restricting rsync over ssh on the server side.

Dave Dykstra dwd at drdykstra.us
Tue Jan 7 22:22:00 EST 2003


In the development version of rsync now in CVS, ssh and daemon mode can
be used together by using '-e ssh' along with '::'.  That is probably
just what Rob needs, please check it out/test it.  The documentation has
been updated to describe putting an ssh wrapper key to restrict rsync
operations to only those defined by rsyncd.conf.

- Dave Dykstra


On Sun, Jan 05, 2003 at 01:07:30PM -0500, Aaron Morris wrote:
> I do not think you can use it with ssh, but if you use rsync in rsync 
> mode (::) instead of just an interface to rsh (:), you can limit the 
> directories where you can transfer files (using modules).  This involves 
> setting up the rsync daemon on the server side.  The rsync daemon has 
> the ability to limit connections, chroot itself, prevent the use of 
> options (such as delete), use its own authentication, setup 
> includes/excludes on the server side, and use IP based ACLs (outside of 
> tcpwrappers).  See:  `man rsyncd.conf`
> 
> I only mention this because I do not believe most people even realize 
> there is this other mode to rsync.  I tried describing it to a co-worker 
> who uses rsync regularly, but he kind of just stared at me blankly.
> 
> Rob Browning wrote:
> >I was wondering if it's possible to restrict rsync in various ways on
> >the server side when it is invoked via ssh.  Two restrictions I had in
> >mind are disallowing deletes and/or restricting all actions to a
> >particular subdirectory.  I was hoping to be able to do this without
> >having to be root (for a chroot) or having to set up special sshd
> >server instances/chroots.
> >
> >If there's not already a way to do this, one possibility I had thought
> >of is a ssh key command= wrapper, so that you could generate an ssh
> >key like this:
> >
> >  command="rsync-ssh-wrapper --root=/home/foo/bar --disable-delete",...
> >
> >and then when invoked rsync-ssh-wrapper would then look at
> >SSH_ORIGINAL_COMMAND to see the actual incoming request (presuming
> >there were any relevant options there; are rsync --server invocations
> >documented anywhere?), and combine that with the wrapper options to
> >decide how to invoke rsync --server.  Of course this approach presumes
> >that rsync --server would support suitable arguments.
> >
> >Is there interest in such a facility?  It seems like something similar
> >might be useful for sftp and scp as well, but I haven't managed to
> >think of a way to implement a common solution.  Also, I could imagine
> >that this solution for rsync might be somewhat difficult to implement
> >(perhaps complicated by symlinks, etc.), but it's the best thing I've
> >thought of so far.
> >
> >Thanks
> >
> 
> -- 
> Aaron W Morris
> decep
> PGP Key ID:  259978D1
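One way to write the key-bound wrapper Rob sketches above (and the ssh wrapper key Dave refers to), as an added example that is not from this thread or from the rsync project: an authorized_keys forced command that inspects SSH_ORIGINAL_COMMAND, allows only "rsync --server" requests without delete options, and confines the requested path to one directory. The script name rsync-ssh-wrapper, the function check_rsync_cmd, the option bundle -vlogDtpr and the directory /home/foo/bar are assumptions and constructed sample values.

```shell
#!/bin/sh
# rsync-ssh-wrapper (illustrative): forced command for an authorized_keys line such as
#   command="/usr/local/bin/rsync-ssh-wrapper /home/foo/bar",no-pty,no-port-forwarding ssh-rsa AAAA...
# The only argument is the directory the key may touch; sshd passes the client's actual
# request in SSH_ORIGINAL_COMMAND.  Paths containing whitespace are not supported here.
# check_rsync_cmd ROOT CMD: return 0 if CMD is an "rsync --server" request confined to ROOT
# with no delete option, 1 otherwise.  Pure string checks, so it can be tested without sshd.
check_rsync_cmd() {
    root=$1 cmd=$2
    # only rsync in server mode may be started, nothing else the client might ask for
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # the request is later word-split and exec'd, so refuse any shell metacharacters
    case "$cmd" in
        *[';&|`$()<>']*) return 1 ;;
    esac
    # rsync clients pass deletion to the server as long options; refuse all variants
    case " $cmd " in
        *" --delete"*|*" --remove-s"*) return 1 ;;
    esac
    # the last word is the directory the client named; resolve it against ROOT
    path=${cmd##* }
    case "$path" in
        /*) ;;
        *)  path="$root/$path" ;;
    esac
    # must stay below ROOT, and no ".." component may climb back out
    case "$path" in
        "$root"|"$root"/*) ;;
        *) return 1 ;;
    esac
    case "/$path/" in
        */../*) return 1 ;;
    esac
    return 0
}
# When run by sshd as the forced command, validate the request and then hand it to rsync.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    root=${1:?usage: rsync-ssh-wrapper ROOT}
    if check_rsync_cmd "$root" "$SSH_ORIGINAL_COMMAND"; then
        set -f                                     # no globbing while splitting the request
        set -- ${SSH_ORIGINAL_COMMAND#rsync }      # drop the leading "rsync", keep "--server ..."
        cd "$root" && exec rsync "$@"              # relative paths now resolve under ROOT
    fi
    echo "rsync-ssh-wrapper: request rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Rejected requests are logged to stderr, which sshd returns to the client, so a denied transfer is visible on both ends.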
