k3nny/TISbackup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2533b56549
TISbackup/README.md
k3nny 2533b56549 feat(security): modernize SSH key algorithm support with Ed25519 
Replace deprecated DSA key support with modern SSH key algorithms,
prioritizing Ed25519 as the most secure option.

Changes:
- Add load_ssh_private_key() helper function in common.py
- Support Ed25519 (preferred), ECDSA, and RSA key types
- Remove deprecated and insecure DSA key support
- Update all SSH key loading across backup drivers:
  * common.py: do_preexec, do_postexec, run_remote_command
  * backup_mysql.py
  * backup_pgsql.py
  * backup_sqlserver.py
  * backup_oracle.py
  * backup_samba4.py
- Add ssh_port parameter to preexec/postexec connections
- Update README.md with SSH key generation instructions
- Document supported algorithms and migration path

Algorithm priority:
1. Ed25519 (most secure, modern, fast, timing-attack resistant)
2. ECDSA (secure, widely supported)
3. RSA (legacy support, requires 2048+ bits)

Security improvements:
- Eliminates vulnerable DSA algorithm (1024-bit limit, FIPS deprecated)
- Prioritizes elliptic curve cryptography (Ed25519, ECDSA)
- Provides clear error messages for unsupported key types
- Maintains backward compatibility with existing RSA keys

Documentation:
- Add SSH key generation examples to README.md
- Update expected directory structure to show Ed25519 keys
- Add migration notes in SECURITY_IMPROVEMENTS.md
- Include key generation commands for all supported types

Breaking change:
- DSA keys are no longer supported and will fail with clear error message
- Users must migrate to Ed25519, ECDSA, or RSA (4096-bit recommended)

Migration:
```bash
# Generate new Ed25519 key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

# Copy to remote servers
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:39:17 +02:00

179 lines
4.5 KiB
Markdown
Raw Blame History

# TISBackup
This is the repository of the TISBackup project, licensed under GPLv3.
TISBackup is a python script to backup servers.
It runs at regular intervals to retrieve different data types on remote hosts
such as database dumps, files, virtual machine images and metadata.
## Install using Compose
Clone that repository and build the pod image using the provided `Dockerfile`
```bash
docker build . -t tisbackup:latest
```
In another folder, create subfolders as following
```bash
mkdir -p /var/tisbackup/{backup/log,config,ssh}/
```
Expected structure
```
/var/tisbackup/
└─backup/ <-- backup location
└─config/
├── tisbackup-config.ini <-- backups config
└── tisbackup_gui.ini <-- tisbackup config
└─ssh/
├── id_ed25519 <-- SSH Private Key (Ed25519 recommended)
└── id_ed25519.pub <-- SSH Public Key
compose.yaml
```
Adapt the compose.yml file to suits your needs, one pod act as the WebUI front end and the other as the crond scheduler
```yaml
services:
tisbackup_gui:
container_name: tisbackup_gui
image: "tisbackup:latest"
build: .
volumes:
- ./config/:/etc/tis/
- ./backup/:/backup/
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
# SECURITY: Set a unique secret key for Flask session security
# Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
- TISBACKUP_SECRET_KEY=your-secret-key-here-change-me
restart: unless-stopped
ports:
- 9980:8080
tisbackup_cron:
container_name: tisbackup_cron
image: "tisbackup:latest"
build: .
volumes:
- ./config/:/etc/tis/
- ./ssh/:/config_ssh/
- ./backup/:/backup/
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
restart: always
command: "/bin/bash /opt/tisbackup/cron.sh"
```
## Configuration
### SSH Keys
* **Generate SSH keys** (Ed25519 recommended):
```bash
# Ed25519 (most secure, recommended)
ssh-keygen -t ed25519 -f ./ssh/id_ed25519 -C "tisbackup@yourserver"
# Or ECDSA (also secure)
ssh-keygen -t ecdsa -b 521 -f ./ssh/id_ecdsa -C "tisbackup@yourserver"
# Or RSA (legacy, minimum 2048 bits)
ssh-keygen -t rsa -b 4096 -f ./ssh/id_rsa -C "tisbackup@yourserver"
```
**⚠️ Note:** DSA keys are no longer supported due to security vulnerabilities
* Copy public key to remote servers:
```bash
ssh-copy-id -i ./ssh/id_ed25519.pub root@remote-server
```
### Configuration Files
* Setup config files in the `./config` directory
* **SECURITY**: Generate and set a secure Flask secret key:
```bash
# Generate a secure random secret key
python3 -c "import secrets; print(secrets.token_hex(32))"
```
Then add it to your `compose.yml` as the `TISBACKUP_SECRET_KEY` environment variable
**tisbackup-config.ini**
```ini
[global]
backup_base_dir = /backup/
# backup retention in days
backup_retention_time=90
# for nagios check in hours
maximum_backup_age=30
[srvads-poudlard-samba]
type=rsync+ssh
server_name=srvads.poudlard.lan
remote_dir=/var/lib/samba/
compression=True
;exclude_list="/proc/**","/sys/**","/dev/**"
# Use Ed25519 key (recommended), or ECDSA/RSA (DSA not supported)
private_key=/config_ssh/id_ed25519
ssh_port = 22
```
**tisbackup_gui.ini**
```ini
[general]
config_tisbackup= /etc/tis/tisbackup-config.ini
sections=
ADMIN_EMAIL=josebove@internet.fr
base_config_dir= /etc/tis/
backup_base_dir=/backup/
```
Run!
```bash
docker compose up -d
```
## NGINX reverse-proxy
Sample config file
```nginx
server {
listen 443 ssl http2;
# Remove '#' in the next line to enable IPv6
# listen [::]:443 ssl http2;
server_name tisbackup.poudlard.lan;
ssl_certificate /etc/letsencrypt/live/tisbackup.poudlard.lan/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tisbackup.poudlard.lan/privkey.pem; # managed by Certbot
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://localhost:9980/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
```
## About
[Tranquil IT](contact_at_tranquil_it) is the original author of TISBackup.
The documentation is provided under the license CC-BY-SA and can be found
on [readthedoc](https://tisbackup.readthedocs.io/en/latest/index.html).
Reference in New Issue View Git Blame Copy Permalink