I have backuppc making full backups of servers, but I'd like to be sure that my set up is as paranoid as possible. BackupPC is set up to backup via rsync, and it is set up to use a specific user on each client to be backed up. Because the backuppc client user has to have access to every file on the client machine and the ability to ssh into the machine without an interactive password, I'm a little nervous about securing the clients, and I'd like to know I haven't overlooked any options.

Here's what I have in place: in the client user's authorized_keys file, i've included from="IPTOSERVER",command="/usr/bin/rsync" before the user's public key, so that the user can only login coming from the BackupPC server.

Next, in the sudoers file, I've added this line:

backuppc ALL=NOPASSWD: /usr/bin/rsync

to allow root-level permissions only for the rsync command for that user.

Are there other user, policy, or ssh restrictions that I can add while still allowing the backup pc client user to rsync all files?