I wish to replicate the file system storage/photos
from source
to destination
without enabling ssh login as root. I've tried a number of different combinations such as:
sudo zfs send -R storage/photos@frequent_2015-02-12_18:15 | ssh example.com sudo zfs recieve storage/photos
sudo zfs send -R storage/photos@frequent_2015-02-12_18:15 | ssh example.com su -c zfs recieve storage/photos
sudo zfs send -R storage/photos@frequent_2015-02-12_18:15 | ssh example.com 'sudo -S zfs recieve storage/photos <~/topsecret'
I can't use sudo -S to pass the password as the zfs stream is already hooked up to the standard input. And the two examples above that expects an interactive terminal and not stdin.
Perhaps it's silly not to want to enable root login on a server. But it leaves one more thing for a brute force attacker to guess which is nice.
Best Answer
This doesn't completely remove root login, but it does secure things beyond a full-featured login.
Set up an SSH trust by copying the local user's public key (usually
~/.ssh/id_rsa.pub
) to the authorized_keys file (~/.ssh/authorized_keys
) for the remote user. This eliminates password prompts, and improves security as SSH keys are harder to bruteforce. You probably also want to make sure thatsshd_config
hasPermitRootLogin without-password
-- this restricts remote root logins to SSH keys only (even the correct password will fail).You can then add security by using the
ForceCommand
directive in the authorized_keys file to permit only the zfs command to be executed.