I want to secure some remote rsyncs over ssh by using the command= option in .authorized_keys. As I understand I can use only the full command there, as it is not a list of "allowed commands" but the command that will be executed when logging in with this key. Now, I'm running several rsync commands on individual directories in the root, not just one command. I do that to pull different exclude lists in. I want to exclude nothing in some directories and a few different things in other directories. rsyncing per /rooted directory seems to be the cleanest and easiest way. All other combinations of complicated exclude/include lists may have unexpected results. I thought about putting the remote command in a shell script. However, I think this won't work as each rsync on the remote side will be executed with the first rsync command in the script on the local side. Is there a solution (besides using several keys or so)?
Kai
On Tue, 29 Jul 2008, Kai Schaetzl wrote:
I want to secure some remote rsyncs over ssh by using the command= option in .authorized_keys. As I understand I can use only the full command there, as it is not a list of "allowed commands" but the command that will be executed when logging in with this key. Now, I'm running several rsync commands on individual directories in the root, not just one command. I do that to pull different exclude lists in. I want to exclude nothing in some directories and a few different things in other directories. rsyncing per /rooted directory seems to be the cleanest and easiest way. All other combinations of complicated exclude/include lists may have unexpected results. I thought about putting the remote command in a shell script. However, I think this won't work as each rsync on the remote side will be executed with the first rsync command in the script on the local side. Is there a solution (besides using several keys or so)?
Kai
-- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
By 'secure some remote rsyncs' do you mean only allow rsync but not interactive login? If so perhaps this will meet your needs: http://troy.jdmz.net/rsync/index.html
-- Mike
At 02:43 PM 7/29/2008, you wrote:
On Tue, 29 Jul 2008, Kai Schaetzl wrote:
I want to secure some remote rsyncs over ssh by using the command= option in .authorized_keys. As I understand I can use only the full command there, as it is not a list of "allowed commands" but the command that will be executed when logging in with this key. Now, I'm running several rsync commands on individual directories in the root, not just one command. I do that to pull different exclude lists in. I want to exclude nothing in some directories and a few different things in other directories. rsyncing per /rooted directory seems to be the cleanest and easiest way. All other combinations of complicated exclude/include lists may have unexpected results. I thought about putting the remote command in a shell script. However, I think this won't work as each rsync on the remote side will be executed with the first rsync command in the script on the local side. Is there a solution (besides using several keys or so)?
Kai
-- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
By 'secure some remote rsyncs' do you mean only allow rsync but not interactive login? If so perhaps this will meet your needs: http://troy.jdmz.net/rsync/index.html
Hello Kai,
I wanted to reply with a solution, but I did not quite understand the problem.. It certainly appears that you have the rsync and ssh skills/competency to do what you want.
Thanks, Glenn Parsons
Glenn wrote on Tue, 29 Jul 2008 15:17:08 -0400:
I wanted to reply with a solution, but I did not quite understand the problem.
The problem is that if you use a "forced command" in authorized_keys that is the only command that runs with this key. If you want to use a few more, even if they only differ in parameters, like rsync commands with different options, this won't work - so you're stuck with that one command or need a different solution. However, it's the only solution that you will find googling up and down the net. That one at troy.jdmz.net is different and looks promnising.
Kai
Mike wrote on Tue, 29 Jul 2008 11:43:09 -0700 (MST):
By 'secure some remote rsyncs' do you mean only allow rsync but not interactive login? If so perhaps this will meet your needs: http://troy.jdmz.net/rsync/index.html
This looks good. It uses a script on the remote side that checks the beginning of the command and thus avoids the limitation with adding a fixed rsync command in authorized_keys. Thanks!
Kai
-
Glenn -
Kai Schaetzl -
Mike