Re: passwordless rsync?

On 05/28/2015 03:38 PM, Suvayu Ali wrote:
> Hi Alan,
>
> Please do not top post (please read the mailing list guidelines at the
> bottom of each message).
>
> On Thu, May 28, 2015 at 02:14:16PM -0700, Alan Evans wrote:
>> On Thu, May 28, 2015 at 1:59 PM, Dustin Kempter <dustink@xxxxxxxxxxxxxxxxxxx>
>> wrote:
>>
>>> Hi all, I've been looking into a way to run rsync from server1 to server2
>>> using ssh-keys
>>> but not allowing the user from server 1 to login to server2 or to run any
>>> other commands
>>> only rsync. I've seen a few postings of how to do it, where they add a
>>> command="some command" line in the .ssh/authorized_keys file. But I can't
>>> seem to see the same result even when I copy and paste what they had. Any
>>> advice or help would
>>> be greatly appreciated.
>>
>> google "ssh-keygen". You will find things like:
>> http://www.linuxproblem.org/art_9.html and similar.
>
> I believe the OP already tried that.  He mentions .ssh/authorized_keys
> in the email.
>
> Dustin, I have faced this problem too!  For some reason the
> command='somecommand' trick does not work.  I think some magic
> incantation is missing from the docs.  I would also like to know the
> answer to this.

It absolutely works. The trick is that the ~username/.ssh/authorized_keys file entries should look like:

command="ls -l /var" ssh-dss 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 root@xxxxxxxxxxxxxxxxxxxxxxx

The above example allows root on my desktop to log into my laptop and
is an example of an ssh V2 entry using DSA encryption (yes, I know it's
not good for root, but both are behind several layers of firewalls and
I'm safe).

Note that the 'command="some command"' is the FIRST field in a given
key stanza, followed by a space, the key type, a space, the key, a
space, then the comment (typically the name of the key). If I log into
my laptop from my desktop with that entry in the laptop's
"~root/.ssh/authorized_keys" file, this happens:

[root@prophead local]# ssh golem4
total 112
drwxr-xr-x.   2 root root  4096 Aug 17  2014 account
drwxr-xr-x.   2 root root  4096 Nov 18  2014 adm
drwxr-xr-x.  25 root root  4096 Jan  9 13:53 cache
drwxr-xr-x.   2 root root  4096 Jan 12 21:59 crash
drwxr-xr-x.   3 root root  4096 Mar 10 10:13 db
drwxr-xr-x.   3 root root  4096 Jan 13 14:16 empty
drwxr-xr-x.   3 root root  4096 Aug 18  2014 ftp
drwxr-xr-x.   2 root root  4096 Nov 18  2014 games
drwx--x--x    2 gdm  gdm   4096 Jul 29  2013 gdm
drwxr-xr-x.   2 root root  4096 Nov 18  2014 gopher
drwxr-xr-x.   3 root root  4096 Mar 17 09:49 kerberos
drwxr-xr-x.  80 root root  4096 May 28 03:22 lib
drwxr-xr-x.   2 root root  4096 Nov 18  2014 local
lrwxrwxrwx.   1 root root    11 May 13  2011 lock -> ../run/lock
drwxr-xr-x.  34 root root 12288 May 28 03:22 log
lrwxrwxrwx    1 root root    10 Nov 18  2014 mail -> spool/mail
drwxr-xr-x.   2 root root  4096 Nov 18  2014 nis
drwxr-xr-x.   2 root root  4096 Nov 18  2014 opt
drwxr-xr-x.   2 root root  4096 Nov 18  2014 preserve
lrwxrwxrwx.   1 root root     6 May 13  2011 run -> ../run
drwxr-xr-x.  16 root root  4096 Nov 18  2014 spool
drwxrwxrwt. 276 root root 20480 May 27 14:47 tmp
drwxr-xr-x.   6 root root  4096 Dec 17 02:07 www
drwxr-xr-x.   2 root root  4096 Nov 18  2014 yp
Connection to golem4 closed.
[root@prophead local]#

If I remove the 'command="ls -l /var"' bit and log in again:

[root@prophead local]# ssh golem4
Last login: Thu May 28 15:57:44 2015 from 192.168.1.50
[root@golem4 ~]#

Eh, voila!
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-   Never test for an error condition you don't know how to handle.  -
----------------------------------------------------------------------
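
The forced command in the entry above runs one fixed command no matter what the client asked for, which is fine for a demonstration but not for the original poster's case: there the command has to look at what the client actually sent (sshd passes it to the forced command in the SSH_ORIGINAL_COMMAND environment variable) and start rsync only when the request is a well-formed rsync server invocation confined to one directory, refusing everything else, including a plain "ssh server2" with no command at all. The wrapper below is an added example of that pattern; it is not from this thread or from the rsync project (rsync ships its own, more complete wrapper, rrsync, in its support directory). It assumes the script is installed on server2 as /usr/local/bin/rsync-guard, that the exported tree is /srv/backup, and that the key should be pull-only (clients may download from server2, never upload to it); the key material and comment in the authorized_keys line are placeholders. The entry uses the "restrict" option (OpenSSH 7.2 and later; older servers need the no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding list instead) and an ed25519 key, because ssh-dss keys like the one in the entry above have been refused by default since OpenSSH 7.0.

```shell
#!/bin/sh
# rsync-guard: forced-command wrapper that lets an ssh key run rsync and
# nothing else.  Added example, not from the thread or the rsync project.
#
# Assumed authorized_keys entry on server2 (key and comment are placeholders):
#   restrict,command="/usr/local/bin/rsync-guard" ssh-ed25519 AAAA... backup@server1
# On OpenSSH older than 7.2 replace "restrict" with
#   no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding
#
# With command= in place, sshd ignores what the client asked to run and starts
# this script instead, passing the client's request in SSH_ORIGINAL_COMMAND.

ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/backup}"   # assumed export directory
ALLOWED_MODE="${ALLOWED_MODE:-ro}"            # ro: client may only download

# rsync_guard_check CMD ROOT [MODE]
# Returns 0 when CMD is "rsync --server ..." restricted to options from a
# small allow-list and to one absolute path under ROOT; 1 otherwise.
# MODE "ro" additionally requires --sender (the server sends, so nothing is
# written on the server side).  Everything is allow-listed: unknown long
# options, shell metacharacters and ".." are rejected rather than filtered.
rsync_guard_check() {
    cmd=$1
    root=$2
    mode=${3:-ro}
    [ -n "$cmd" ] || return 1

    # Split CMD into words without glob expansion, restoring the -f flag after.
    fflags=$-
    set -f
    set -- $cmd
    case $fflags in *f*) ;; *) set +f ;; esac

    [ "${1:-}" = rsync ] && [ "${2:-}" = --server ] || return 1
    shift 2

    sender=no
    path=
    for arg in "$@"; do
        case "$arg" in
            --sender) sender=yes ;;
            --delete|--delete-during|--partial|--numeric-ids) ;;  # harmless long options
            --*) return 1 ;;                # anything else, e.g. --rsync-path, --remove-source-files
            -*) case "$arg" in              # short-option cluster such as -logDtpre.iLsfxC
                    *[!A-Za-z.-]*) return 1 ;;
                esac ;;
            .) ;;                           # rsync's placeholder for the local side
            *)  [ -z "$path" ] || return 1  # exactly one path argument
                path=$arg ;;
        esac
    done

    case "$path" in
        ''|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;   # empty, traversal, or odd characters
        "$root"|"$root"/*) ;;                      # inside the exported tree
        *) return 1 ;;
    esac

    if [ "$mode" = ro ] && [ "$sender" != yes ]; then
        return 1                            # an upload attempt against a read-only key
    fi
    return 0
}

# Act as the forced command only when invoked under the installed name, so the
# file can be sourced for testing without side effects.
if [ "${0##*/}" = rsync-guard ]; then
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # Plain "ssh server2" with this key: no command at all, so no shell.
        echo "rsync-guard: interactive login is not permitted with this key" >&2
        exit 1
    fi
    if rsync_guard_check "$SSH_ORIGINAL_COMMAND" "$ALLOWED_ROOT" "$ALLOWED_MODE"; then
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        shift                               # drop the leading "rsync"
        exec rsync "$@"
    fi
    logger -t rsync-guard "rejected from ${SSH_CLIENT:-unknown}: $SSH_ORIGINAL_COMMAND"
    echo "rsync-guard: command not permitted" >&2
    exit 1
fi
```

Install it with "install -m 0755 rsync-guard /usr/local/bin/" on server2; from server1, "rsync -av server2:/srv/backup/ /local/copy/" with the restricted key then works, while "ssh server2" with the same key prints the refusal and exits, and a push ("rsync -av /local/copy/ server2:/srv/backup/") is rejected because the server side would not be the sender. Rejections are logged through logger with the client address so that probing of the key shows up in syslog. If the account in question is root, setting "PermitRootLogin forced-commands-only" in sshd_config makes root's keys usable only through such a command= entry.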
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org