I set up a PoC for a pull backup with Borg Backup.
In this example a client can only reach the backup server behind a proxy server.
In this case the server where Borg Backup is running opens a temporary ssh tunnel over a proxy server and starts the pull backup on the client. After the backup is done, the ssh tunnel is closed. Everything runs in this scenario.
For more security I created a separate ssh key for every action. In authorized_keys I also started to add a command restriction for every action. Without command restriction the Borg backup runs successfully, but with command restriction it fails every time with the following message:
Remote: ssh_exchange_identification: read: Connection reset by peer
Connection closed by remote host. Is borg working on the server?
I tried different commands without success.
# example from the Borg website, which works in a simple scenario where the Borg server and client can reach each other.
command="borg serve --append-only --restrict-to-repo ~/backup/",restrict ssh-...
# to get the needed command, but no output
command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND",restrict ssh-...
# and I also tried to get the ssh command via a script, also without any record in the log file
command="/home/borg/logssh.sh",restrict ssh-....
$ cat logssh.sh
#!/bin/sh
# Forced command: log the command the ssh client asked for, then run it.
if [ -n "$SSH_ORIGINAL_COMMAND" ]
then
    echo "$(/bin/date): $SSH_ORIGINAL_COMMAND" >> "$HOME/ssh-command-log"
    # Left unquoted on purpose so the logged string is split back into words.
    exec $SSH_ORIGINAL_COMMAND
fi
Without any restrictions on the key, the script can run the pull backup with Borg Backup successfully; with command restriction it fails every time.
Is there any possible solution to allow only running the Borg Backup for this key behind the ssh tunnel, or what is the correct command in this setup?
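For comparison, here is a forced-command wrapper of the kind the question is trying to build, written as an added example (it is not the poster's script and not part of Borg). It logs every SSH_ORIGINAL_COMMAND it receives, accepts only a `borg serve` invocation, and then runs `borg serve` with options pinned on the server instead of whatever argument list the client sent. The path /home/borg/borg-wrapper.sh, the log file location, the repository path and the --dispatch flag are assumptions made for this example.

```shell
#!/bin/sh
# borg-wrapper.sh: forced command for a dedicated "borg serve" ssh key.
# Added example; paths, the --dispatch flag and the log location are assumptions.
#
# authorized_keys entry this script is meant for (key material elided):
#   command="/home/borg/borg-wrapper.sh --dispatch",restrict ssh-ed25519 AAAA... borg-serve
#
# sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND and
# runs this script instead. The script logs the request, accepts only a
# "borg serve" invocation, and then execs borg serve with options pinned
# here, so nothing the client sends is ever executed as-is.

LOGFILE="${BORG_WRAPPER_LOG:-$HOME/ssh-command-log}"  # assumed log location
REPO_DIR="${BORG_WRAPPER_REPO:-$HOME/backup}"         # assumed repository path

# log_line MESSAGE: append one timestamped line to the log file.
log_line() {
    printf '%s: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$1" >> "$LOGFILE"
}

# allowed_command CMD: exit status 0 if CMD is "borg serve ..." (optionally
# with a path prefix such as /usr/local/bin/borg), 1 for anything else.
# This only classifies the request; the options actually run come from dispatch().
allowed_command() {
    case "$1" in
        "borg serve"|"borg serve "*)       return 0 ;;
        */borg" serve"|*/borg" serve "*)   return 0 ;;
        *)                                 return 1 ;;
    esac
}

# dispatch: the forced-command entry point.
dispatch() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if [ -z "$cmd" ]; then
        log_line "REJECTED: no command (interactive login attempt)"
        exit 1
    fi
    if allowed_command "$cmd"; then
        log_line "ALLOWED: $cmd"
        # Client-supplied options are deliberately ignored: the repository
        # path and append-only mode are decided on the server side.
        exec borg serve --append-only --restrict-to-repository "$REPO_DIR"
    fi
    log_line "REJECTED: $cmd"
    exit 1
}

# Only act as the forced command when invoked with --dispatch; sourcing the
# file (for tests) just defines the functions above.
if [ "${1:-}" = "--dispatch" ]; then
    dispatch
fi
```

Two points worth checking in a setup like the one described: the `restrict` option in authorized_keys also disables port forwarding, so a key that has to carry an ssh tunnel needs `restrict,port-forwarding` to re-enable it; and a forced command replaces the client's command entirely, which is why the wrapper pins the `borg serve` options itself rather than trusting the client's argument list.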