ssh catch 22
David Tonhofer
d.tonhofer at m-plify.com
Tue Nov 7 21:53:12 GMT 2006
Ed wrote:
> Hi all,
> I'm stuck with a little dilemma and I thought someone could give me a little
> advice.
>
> Is there a way to use rsync with an ssh certificate?
>
>
There should be.
> what I have:
> ----------------
> First of all I am forced to use the root account with ssh which I know is a
> big no, no, but sometimes it can't be helped.
>
(Shrug) Not such a big "no no" IMHO. We are all root sometimes.
> Second, I need to use a certificate without a password as root which is even
> worse than point one so I thought I'd secure as much as I could and did the
> following.
>
> what I did:
> --------------
> a) in the sshd_config of the destination PC I set "AllowUsers" to
> root@sourcehost
> b) in the certificate, I specified the command that could be run... the likes
> of: "command="rsync -av ./source root@desthost:/destination" ssh-rsa"
>
> my problem:
> -----------------
> Now if the command was "ls" the source would only be able to return the result
> of an "ls" on the destination PC.
>
> The problem I am facing is that my rsync command found in the certificate
> won't execute an rsync from source to destination but rather, like the "ls"
> example, it will run the command from the destination PC and thus try an
> rsync from destination to source.
>
> Was that clear? Can you advise on a way to automate an rsync via ssh?
>
> Many thanks
> -Ed
>
You want to run the rsync command upon connection. Try to use:
command="/usr/bin/rsync --server --daemon --config=/foo/rsyncd.conf .",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa [BASE64-encoded data of public key]
This will cause rsync in server mode to show up on the server side of
the encrypted connection.
Now you can configure what is and is not possible through /foo/rsyncd.conf,
e.g. read-only access, chrooting, etc.
However, the client side still has to say "I want to archive", like this:
rsync -av --rsh="ssh -l SSH_USER -i /someplace_safe/ssh_id_key" LOCAL_FILE RSYNC_USER@TARGET_MACHINE::RSYNC_MODULE
if the source is LOCAL_FILE, or
rsync -av --rsh="ssh -l SSH_USER -i /someplace_safe/ssh_id_key" RSYNC_USER@TARGET_MACHINE::RSYNC_MODULE LOCAL_FILE
if the source is RSYNC_USER@TARGET_MACHINE::RSYNC_MODULE.
Best regards,
-- David
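The setup David describes, carried one step further, as an added example that is neither Ed's nor David's code: instead of putting the rsync daemon command directly into the authorized_keys `command=` option, the key runs a small wrapper on the destination host. The wrapper checks what the client actually asked for (sshd hands it over in SSH_ORIGINAL_COMMAND) and only then execs the fixed `rsync --server --daemon` against a chrooted, push-only module, so a compromised source host cannot turn the root key into a plain `rsync --server` session against the whole filesystem. The paths (/usr/bin/rsync, /etc/rsync/rsyncd.conf, /srv/backup, /usr/local/bin/rsync-forced), the module name `backup`, the daemon user `backupuser`, and the exact request string the client sends (no `--rsync-path` override assumed) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): forced-command wrapper for the
# authorized_keys "command=" approach, plus the rsyncd.conf it points at.
# Everything still runs on the destination host, so whatever the client types,
# the only thing it can reach is the rsync daemon module defined below.
# Paths, module name and daemon user are assumptions for this example.

RSYNC=/usr/bin/rsync
CONF=/etc/rsync/rsyncd.conf

# A client running "rsync ... USER@HOST::MODULE" with --rsh=ssh asks the remote
# side for exactly this command (assumption: no --rsync-path override on the
# client; if your rsync sends something else, the rejected text is printed
# to stderr and shows up in the client's error output).
DAEMON_REQUEST="rsync --server --daemon ."

# Return 0 if the request is the daemon-over-ssh handshake, 1 for anything
# else (a plain "rsync --server ..." that would bypass the module, a shell,
# "ls", ...). The string is only compared, never evaluated, so rejected
# text cannot execute anything.
allowed_request() {
    [ "$1" = "$DAEMON_REQUEST" ]
}

# Write a chrooted, push-only module: the client can upload into /srv/backup
# but cannot read it back and cannot reach anything outside the chroot.
# $1: destination path of the config file.
write_rsyncd_conf() {
    cat >"$1" <<'EOF'
# rsyncd.conf used by the forced command (daemon-over-ssh, no listening port)
log file = /var/log/rsyncd-ssh.log
use chroot = yes
max connections = 2

[backup]
path = /srv/backup
comment = push-only backup target
read only = no
write only = yes
auth users = backupuser
secrets file = /etc/rsync/rsyncd.secrets
EOF
}

# Emit the authorized_keys line that ties a public key to this wrapper.
# $1: wrapper path on the destination host, $2: the client's public key line.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# When sshd runs this script as the forced command, SSH_ORIGINAL_COMMAND holds
# what the client asked for. If the variable is absent (script sourced for its
# functions), do nothing.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if allowed_request "$SSH_ORIGINAL_COMMAND"; then
        exec "$RSYNC" --server --daemon --config="$CONF" .
    fi
    printf 'rejected forced-command request: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Install the script as /usr/local/bin/rsync-forced on the destination, put the output of `authorized_keys_line /usr/local/bin/rsync-forced "$(cat client_key.pub)"` into root's authorized_keys there, create the config with `write_rsyncd_conf /etc/rsync/rsyncd.conf`, and push from the source with `rsync -av --rsh="ssh -i /someplace_safe/ssh_id_key" ./source backupuser@desthost::backup`. Any other use of the key (an interactive login, `ls`, or a non-daemon `rsync --server` invocation) is refused before rsync ever starts.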