Re: Rsync, SSH and authorized_keys problem




Stewart Williams wrote:
> Hi,
>
> I'm trying to backup from one machine to the other (automatically via
> cron) using rsync and ssh password-less public key authentication.
>
> I have been trying to set this up following an article in a Linux
> magazine[1] by only allowing the specific rsync command to run on the
> remote box.
>
> I am using the following rsync command:
>
> $ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
> stewart@xxxxxxxxxxxxxxxxxxxxx:/backup
>
> This runs, connects using keys asking for no password and completes
> successfully until I add the above command to my authorized_keys file on
> the remote box:
>
> command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
> stewart@xxxxxxxxxxxxxxxxxxxxx:/backup" ssh-dss ... key ...

I think your issue is that the command you're specifying is only what
is run on the client end, not on the server end. The server
runs rsync --server, e.g. from one of my rsync servers:
logrsync  5244  0.0  0.0   2152   256 ?        S    14:03   0:00 rsync
--server -vltpre.is --timeout=600 .
/nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//

The command I executed on the client is much, much bigger:

rsync -rlptve /usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o
NoneSwitch=yes --timeout=600  --files-from=/home
/logrsync/jobs/rsync_list_00 --log-format="[%p] %t %o %f (%l/%b)"
/var/xrt/pickup logrsync@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
/nfs/exnas/root/pixelserverlogs/PD3-BGAS09//
>>/home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1

There may be other commands that are executed as well as part of
the file sync process other than rsync --server.

I suggest, if you're really paranoid about only allowing file transfers,
then use the rsync protocol itself. You can encrypt it via a VPN
or an SSL tunneling app like stunnel if you want.

For me, I am happy with just locking the system down so only SSH
keys are allowed to log in. I don't feel the need to try to lock down
what keys a particular app can use. And even if I did, it wouldn't
work, since there are about 120 systems that share the same private
key to upload and download data to different locations (a couple of TB
of data transferred per day).

nate
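
Added example (not from the original post or either poster): the way to restrict a key to
the server side of rsync without pinning the exact option cluster is a forced-command
wrapper. sshd runs the wrapper instead of whatever the client asked for and exposes the
client's request in SSH_ORIGINAL_COMMAND; the wrapper vets it and exec's it only if it is an
`rsync --server` invocation writing under /backup. The install path /usr/local/bin/rsync-only,
the destination /backup and the small long-option allow-list are assumptions for the
example. The sample command lines in the test are constructed; the option cluster rsync
actually sends (`-vlogDtprze.iLsfxC` here) varies with the rsync version.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for a push-only backup key.
# Added example, not code from the original post. Assumed install path
# /usr/local/bin/rsync-only, referenced from ~/.ssh/authorized_keys as
#
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-dss AAAA... backup-key
#
# sshd runs this script instead of the client's command and puts that
# command in SSH_ORIGINAL_COMMAND. For "rsync -avz ... /backup host:/backup"
# the request is the server side, something like
#   rsync --server -vlogDtprze.iLsfxC . /backup
# (the short-option cluster varies with the rsync version).

ALLOWED_DEST=/backup    # assumed: the only tree this key may write into

# allow_rsync CMD: returns 0 if CMD is an rsync --server invocation that
# writes into $ALLOWED_DEST, 1 for anything else.
allow_rsync() {
    cmd=$1

    # Must be the server side of rsync, nothing else.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # Allow-list the characters an rsync server command line needs; this
    # also rules out shell metacharacters, quotes and glob characters.
    rest=$(printf '%s' "$cmd" | tr -d 'A-Za-z0-9 ._/=-')
    [ -z "$rest" ] || return 1

    # No path traversal anywhere on the line.
    case "$cmd" in
        *..*) return 1 ;;
    esac

    # Long options are allow-listed (assumed list; extend as needed).
    # Anything else, e.g. --sender (would let the key read /backup back
    # out), --log-file, --daemon or --config, is refused. The last word
    # is the destination path rsync will write into.
    last=
    for word in $cmd; do
        case "$word" in
            --server|--timeout=[0-9]*|--delete|--delete-during|--partial) ;;
            --*) return 1 ;;
        esac
        last=$word
    done
    case "$last" in
        "$ALLOWED_DEST"|"$ALLOWED_DEST"/*) return 0 ;;
    esac
    return 1
}

# When sshd invokes us with a client command, vet it and exec it directly
# (no shell involved). With no command at all the script simply exits, so
# the key can never obtain an interactive shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync "$SSH_ORIGINAL_COMMAND"; then
        # shellcheck disable=SC2086  # word splitting into argv is intended
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The wrapper only coarsely vets rsync's options: short options that take an argument are not
inspected, and the long-option list is a minimal assumption. rsync itself ships a fuller
wrapper, support/rrsync, that keeps a per-option table and a read-only mode; for a production
backup key that is the better choice, but the shape is the same: a `command=` entry that runs
a checker, plus the `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`
restrictions so the key can do nothing but the one transfer.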


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
