nate wrote:
> Stewart Williams wrote:
>> Hi,
>>
>> I'm trying to back up from one machine to the other (automatically via
>> cron) using rsync and ssh password-less public key authentication.
>>
>> I have been trying to set this up following an article in a Linux
>> magazine[1] by only allowing the specific rsync command to run on the
>> remote box.
>>
>> I am using the following rsync command:
>>
>> $ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
>> stewart@xxxxxxxxxxxxxxxxxxxxx:/backup
>>
>> This runs, connects using keys asking for no password and completes
>> successfully until I add the above command to my authorized_keys file on
>> the remote box:
>>
>> command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
>> stewart@xxxxxxxxxxxxxxxxxxxxx:/backup" ssh-dss ... key ...
>
> I think your issue is the command you're specifying is only what
> is run on the client end, not on the server end. The server
> runs rsync-server, e.g. from one of my rsync servers:
>
> logrsync 5244 0.0 0.0 2152 256 ? S 14:03 0:00 rsync
> --server -vltpre.is --timeout=600 .
> /nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//
>
> The command I executed on the client is much, much bigger.
>
> rsync -rlptve /usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o
> NoneSwitch=yes --timeout=600 --files-from=/home
> /logrsync/jobs/rsync_list_00 --log-format="[%p] %t %o %f (%l/%b)"
> /var/xrt/pickup logrsync@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
> /nfs/exnas/root/pixelserverlogs/PD3-BGAS09//
> >> /home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1
>
> There may be other commands that are executed as well as part of
> the file sync process other than rsync-server.
>
> I suggest if you're really paranoid about only allowing file transfers
> then use the rsync protocol itself. You can encrypt it via a VPN
> or an SSL tunneling app like stunnel if you want.
>
> For me I am happy with just locking the system down so only ssh
> keys are allowed to login. I don't feel the need to try to lock down
> what keys a particular app can use. And even if I did it wouldn't
> work since there are about 120 systems that share the same private
> key to upload and download data to different locations (couple TB
> of data transferred per day).
>
> nate
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>

I am the only user with shell access to these systems and they are on a private network, so maybe I am going a bit OTT. :)
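
An added example, not part of the original thread and not from either poster: a forced-command wrapper that accepts only the server-side invocation nate describes (`rsync --server ...`) instead of the client command line. The script path, `RSYNC_BIN`, and the policy of allowing only short-option bundles are assumptions; `/backup` is the destination from Stewart's command.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an rsync-only backup key.
# Hypothetical install path, referenced from ~/.ssh/authorized_keys as:
#   command="/usr/local/bin/rsync-only.sh",no-pty,no-port-forwarding ssh-dss ... key ...

ALLOWED_DEST="/backup"      # destination directory from the original post
RSYNC_BIN="/usr/bin/rsync"  # assumed location of rsync on the backup host

# check_rsync_command CMD
# Returns 0 only for "rsync --server <short-option bundles> . <dest>",
# i.e. the server side of a push into ALLOWED_DEST.
check_rsync_command() {
    case $1 in
        *[!A-Za-z0-9\ ._/-]*) return 1 ;;    # shell metacharacters, quotes, newlines
        "rsync --server "*" . "*) ;;         # required overall shape
        *) return 1 ;;
    esac
    rest=${1#"rsync --server "}
    dest=${rest##*" . "}      # text after the last " . " is the destination
    opts=${rest%" . $dest"}   # everything before it must be options
    case $dest in
        *" "*|*..*) return 1 ;;              # extra path arguments or traversal
        "$ALLOWED_DEST"|"$ALLOWED_DEST"/*) ;;
        *) return 1 ;;
    esac
    for opt in $opts; do      # safe to split: glob characters were rejected above
        case $opt in
            -*[!A-Za-z0-9.]*) return 1 ;;    # long options: --sender, --daemon, ...
            -[A-Za-z]*) ;;                   # bundle such as -vlogDtprze.iLsf
            *) return 1 ;;
        esac
    done
    return 0
}

# sshd places the command requested by the client in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f                               # no pathname expansion when splitting
        set -- $SSH_ORIGINAL_COMMAND
        shift                                # drop the client-supplied "rsync"
        exec "$RSYNC_BIN" "$@"
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

A client that sends long options (for example the `--timeout=600` in nate's server process listing) is refused by this policy and would need an explicit allowance added. The rsync distribution also includes an `rrsync` script written for the same purpose.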