Running an rsync server over a remote shell program
Marc Sarrel
Marc.A.Sarrel at jpl.nasa.gov
Thu Apr 17 10:36:52 EST 2003
Hi,
I'm having problems with the command= syntax in the authorized_keys
file. I'm running rsync 2.5.6. I've searched the list archives for
"authorized_keys" and "protocol version mismatch", but I can't seem
to derive a solution from those threads.
Simply put, my goal is to let a group of 15 to 20 users update a set
of files in a single user account on a group of remote machines that
don't share a file system. But, I want ssh, via the forced-command
syntax, to allow these users only to run rsync (i.e. not get a login
shell or run some other command). Once that's working, I'll mess
with rsyncd.conf to further restrict what they can do.
I'm trying to do what it says in the man page section titled "RUNNING
AN RSYNC SERVER OVER A REMOTE SHELL PROGRAM". I have my ssh public
keys all distributed and rsync works fine for me if I don't use the
forced-command syntax in the authorized_keys file.
For reference, my rsync command line looks like this:
    rsync --dry-run --verbose --checksum --recursive --copy-unsafe-links \
        --times --rsh=ssh --rsync-path=/usr/local/bin/rsync --delete \
        --timeout=30 --ignore-times --compress /foo/bar/baz \
        <ruser>@<rhost>:/home/ruser/bar
Attempt 1:
I first tried doing this in authorized_keys
    command="rsync --server --daemon ." <key>
When I did that, I got the famous error:
    protocol version mismatch - is your shell clean?
    (see the rsync man page for an explanation)
    rsync error: protocol incompatibility (code 2) at compat.c(62)
Attempt 2:
Then, I tried this in authorized_keys, so I could see what the
original command was:
    command="echo $SSH_ORIGINAL_COMMAND" <key>
But, that gave the same error when I ran my rsync command:
    protocol version mismatch - is your shell clean?
    (see the rsync man page for an explanation)
    rsync error: protocol incompatibility (code 2) at compat.c(62)
If I just ran something simple like ssh <ruser>@<rhost> foobar, it
would print out "foobar" as expected.
Attempt 3:
Finally, I tried changing authorized_keys to:
    command="/bin/true" <key>
to see if there was any garbage from my dot files. All I saw was the
banner message as specified in the sshd_config file with the keyword
Banner. That goes to stderr, not stdout if that makes a difference.
When I ran my rsync command, I got:
    rsync: connection unexpectedly closed (0 bytes read so far)
    rsync error: error in rsync protocol data stream (code 12) at io.c(165)
When I ran "ssh <ruser>@<rhost> foobar", all I got was the banner
message. If I ran just "ssh <ruser>@<rhost>", I got the banner
followed by the line "Connection to <remote_machine> closed."
Does anyone have any ideas how I can make this work? Is there a
different/better way to do the same thing? If it makes any
difference, all machines involved are Solaris 7 and ssh is version
3.4p1. I'm not the admin on these machines, so a solution that does
not require root privs would be best.
Thanks,
Marc
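
One way to meet the goal stated in the message above (keys that can run rsync and nothing else), as an added example that is not part of the original post: a forced-command wrapper that validates SSH_ORIGINAL_COMMAND before running it. The wrapper path, the receive-only policy and the destination check are assumptions; /usr/local/bin/rsync and /home/ruser/bar are taken from the command line in the post.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an authorized_keys entry such as
#   command="/home/ruser/bin/rsync-only.sh",no-pty,no-port-forwarding <key>
# (wrapper path is hypothetical).
RSYNC_BIN=/usr/local/bin/rsync   # value of --rsync-path in the post
ALLOWED_DIR=/home/ruser/bar      # destination used in the post

# check_command CMD: succeed only if CMD is an rsync server invocation that
# receives files into ALLOWED_DIR. The policy itself is an assumption.
check_command() {
    set -f; set -- $1; set +f            # split into words without globbing
    [ "$1" = "$RSYNC_BIN" ] && [ "$2" = "--server" ] || return 1
    dest=
    for w in "$@"; do
        case $w in
            *[!A-Za-z0-9./_=,:@+-]*) return 1 ;;   # whitelist: no shell metacharacters
            --sender|--daemon) return 1 ;;          # receive-only, no daemon mode
            ..|../*|*/..|*/../*) return 1 ;;        # no directory traversal
        esac
        dest=$w                                     # last word is the destination
    done
    case $dest in
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
    esac
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asked for a command.
# Nothing is written to stdout here: the rsync client reads stdout as
# protocol data, so diagnostics go to stderr only.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND      # word-split only, never eval'd
    fi
    echo "rsync-only: command rejected" >&2
    exit 1
fi
```

A login without a command leaves SSH_ORIGINAL_COMMAND unset, so the wrapper falls through and the session ends without a shell.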