ssh catch 22

Ed lists at precognet.com
Tue Nov 14 09:12:09 GMT 2006


I'll be honest, I was about to send a long mail on how it still doesn't 
work... when it suddenly did! :)

So I thought some poor soul might like a step by step, so here it is:

192.168.1.1 is the source with the data you want
192.168.1.2 is the destination where you want the data to go

with that in mind do:

1) on the destination, create an ssh key and export the public key to the 
source

2) edit the source authorized_keys where you put your pub key and add the 
following at the start of the key: 
from="192.168.252.2",command="/usr/local/bin/valid_rsync.sh" ssh-rsa AAAA...

2a) make sure your permissions are correct or it will never work

3) still on the source, edit /etc/ssh/sshd_config and make sure you can only 
log in as root to execute a command:
AllowUsers foobar root@192.168.1.2
PermitRootLogin forced-commands-only

3a) restart ssh

4) create the script with permissions 500
# cat /usr/local/bin/valid_rsync.sh
#!/bin/sh

# Validate rsync coming from a certificate
# sshd places the command the client asked for in SSH_ORIGINAL_COMMAND.
# Anything containing shell metacharacters is refused, and every
# rejection exits non-zero so the client sees the failure.

case "$SSH_ORIGINAL_COMMAND" in
*\&*)
        echo "Rejected #1"
        exit 1
        ;;
*\(*)
        echo "Rejected #2"
        exit 1
        ;;
*\{*)
        echo "Rejected #3"
        exit 1
        ;;
*\;*)
        echo "Rejected #4"
        exit 1
        ;;
*\<*)
        echo "Rejected #5"
        exit 1
        ;;
*\`*)
        echo "Rejected #6"
        exit 1
        ;;
rsync\ --server*)
        # left unquoted on purpose: the string must be word-split into a command
        $SSH_ORIGINAL_COMMAND
        ;;
*)
        echo "Rejected #7"
        exit 1
        ;;
esac

5) now on the destination server, you should be able to run the following 
command and not be prompted for a password.  I created a TEST file for the 
transfer.
rsync -a -e "ssh -i /root/.ssh/rsync-key" root@192.168.1.1:/root/TEST .

Worked for me!

Thank you to wayne, David and Martin for helping me.

Regards,
 -Ed


On Tuesday 14 November 2006 01:20, you wrote:
> On Tue, Nov 07, 2006 at 07:19:31PM +0100, Ed wrote:
> > b) in the certificate, I specified the command that could be run... the
> > likes of: "command="rsync -av ./source root@desthost:/destination"
> > ssh-rsa"
>
> It's completely invalid to specify a client command when expecting a
> server command.  Just run rsync with 2 -v options to see the command it
> is sending to the remote system, and that will tell you what command to
> expect.  See also the support/rrsync script that can be used as the
> forced command=/path/rrsync script to limit the rsync command(s) that
> you accept.
>
> ..wayne..
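
A stricter wrapper for the same pull-only setup, written as an added example (it is neither Ed's valid_rsync.sh above nor rsync's own support/rrsync): instead of a denylist of characters it allowlists the bytes an rsync --server line can contain, accepts only the --sender side (so the peer can read but never write), and confines the served path to ALLOWED_ROOT, which is an assumed constant set to the /root/TEST directory from the post.

```shell
#!/bin/sh
# Added example (not the poster's script, not rsync's rrsync): a stricter
# forced-command wrapper for the pull-only scenario in the post, where the
# destination fetches /root/TEST from the source.  ALLOWED_ROOT is assumed.
ALLOWED_ROOT="/root/TEST"

# validate_rsync_cmd CMD -> exit status 0 (accept) or 1 (reject)
validate_rsync_cmd() {
    cmd=$1
    # 1. Allowlist instead of denylist: any byte outside the characters an
    #    rsync --server invocation needs is grounds for rejection.
    rest=$(printf '%s' "$cmd" | tr -d 'A-Za-z0-9._/= -')
    [ -z "$rest" ] || return 1
    # 2. Only the sender side: the peer may read from here, never write.
    case "$cmd" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac
    # 3. The served path is the last argument; refuse any ".." component.
    path=${cmd##* }
    case "/$path/" in
        */../*) return 1 ;;
    esac
    # 4. The path must be ALLOWED_ROOT itself or something below it.
    case "$path" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# When run by sshd as the forced command, dispatch on SSH_ORIGINAL_COMMAND
# (this part is skipped when the file is sourced or run without it set).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f                       # no globbing while splitting the command
        IFS=' '                      # split on the single spaces rsync uses
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Install it as the command="..." target in authorized_keys exactly as in step 2; a `rsync -vv` pull from the destination shows the server line that the validator must accept.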

