ssh catch 22

David Tonhofer d.tonhofer at
Tue Nov 7 21:53:12 GMT 2006

Ed wrote:
> Hi all,
> I'm stuck with a little dilemma and I thought someone could give me a little 
> advice.
> Is there a way to use rsync with an ssh certificate?
There should be.

> what I have:
> ----------------
> First of all I am forced to use the root account with ssh which I know is a 
> big no, no, but sometimes it can't be helped.
(Shrug) Not such a big "no no" IMHO. We are all root sometimes.

> Second, I need to use a certificate without a password as root which is even 
> worse than point one so I thought I'd secure as much as I could and did the 
> following.
> what I did:
> --------------
> a) in the sshd_config of the destination PC I set "AllowUsers" to 
> root@sourcehost
> b) in the certificate, I specified the command that could be run... the likes 
> of: "command="rsync -av ./source root@desthost:/destination" ssh-rsa"
> my problem:
> -----------------
> Now if the command was "ls" the source would only be able to return the result 
> of an "ls" on the destination PC.  
> The problem I am facing is that my rsync command found in the certificate 
> won't execute an rsync from source to destination but rather, like the "ls" 
> example, it will run the command from the destination PC and thus try an 
> rsync from destination to source.
> Was that clear?  Can you advise on a way to automate an rsync via ssh?
> Many thanks
>  -Ed
You want to run the rsync command upon connection. Try to use:

command="/usr/bin/rsync --server --daemon --config=/foo/rsyncd.conf ." ssh-rsa [BASE64-encoded data of public key]

This will cause rsync in server mode to show up on the server side of 
the encrypted connection.
Now you can configure what is possible and not through /foo/rsyncd.conf, 
e.g. allow read only, chrooting etc.

However, the client side still has to say "I want to archive", like this:

rsync -av --rsh="ssh -l SSH_USER -i /someplace_safe/ssh_id_key" 

if source is LOCAL_FILE

rsync -av --rsh="ssh -l SSH_USER -i /someplace_safe/ssh_id_key" 


Best regards,

-- David
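
The following is an added example, not code from the thread: a Python check that parses authorized_keys lines and reports keys that are not locked to `rsync --server`, including the client-mode forced command from the question. The function names and sample lines are constructed for illustration; `restrict` and `no-port-forwarding` are standard OpenSSH key options that the thread does not mention.

```python
import os
import shlex

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes that start the key-type field

def split_options(line):
    """Split one authorized_keys line into (options dict, remainder)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}, line                      # no options field
    opts, buf, in_quote, i = {}, [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and line[i + 1:i + 2] == '"':
            buf.append('"')                  # \" inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in ", \t":
            name, _, value = "".join(buf).partition("=")
            opts[name.lower()] = value
            buf = []
            if ch != ",":
                break                        # unquoted whitespace ends the options
        else:
            buf.append(ch)
        i += 1
    return opts, line[i:].strip()

def audit(line):
    """Return findings for a key meant to be locked to an rsync server."""
    opts, _ = split_options(line)
    if "command" not in opts:
        return ["no forced command: the key allows any command"]
    findings = []
    argv = shlex.split(opts["command"])
    if not argv or os.path.basename(argv[0]) != "rsync":
        findings.append("forced command is not rsync")
    elif "--server" not in argv:
        findings.append("rsync is forced in client mode, so it runs on the destination")
    if "restrict" not in opts and "no-port-forwarding" not in opts:
        findings.append("port forwarding is not disabled for this key")
    return findings

# Constructed sample lines; the key material is a placeholder.
LOCKED = 'restrict,command="/usr/bin/rsync --server --daemon --config=/foo/rsyncd.conf ." ssh-rsa AAAAexample'
CLIENT = 'command="rsync -av ./source root@desthost:/destination" ssh-rsa AAAAexample'
OPEN = "ssh-rsa AAAAexample root@sourcehost"
```
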
