rsync support in authprogs - feedback requested

Bri Hatch bri at ifokr.org
Thu Feb 18 05:52:06 UTC 2021 

Authprogs <https://github.com/daethnir/authprogs/> is a general purpose SSH
command authenticator; it allows you to restrict what commands are allowed
for a given SSH key. It's installable via pip and is in recent Debian and
Ubuntu.

I recently added initial rsync support to authprogs. My goal is to make it
an improvement over  rrsync, providing more than just upload vs download
and directory support.


I'd be very interested in feedback from two communities:

* end users/admins who would be interested in the functionality, and
* developers to help sanity check the implementation

While authprogs has been around for many years, this is the first version
that supports rsync natively. Here's an example config:

from:
    - 10.1.0.0/16
    - 192.168.0.15
allow:
    # Allow rsync to recursively sync /tmp/foo/ to the server
    # including all the bits you get with '-a', but do not
    # allow downloads
    - rule_type: rsync
      allow_upload: true
      allow_recursion: true
      allow_archive: true
      paths:
        - /tmp/foo

    # Allow upload to some specific /srv/htdocs files and
    # any files/directories under /data/lhc/
    #
    # Allow setting times, owner, and group, but no other options
    - rule_type: rsync
      allow_upload: true
      allow_owner: true
      allow_group: true
      allow_times: true
      paths:
        - /srv/htdocs/index.html
        - /srv/htdocs/status.html
      path_startswith:
        - /data/lhc/


I've just started scratching the surface of the server-side options of
rsync, but have implemented all the most common ones (-a, -logptrD, --del,
--delete-*, -vvvv, etc).

The rsync docs are at
https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules


Feedback heartily requested.


-- 
Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

The sooner you fall behind, the more time you'll have to catch up.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/rsync/attachments/20210217/7a33ce45/attachment.htm>

More information about the rsync mailing list