rsync support in authprogs - feedback requested

Karl O. Pinc kop at meme.com
Thu Feb 18 15:28:06 UTC 2021


On Wed, 17 Feb 2021 21:52:06 -0800
Bri Hatch via rsync <rsync at lists.samba.org> wrote:

> I recently added initial rsync support to authprogs.

> I'd be very interested in feedback 

For some 15 years+ (?) I've had a /root/.ssh/authorized_keys line
that starts with:

no-pty,no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,command="rsync --server --daemon ."

Occasionally I frob the ssh restrictions as new ones are
introduced.

The remote end uses rsync to backup (with --link-dest) the
entire file system.  The idea (iirc) was to restrict
the given key so that it would only run rsync.
And I think this also forces the local end to use
/etc/rsyncd.conf, where there's an additional layer
of security via a secrets file and read-only can
be set to provide some control.

The remote end always runs rsync -- the direction of 
transfer is static, per-host-pair, but can be either
in or out. (Push or pull backups.) The above authorized_keys 
line does not enforce direction, which might be useful.

I only rarely think about tweaking the authorized_keys line, 
and the rsync options used haven't changed since I got them to work.
Without really thinking about it, it seems that your
authprogs development might be useful.  

My purpose with this email is to let you do all the 
thinking and tell me of all the wonderful utility
your authprogs work can provide, either now or
in the future.  ;-)  Or at least give you some
background in case you want to develop in a direction
that you think would be helpful to me.  If something comes
of this I might even turn my brain on again and
modify my systems.  :)

Regards,

Karl <kop at karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
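
Added example, not part of the original message and not authprogs code: one way a forced-command wrapper could enforce the transfer direction that the authorized_keys line above leaves open. It assumes plain rsync-over-ssh rather than the --daemon mode used in the message, so the client's request arrives in SSH_ORIGINAL_COMMAND and rsync marks a pull with --sender; the function name, policy values and sample commands are constructed for illustration.

```python
import os
import shlex

def check_rsync_request(original_command, allow_direction, allowed_root):
    """Return (ok, detail) for the command an ssh client asked to run.

    allow_direction: "pull" (server sends) or "push" (server receives).
    Paths are normalised only; symlinks are not resolved here.
    """
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        return False, "unparseable command"
    if argv[:2] != ["rsync", "--server"]:
        return False, "not an rsync --server request"
    rest = argv[2:]
    # rsync adds --sender right after --server when the server is the source.
    direction = "pull" if rest[:1] == ["--sender"] else "push"
    if direction == "pull":
        rest = rest[1:]
    if direction != allow_direction:
        return False, f"{direction} not permitted for this key"
    # Layout: options, then a lone "." placeholder, then the path(s).
    if "." not in rest:
        return False, "missing '.' separator"
    sep = rest.index(".")
    # Conservative: refuse bare words among the options (e.g. option values).
    if any(not a.startswith("-") for a in rest[:sep]):
        return False, "unexpected argument before '.'"
    paths = rest[sep + 1:]
    if not paths:
        return False, "no path given"
    root = os.path.normpath(allowed_root)
    for p in paths:
        full = os.path.normpath(os.path.join(root, p))
        if full != root and not full.startswith(root + os.sep):
            return False, f"path outside {root}: {p}"
    return True, direction

if __name__ == "__main__":
    # Constructed sample requests, checked against a pull-only policy.
    samples = [
        "rsync --server --sender -vlogDtpre.iLsfxC . /srv/backup/etc",
        "rsync --server -vlogDtpre.iLsfxC . /srv/backup/etc",
        "rsync --server --sender -re.iLsfxC . /srv/backup/../../etc/shadow",
        "sh -c id",
    ]
    for cmd in samples:
        print(check_rsync_request(cmd, "pull", "/srv/backup"), cmd)
```

With the daemon-mode forced command shown in the message the request never appears on the command line, so direction would instead be set per module in rsyncd.conf with "read only" or "write only".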


