ssh catch 22

David Tonhofer d.tonhofer at m-plify.com
Tue Nov 7 21:53:12 GMT 2006


Ed wrote:
> Hi all,
> I'm stuck with a little dilemma and I thought someone could give me a little 
> advice.
>
> Is there a way to use rsync with an ssh certificate?
>
>   
There should be.

> what I have:
> ----------------
> First of all I am forced to use the root account with ssh which I know is a 
> big no, no, but sometimes it can't be helped.
>   
(Shrug) Not such a big "no no" IMHO. We are all root sometimes.

> Second, I need to use a certificate without a password as root which is even 
> worse than point one so I thought I'd secure as much as I could and did the 
> following.
>
> what I did:
> --------------
> a) in the sshd_config of the destination PC I set "AllowUsers" to 
> root@sourcehost
> b) in the certificate, I specified the command that could be run... the likes 
> of: command="rsync -av ./source root@desthost:/destination" ssh-rsa
>
> my problem:
> -----------------
> Now if the command was "ls" the source would only be able to return the result 
> of an "ls" on the destination PC.  
>
> The problem I am facing is that my rsync command found in the certificate 
> won't execute an rsync from source to destination but rather, like the "ls" 
> example, it will run the command from the destination PC and thus try an 
> rsync from destination to source.
>
> Was that clear?  Can you advise on a way to automate an rsync via ssh?
>
> Many thanks
>  -Ed
>   
You want to run the rsync command upon connection. Try to use:

command="/usr/bin/rsync --server --daemon --config=/foo/rsyncd.conf .",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa [BASE64-encoded data of public key]

This will cause rsync in server mode to show up on the server side of 
the encrypted connection. Now you can configure what is possible and 
what is not through /foo/rsyncd.conf, e.g. allow read only, chrooting etc.

However, the client side still has to say "I want to archive", like this:

rsync -av --rsh="ssh -l SSH_USER -i /someplace_safe/ssh_id_key" LOCAL_FILE RSYNC_USER@TARGET_MACHINE::RSYNC_MODULE

if source is LOCAL_FILE

rsync -av --rsh="ssh -l SSH_USER -i /someplace_safe/ssh_id_key" RSYNC_USER@TARGET_MACHINE::RSYNC_MODULE LOCAL_FILE

if source is RSYNC_USER@TARGET_MACHINE::RSYNC_MODULE

Best regards,

-- David

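Added example (not David's code nor anything from the rsync project): the forced-command key entry, the read-only rsyncd.conf module and the client command that the reply above describes, plus a check for key entries that are missing the restriction options. The config path, module name, host, identity file and public key are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: the three pieces of the
# forced-command rsync setup David describes, plus a check for key entries
# that forget the restrictions. Paths, module and key names are placeholders.

# authorized_keys entry: ssh runs rsync in single-use daemon mode, reading
# its limits from the given rsyncd.conf, and nothing else the key holder asks for.
authorized_keys_line() {
    # $1 = rsyncd.conf path on the server, $2 = public key ("ssh-rsa AAAA...")
    printf 'command="/usr/bin/rsync --server --daemon --config=%s .",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# One read-only, chrooted, unlisted module: the daemon can only serve files
# from this tree, whatever the client sends.
rsyncd_conf() {
    # $1 = module name, $2 = directory the module exports
    printf '[%s]\n    path = %s\n    read only = yes\n    use chroot = yes\n    list = no\n' "$1" "$2"
}

# Client: pull the module over ssh with the dedicated key (swap the last two
# arguments, and set "read only = no" on the server, to push instead).
client_pull_cmd() {
    # $1 = ssh login, $2 = identity file, $3 = host, $4 = module, $5 = local dir
    printf 'rsync -av --rsh="ssh -l %s -i %s" %s::%s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Audit one authorized_keys line: returns 0 only if it forces rsync into
# daemon mode and carries all four restriction options.
check_forced_key_line() {
    entry=$1
    case "$entry" in
        *'command="/usr/bin/rsync --server --daemon'*) ;;
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
        case "$entry" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

Run `check_forced_key_line` over each line of the server's authorized_keys to find entries that grant an unrestricted shell to an automation key.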

