Hi,
I'm trying to backup from one machine to the other (automatically via cron) using rsync and ssh password-less public key authentication.
I have been trying to set this up following an article in a Linux magazine[1] by only allowing the specific rsync command to run on the remote box.
I am using the following rsync command:
$ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@name.of.remote.server:/backup
This runs, connects using keys asking for no password and completes successfully until I add the above command to my authorized_keys file on the remote box:
command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@name.of.remote.server:/backup" ssh-dss ... key ...
The client then says it cannot find the key, so the connection fails.
Is it because it's trying to find the private key in the ~/.ssh directory on the remote box?
Is the article wrong?
Or am I doing something wrong?
Should I use the $SSH_ORIGINAL_COMMAND variable?
Regards, Stewart Williams
[1] http://www.linuxformat.com/pdfs/download.php?PDF=LXF105.tut_backup.pdf
Tom Brown wrote:
command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@name.of.remote.server:/backup" ssh-dss ... key ...
Which user is doing this? Maybe the env of that user in cron is not the same as when logged in using a shell?
It's the same user. I haven't added the cron job yet; that's just what I intend on doing. At the moment I am having this problem from the shell.
Stewart Williams wrote:
command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@name.of.remote.server:/backup" ssh-dss ... key ...
I think your issue is the command you're specifying is only what is run on the client end, not on the server end. The server runs rsync-server, e.g. from one of my rsync servers:
logrsync 5244 0.0 0.0 2152 256 ? S 14:03 0:00 rsync --server -vltpre.is --timeout=600 . /nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//
The command I executed on the client is much, much bigger:
rsync -rlptve /usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o NoneSwitch=yes --timeout=600 --files-from=/home/logrsync/jobs/rsync_list_00 --log-format="[%p] %t %o %f (%l/%b)" /var/xrt/pickup logrsync@pd3-dc01rsync-vip.pod.xxx.net:/nfs/exnas/root/pixelserverlogs/PD3-BGAS09//
/home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1
There may be other commands that are executed as well as part of the file sync process other than rsync-server.
I suggest if you're really paranoid about only allowing file transfers then use the rsync protocol itself. You can encrypt it via a VPN or an SSL tunneling app like stunnel if you want.
For me, I am happy with just locking the system down so only ssh keys are allowed to login. I don't feel the need to try to lock down what keys a particular app can use. And even if I did, it wouldn't work since there are about 120 systems that share the same private key to upload and download data to different locations (a couple TB of data transferred per day).
nate
nate wrote:
For me, I am happy with just locking the system down so only ssh keys are allowed to login. I don't feel the need to try to lock down what keys a particular app can use. And even if I did, it wouldn't work since there are about 120 systems that share the same private key to upload and download data to different locations (a couple TB of data transferred per day).
nate
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I am the only user with shell access to these systems and they are on a private network, so maybe I am going a bit OTT. :)
Hi,
On Tue, Jun 16, 2009 at 16:59, Stewart Williams <lists@pinkyboots.co.uk> wrote:
command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@name.of.remote.server:/backup" ssh-dss ... key ...
You actually have to include the command that rsync will call on the server side, not the command you use to call rsync on the client side...
I did some tests while running "ps -ef | grep rsync" and I believe it would be something like this:
command="rsync --server -vlogDtprze.is . /backup" ssh-dss ...
HTH, Filipe
Hi,
On Tue, Jun 16, 2009 at 17:10, Filipe Brandenburger <filbranden@gmail.com> wrote:
You actually have to include the command that rsync will call on the server side, not the command you use to call rsync on the client side...
If you add "-v" to the SSH command line on the client:
$ rsync -avz -e "ssh -v -i ..."
It will print something like this:
debug1: Sending command: rsync --server -vlogDtprze.is . /backup
That is the exact string you should add to command="" on the authorized_keys file on the other end.
HTH, Filipe
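An added example, not code from the thread or the linked article, showing the $SSH_ORIGINAL_COMMAND approach Stewart asked about combined with Filipe's exact string: a forced-command wrapper that accepts only the one rsync --server invocation captured with "ssh -v" and refuses anything else. The script path and the key options in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the linked article: a forced-command
# wrapper for authorized_keys. sshd runs this script instead of whatever the
# client asked for and exposes the client's request in SSH_ORIGINAL_COMMAND;
# the script permits only the exact rsync --server string seen with "ssh -v".
#
# Assumed authorized_keys entry on the backup server (path is an assumption):
#   command="/home/stewart/bin/validate-rsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAA... key ...

# The server-side command captured in the thread with "ssh -v". A pull in the
# other direction, or different rsync flags, would need its own captured string.
ALLOWED_CMD='rsync --server -vlogDtprze.is . /backup'

# check_cmd REQUEST: returns 0 only if REQUEST is byte-for-byte the allowed
# command. A glob such as "rsync*" is deliberately avoided: it would also
# accept other paths ("rsync --server ... . /") or appended shell text.
check_cmd() {
    case "$1" in
        "$ALLOWED_CMD") return 0 ;;
        *)              return 1 ;;
    esac
}

# Dispatch only when sshd actually set SSH_ORIGINAL_COMMAND, so the file can
# also be sourced for testing without running rsync.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    if check_cmd "$SSH_ORIGINAL_COMMAND"; then
        # Run the allowlisted string itself rather than re-evaluating the
        # client's input; logger records the accepted transfer for auditing.
        logger -t validate-rsync "accepted: $SSH_ORIGINAL_COMMAND"
        exec $ALLOWED_CMD
    fi
    logger -t validate-rsync "rejected: $SSH_ORIGINAL_COMMAND"
    echo "rejected command" >&2
    exit 1
fi
```

Rejections land in syslog via logger, so a key that starts being used for anything other than the backup shows up in the server's logs.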
Filipe Brandenburger wrote:
debug1: Sending command: rsync --server -vlogDtprze.is . /backup
That is the exact string you should add to command="" on the authorized_keys file on the other end.
HTH, Filipe
Thank you Filipe, I will try this and let you know if it works.
On Tue, 16 Jun 2009 21:59:27 +0100 Stewart Williams lists@pinkyboots.co.uk wrote:
command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@name.of.remote.server:/backup" ssh-dss ... key ...
Well, I've never seen anything other than keys in an authorized_keys file... (btw, use authorized_keys2 for ssh v2), but I'd hazard a guess and say that the speech marks are what could be causing it grief.
Try single quotes (') around the command= bit with the double quotes around the ssh command and see if that makes a difference.
Hi,
On Tue, Jun 16, 2009 at 17:12, Spiro Harvey <spiro@knossos.net.nz> wrote:
well, I've never seen anything other than keys in an authorized_keys file..
See the "AUTHORIZED_KEYS FILE FORMAT" section in "man sshd".
(btw - use authorized_keys2 for ssh v2),
That file name is deprecated, the file should be named authorized_keys instead. http://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2
try single quotes (') around the command= bit with the double quotes around the ssh command and see if that makes a difference.
No, AFAIK the command="..." in authorized_keys needs double quotes. The man page implies it, and I believe I tested it with single quotes and it did not work...
HTH, Filipe
Stewart Williams wrote on Tue, 16 Jun 2009 21:59:27 +0100:
command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@name.of.remote.server:/backup" ssh-dss ... key ...
As Nate says, the command on the other end looks different. Here's a good explanation and also a script to check on the other side: http://troy.jdmz.net/rsync/index.html
Kai
Stewart,
Try this website using anything other than the MSIE browser.
http://www.jms1.net/code/rsync-backup.shtml
This code has been most excellent for meeting many basic needs.
:-)
Don't forget to give jms1 a shout of thanks.
- rh