1SSH_FILTER_BTRBK(1) Btrbk Manual SSH_FILTER_BTRBK(1)
2
3
4
6 ssh_filter_btrbk - ssh command filter script for btrbk
7
9 ssh_filter_btrbk.sh [-s|--source] [-t|--target] [-d|--delete]
10 [-i|--info] [--snapshot] [--send] [--receive]
11 [-p|--restrict-path <path>] [-l|--log] [--sudo]
12
14 ssh_filter_btrbk.sh restricts SSH commands to commands used by btrbk.
15 It examines the SSH_ORIGINAL_COMMAND environment variable (set by sshd)
16 and executes it only if it contains commands used by btrbk.
17
18 The accepted commands are specified by the "--source", "--target",
19 "--delete" and "--info" options.
20
21 The following commands are always allowed:
22
23 • "btrfs subvolume show"
24
25 • "btrfs subvolume list"
26
27 • "readlink"
28
29 • "cat /proc/self/mountinfo"
30
31 • pipes through "gzip", "pigz", "bzip2", "pbzip2", "xz", "lzop",
32 "lz4" (stream_compress)
33
34 • pipes through "mbuffer" (stream_buffer)
35
36 • pipes through "pv -L" (rate_limit)
37
38 Example line in /root/.ssh/authorized_keys on a backup target host:
39
40 command="ssh_filter_btrbk.sh --target --delete --restrict-path /mnt/btr_backup" ssh-rsa AAAAB3NzaC1...hwumXFRQBL btrbk@mydomain.com
41
43 -s, --source
44 Allow commands for backup source: "btrfs subvolume snapshot",
45 "btrfs send". Equivalent to "--snapshot --send".
46
47 -t, --target
48 Allow commands for backup target: "btrfs receive".
49
50 -d, --delete
51 Allow commands for subvolume deletion: "btrfs subvolume delete".
52 This is used for backup source if snapshot_preserve_daily is not
53 set to “all”, and for backup targets if target_preserve_daily is
54 not set to “all”.
55
56 -i, --info
57 Allow informative commands: "btrfs subvolume find-new", "btrfs
58 filesystem usage". This is used by btrbk info and diff commands.
59
60 --snapshot
61 Allow btrfs snapshot command: "btrfs subvolume snapshot".
62
63 --send
64 Allow btrfs send command: "btrfs send".
65
66 --receive
67 Allow btrfs receive command: "btrfs receive".
68
69 -p, --restrict-path <path>
70 Restrict btrfs commands to <path>.
71
72 -l, --log
73 Log ACCEPT and REJECT messages to the system log.
74
75 --sudo
76 Allow btrfs commands to be called via sudo. Enable this if you have
77 "backend btrfs-progs-sudo" in your btrbk configuration file.
78
80 Please refer to the btrbk project page https://digint.ch/btrbk/ for
81 further details.
82
84 btrbk(1), btrbk.conf(5), btrfs(8)
85
87 Axel Burri axel@tty0.ch
88
89
90
91Btrbk 0.28.3 2019-07-28 SSH_FILTER_BTRBK(1)