TISbackup

Author	SHA1	Message	Date
k3nny	2533b56549	feat(security): modernize SSH key algorithm support with Ed25519 Replace deprecated DSA key support with modern SSH key algorithms, prioritizing Ed25519 as the most secure option. Changes: - Add load_ssh_private_key() helper function in common.py - Support Ed25519 (preferred), ECDSA, and RSA key types - Remove deprecated and insecure DSA key support - Update all SSH key loading across backup drivers: * common.py: do_preexec, do_postexec, run_remote_command * backup_mysql.py * backup_pgsql.py * backup_sqlserver.py * backup_oracle.py * backup_samba4.py - Add ssh_port parameter to preexec/postexec connections - Update README.md with SSH key generation instructions - Document supported algorithms and migration path Algorithm priority: 1. Ed25519 (most secure, modern, fast, timing-attack resistant) 2. ECDSA (secure, widely supported) 3. RSA (legacy support, requires 2048+ bits) Security improvements: - Eliminates vulnerable DSA algorithm (1024-bit limit, FIPS deprecated) - Prioritizes elliptic curve cryptography (Ed25519, ECDSA) - Provides clear error messages for unsupported key types - Maintains backward compatibility with existing RSA keys Documentation: - Add SSH key generation examples to README.md - Update expected directory structure to show Ed25519 keys - Add migration notes in SECURITY_IMPROVEMENTS.md - Include key generation commands for all supported types Breaking change: - DSA keys are no longer supported and will fail with clear error message - Users must migrate to Ed25519, ECDSA, or RSA (4096-bit recommended) Migration: ```bash # Generate new Ed25519 key ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 # Copy to remote servers ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote ``` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-05 01:39:17 +02:00
k3nny	68ff4238e0	fix(security): remove hardcoded Flask secret key Replace hardcoded Flask secret key with environment variable to prevent session hijacking and CSRF attacks. Changes: - Load secret key from TISBACKUP_SECRET_KEY environment variable - Fall back to cryptographically secure random key using secrets module - Log warning when random key is used (sessions won't persist) - Add environment variable example to README.md Docker Compose config - Add setup instructions in Configuration section Security improvements: - Eliminates hardcoded secret in source code - Uses secrets.token_hex(32) for cryptographically strong random generation - Sessions remain secure even without env var (though won't persist) - Prevents session hijacking and CSRF bypass attacks Documentation: - Update README.md with TISBACKUP_SECRET_KEY setup instructions - Include command to generate secure random key - Update SECURITY_IMPROVEMENTS.md with implementation details - Mark hardcoded secret key issue as resolved Setup: ```bash # Generate secure key python3 -c "import secrets; print(secrets.token_hex(32))" # Set in environment export TISBACKUP_SECRET_KEY=your-key-here ``` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-05 01:29:16 +02:00
k3nny	da50051a3f	Python 3.13 + add nginx reverse-proxy All checks were successful lint / docker (push) Successful in 14m2s Details	2025-03-07 22:24:27 +01:00
k3nny	8ef9bbde06	improve README.md All checks were successful lint / docker (push) Successful in 9m15s Details	2024-11-30 00:20:51 +01:00
Vincent CARDON	4e4165958b	README.md and tranquil-it-contacts.rst	2020-11-23 15:34:28 +01:00
Vincent CARDON	ee7dd47a3b	Mise à jour de 'README.md'	2020-11-20 14:52:00 +01:00
Vincent CARDON	90631ba547	README.md	2020-11-20 10:58:47 +01:00
ssamson-tis	22cbd2ff07	Modification du README	2013-05-23 10:24:24 +02:00
ssamson-tis	bd05ae8f25	Fist commit	2013-05-23 10:19:43 +02:00
Vincent CARDON	cd150a78f2	Initial commit	2012-08-30 08:34:39 -07:00

10 Commits