI.
The third option is to prohibit root login (PermitRootLogin = no), use cron on CentOS to tar the /etc folder to a place that is accessible by the CentOS backup user, and then use the backup user for rsyncing from the RPI.
I am not sure which option is the best and the most secure.
Maybe there are more than these three options.
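
The staging step of the third option, sketched as an added example that is not part of the original post. The group name `backup`, the staging path `/var/backups/etc-stage`, the script path, the host name `centos-server` and the RPI mount point are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: root's cron job tars /etc into a staging directory that an
# unprivileged backup account can read but not modify. All names are assumed.

# stage_etc SRC_DIR STAGE_DIR [GROUP]
# Writes STAGE_DIR/etc-latest.tar.gz; readable by GROUP if given, else root only.
stage_etc() {
    se_src="$1"; se_stage="$2"; se_group="${3:-}"; se_rc=0
    [ -d "$se_src" ] || { echo "stage_etc: $se_src is not a directory" >&2; return 1; }
    # The directory stays owned by root, so the backup account can never
    # replace or symlink files that root later writes into it.
    mkdir -p "$se_stage" && chmod 700 "$se_stage" || return 1
    # mktemp creates the file with mode 0600: the archive (which includes
    # root-only files such as /etc/shadow) is never world-readable.
    se_tmp="$(mktemp "$se_stage/.etc.XXXXXX")" || return 1
    # Archive relative to the parent so entries are stored as "etc/...".
    tar -czf "$se_tmp" -C "$(dirname "$se_src")" "$(basename "$se_src")" || se_rc=$?
    # GNU tar exits 1 when a file changed while being read; the archive is
    # still usable. Anything above 1 is a real failure.
    if [ "$se_rc" -gt 1 ]; then rm -f "$se_tmp"; return 1; fi
    if [ -n "$se_group" ]; then
        chgrp "$se_group" "$se_stage" "$se_tmp" && chmod 750 "$se_stage" \
            && chmod 640 "$se_tmp" || { rm -f "$se_tmp"; return 1; }
    fi
    # rename() is atomic on one filesystem: rsync never sees a partial archive.
    mv -f "$se_tmp" "$se_stage/etc-latest.tar.gz"
}

# Root crontab entry on the CentOS server (script path is an assumption):
#   30 2 * * * /usr/local/sbin/stage-etc.sh /etc /var/backups/etc-stage backup
# Pull from the RPI as the unprivileged account, with PermitRootLogin no:
#   rsync -a -e ssh backup@centos-server:/var/backups/etc-stage/ /mnt/usbhdd/centos-etc/

# Run only when called with arguments, e.g. from the cron entry above.
if [ "$#" -ge 2 ]; then
    stage_etc "$@"
fi
```

Anyone who can read the staged archive can read every file in /etc, including the password hashes, so the backup account's key and the RPI's disk need the same protection a root backup would.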