Re: passwordless rsync?

[Rick Stevens <ricks@xxxxxxxxxxxxxx>]

On 05/28/2015 04:02 PM, Rick Stevens wrote:
> On 05/28/2015 03:38 PM, Suvayu Ali wrote:
> > Hi Alan,
> >
> > Please do not top post (please read the mailing list guidelines at the
> > bottom of each message).
> >
> > On Thu, May 28, 2015 at 02:14:16PM -0700, Alan Evans wrote:
> > > On Thu, May 28, 2015 at 1:59 PM, Dustin Kempter
> > > <dustink@xxxxxxxxxxxxxxxxxxx
> > > > wrote:
> > >
> > > > Hi all, Ive been looking into a way to run rsync from server1 to
> > > > server2
> > > > using ssh-keys
> > > > but not allowing the user from server 1 to login to server2 or to
> > > > run any
> > > > other commands
> > > > only rsync. Ive seen a few postings of how to do it, where they add a
> > > > command=“some command” line in the .ssh/authorized_keys file. But I
> > > > can’t
> > > > seem see the same result even when I copy and paste what they had. Any
> > > > advice or help would
> > > > be greatly appreciated.
> > >
> > > google "ssh-keygen". You will find things like:
> > > http://www.linuxproblem.org/art_9.html and similar.
> >
> > I believe the OP already tried that.  He mentions .ssh/authorized_keys
> > in the email.
> >
> > Dustin, I have faced this problem too!  For some reason the
> > command='somecommand' trick does not work.  I think some magic
> > incantation is missing from the docs.  I would also like to know the
> > answer to this.
>
> It absolutely works. The trick is that the
> ~username/.ssh/authorized_keys file entries should look like:
>
> command="ls -l /var" ssh-dss
> AAAAB3NzaC1kc3MAAACBAJKaULZpo3CiH2Nep14S1IZ6mhc4UkSAX0oWdYNvjH9gRzrFAXNT/Ha0xSTu6ZxPdn8zfpLZiJXxy28aP4XtzwiTIaTPG0VuUUJA1R8VJKqzBi2AMXf1sG3q+5UmCsfKaE3Eb3+7kotOsThaWNvcKuMI12kB0L6e2DT4PCZDtK7rAAAAFQCfGok/B1rqLMi3Tm4IiqMWVUXh/QAAAIBxUWgS0N3ez5ohA86V/atkG3yKoi10r0kGUE6uzLEEOH8A+ftyRrMfkUm2EAKLH29u8Eaq6h7wwmtzDQsYrn8nBN6J6DimpOMmB4FnYwELVh2Dl8xcaNiQJJxeWdlUJO6imwvZskZI1LKfNhs4l40hx1vSDkoRI8BNIncXoUbz7QAAAIAv79gtfuKrlx9Ygr+t/Tj7YGP8z6wKYdA/3Of6LdIQ3N9r4p39WIkBPuOyC+UO7cO9/odo+yu+mCeJ8M0ABBcIGQdjx9LRVtin5QrETRZ7dKeUhSTnCvB1iVl0tXxH7aX5VTe0lmGawC3NXfwcsNy6ceGqHLyL9BiV9BbxQtp4KQ==
> root@xxxxxxxxxxxxxxxxxxxxxxx
>
> The above example allows root on my desktop to log into my laptop and
> is an example of an ssh V2 entry using DSA encryption (yes, I know it's
> not good for root, but both are behind several layers of firewalls and
> I'm safe).
>
> Note that the 'command="some command"' is the FIRST field in a given
> key stanza, followed by a space, the key type, a space, the key, a
> space, then the comment (typically the name of the key). If I log into
> my laptop from my desktop with that entry in the laptop's
> "~root/.ssh/authorized_keys" file, this happens:
>
> [root@prophead local]# ssh golem4
> total 112
> drwxr-xr-x.   2 root root  4096 Aug 17  2014 account
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 adm
> drwxr-xr-x.  25 root root  4096 Jan  9 13:53 cache
> drwxr-xr-x.   2 root root  4096 Jan 12 21:59 crash
> drwxr-xr-x.   3 root root  4096 Mar 10 10:13 db
> drwxr-xr-x.   3 root root  4096 Jan 13 14:16 empty
> drwxr-xr-x.   3 root root  4096 Aug 18  2014 ftp
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 games
> drwx--x--x    2 gdm  gdm   4096 Jul 29  2013 gdm
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 gopher
> drwxr-xr-x.   3 root root  4096 Mar 17 09:49 kerberos
> drwxr-xr-x.  80 root root  4096 May 28 03:22 lib
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 local
> lrwxrwxrwx.   1 root root    11 May 13  2011 lock -> ../run/lock
> drwxr-xr-x.  34 root root 12288 May 28 03:22 log
> lrwxrwxrwx    1 root root    10 Nov 18  2014 mail -> spool/mail
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 nis
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 opt
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 preserve
> lrwxrwxrwx.   1 root root     6 May 13  2011 run -> ../run
> drwxr-xr-x.  16 root root  4096 Nov 18  2014 spool
> drwxrwxrwt. 276 root root 20480 May 27 14:47 tmp
> drwxr-xr-x.   6 root root  4096 Dec 17 02:07 www
> drwxr-xr-x.   2 root root  4096 Nov 18  2014 yp
> Connection to golem4 closed.
> [root@prophead local]#
>
> If I remove the 'command="ls -l /var"' bit and log in again:
>
> [root@prophead local]# ssh golem4
> Last login: Thu May 28 15:57:44 2015 from 192.168.1.50
> [root@golem4 ~]#
>
> Eh, voila!

I should also mention that this IS described in the
"AUTHORIZED_KEYS FILE FORMAT" section of "man sshd". Perhaps the "magic
incantation" you referred to is that the "command=" stuff goes into the
"options" field of the stanza (as do the other items in that part of
the man page, with multiple options separated by commas).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-   NEWS FLASH! Intelligence of mankind decreasing!  Details at...   -
-     uh, when, uh, the little hand is, uh, on the...  Aw, NUTS!     -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org