Requirements for remote backup repository

I used to have remote backup repositories with the following in /etc/ssh/sshd_config:

    ChrootDirectory %h
    ForceCommand internal-sftp

Since I reinstalled my FreedomBox, I had not set up the backup again. The address is of the form user@192.168.55.55:~/backup/. I try it now and I have this:

If I change the configuration of sshd and remove the two above restrictions, it works.

Was something changed so that it is no longer possible to restrict to sftp? Or is the chroot the problem?

My backup machine is used for many things, so I don’t like to allow users supposed to do a backup in one place to access anywhere, and even run a shell. Is there a way to avoid that?

EDIT: I tried creating the repository with the restrictions on sshd removed, then putting the restrictions on sshd back and doing a backup. That seems to be successful. So that could be the solution, although it looks a bit strange.

If I change the configuration of sshd and remove the two above restrictions, it works.

You may need to do all the key exchange steps. Have a look at FreedomBox Manual section 15.6 SSH Keys. Do the steps in both directions so that you have known keys, known hosts, etc. from backup client to FreedomBox and also FreedomBox to backup client.

Enable password authentication for SSH before you do these steps.

Thanks for looking at this.

Actually, even when the addition of the remote backup repository fails, the ssh host keys are successfully verified, as confirmed by the web interface (“SSH host already verified”).

I previously made myself a procedure to set up sshd on a GNU/Linux computer, with an account restricted to sftp and restricted to the home directory (the main difficulty is to get permissions right), and to set up a remote backup repository on it from FreedomBox. I applied that procedure several times and it always worked, until now. This is why I conclude that something has changed in FreedomBox.

I can still make it work by removing the restriction to sftp and the home directory, adding the remote backup repository, and putting the restrictions back; making a backup then still works.

That is general information on using ssh keys to log in to Freedombox, and is valid for ssh to any machine, but for backups, the web interface of Freedombox actually (unfortunately) does not support using ssh keys to add a remote backup repository.

Did you see the recent thread about ssh and pam? That is for Trixie and may be relevant.

Did you mean "pam-abl causes OpenSSH server to crash (#2533) · Issues · FreedomBox / FreedomBox · GitLab"?

The machine running sshd on which I am setting up a remote backup repository is not a FreedomBox; it is running Trisquel 11 (based on Ubuntu 22.04).
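
Added example, not part of any post in this thread: a shell check for the permission requirements that `ChrootDirectory` imposes (sshd refuses the session unless every component of the chroot path is a root-owned directory not writable by group or others), plus a check that the account has a subdirectory of its own to write the repository into. The function names, the script name and the `backupuser` account are hypothetical; GNU `stat` and `readlink -f` are assumed.

```shell
#!/bin/sh
# Added example (hypothetical names); assumes GNU stat(1) and readlink -f.

# check_component DIR [UID]: DIR must be a directory owned by UID (default 0,
# i.e. root) and must not be writable by group or others.
check_component() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    uid=$(stat -c %u "$dir"); mode=$(stat -c %a "$dir")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or world-writable"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot PATH: sshd applies the rule above to PATH and to every parent
# directory up to /, so walk the whole chain and report each component.
check_chroot() {
    path=$(readlink -f "$1") || return 1
    rc=0
    while :; do
        check_component "$path" 0 || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# check_upload_dir CHROOT SUBDIR USER: the chroot root cannot be writable by
# the account, so the repository needs a subdirectory that USER owns.
check_upload_dir() {
    sub="$1/$2"
    [ -d "$sub" ] || { echo "FAIL $sub: missing"; return 1; }
    owner=$(stat -c %U "$sub")
    [ "$owner" = "$3" ] || { echo "FAIL $sub: owner $owner, expected $3"; return 1; }
    echo "ok   $sub (owner $owner)"
}

# Usage: sh check-chroot.sh /home/backupuser backup backupuser
if [ $# -ge 3 ]; then
    check_chroot "$1" && check_upload_dir "$1" "$2" "$3"
fi
```

With `ChrootDirectory %h`, the first argument is the account's home directory, which is the path sshd validates at session start.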