Running an rsync server over a remote shell program

Marc Sarrel Marc.A.Sarrel at jpl.nasa.gov
Thu Apr 17 10:36:52 EST 2003


Hi,

I'm having problems with the command= syntax in the authorized_keys 
file.  I'm running rsync 2.5.6.  I've searched the list archives for 
"authorized_keys" and "protocol version mismatch", but I can't seem 
to derive a solution from those threads.

Simply put, my goal is to let a group of 15 to 20 users update a set 
of files in a single user account on a group of remote machines that 
don't share a file system.  But, I want ssh, via the forced-command 
syntax, to allow these users only to run rsync (i.e. not get a login 
shell or run some other command).  Once that's working, I'll mess 
with rsyncd.conf to further restrict what they can do.

I'm trying to do what it says in the man page section titled "RUNNING 
AN RSYNC SERVER OVER A REMOTE SHELL PROGRAM".  I have my ssh public 
keys all distributed and rsync works fine for me if I don't use the 
forced-command syntax in the authorized_keys file.

For reference, my rsync command line looks like this:

rsync --dry-run --verbose --checksum --recursive --copy-unsafe-links 
--times --rsh=ssh --rsync-path=/usr/local/bin/rsync --delete 
--timeout=30 --ignore-times --compress /foo/bar/baz 
<ruser>@<rhost>:/home/ruser/bar

Attempt 1:

I first tried doing this in authorized_keys

command="rsync --server --daemon ." <key>

When I did that, I got the famous error:

protocol version mismatch - is your shell clean?
(see the rsync man page for an explanation)
rsync error: protocol incompatibility (code 2) at compat.c(62)

Attempt 2:

Then, I tried this in authorized_keys, so I could see what the 
original command was:

command="echo $SSH_ORIGINAL_COMMAND" <key>

But, that gave the same error when I ran my rsync command:

protocol version mismatch - is your shell clean?
(see the rsync man page for an explanation)
rsync error: protocol incompatibility (code 2) at compat.c(62)

If I just ran something simple like ssh <ruser>@<rhost> foobar, it 
would print out "foobar" as expected.

Attempt 3:

Finally, I tried changing authorized_keys to:

command="/bin/true" <key>

to see if there was any garbage from my dot files.  All I saw was the 
banner message as specified in the sshd_config file with the keyword 
Banner.  That goes to stderr, not stdout if that makes a difference.

When I ran my rsync command, I got:

rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(165)

When I ran "ssh <ruser>@<rhost> foobar", all I got was the banner 
message.  If I ran just "ssh <ruser>@<rhost>", I got the banner 
followed by the line "Connection to <remote_machine> closed."

Does anyone have any ideas how I can make this work?  Is there a 
different/better way to do the same thing?  If it makes any 
difference, all machines involved are Solaris 7 and ssh is version 
3.4p1.  I'm not the admin on these machines, so a solution that does 
not require root privs would be best.

Thanks,

Marc
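
Added example, not part of the original post and not rsync's own code: a forced-command wrapper that checks SSH_ORIGINAL_COMMAND and runs it only if it is an rsync server invocation. It logs to a file rather than echoing, because the forced command's stdout is what the rsync client reads as protocol data. The wrapper name, log path and push-only rule are assumptions; the rsync path is the --rsync-path value from the post.

```shell
#!/bin/sh
# Forced-command wrapper: permits only an rsync server invocation.
# authorized_keys entry (wrapper path is hypothetical):
#   command="/home/ruser/bin/rsync-only" <key>

ALLOWED_RSYNC=/usr/local/bin/rsync    # the --rsync-path value used in the post
LOG_FILE="${RSYNC_ONLY_LOG:-${HOME:-.}/rsync-only.log}"    # hypothetical location

# Return 0 if $1 is an acceptable "rsync --server" command line, 1 otherwise.
# Writes nothing to stdout, because stdout carries the rsync protocol stream.
is_allowed_rsync() {
    # Whitelist characters so no quoting, globbing or shell syntax gets through.
    case $1 in
        ''|*[!A-Za-z0-9\ ./_=,@:+-]*) return 1 ;;
    esac
    set -- $1                         # safe to split: only whitelisted characters
    [ "$#" -ge 3 ] || return 1
    [ "$1" = "$ALLOWED_RSYNC" ] || return 1
    [ "$2" = "--server" ] || return 1
    for arg in "$@"; do
        # Assumption: these keys may only push files, so refuse pull requests.
        if [ "$arg" = "--sender" ]; then return 1; fi
    done
    return 0
}

# Append a decision to the log, replacing non-whitelisted bytes with '?'.
log_decision() {
    safe=$(printf '%s' "$2" | tr -c 'A-Za-z0-9 ./_=,@:+-' '?')
    printf '%s %s: %s\n' "$(date)" "$1" "$safe" >>"$LOG_FILE"
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asked for a command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        log_decision allow "$SSH_ORIGINAL_COMMAND"
        exec $SSH_ORIGINAL_COMMAND
    fi
    log_decision deny "$SSH_ORIGINAL_COMMAND"
    echo "rsync-only: command rejected" >&2
    exit 1
fi
```

The wrapper checks only the program and mode; it does not restrict which destination path the client names.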
