[CentOS] Rsync, SSH and authorized_keys problem

Stewart Williams lists at pinkyboots.co.uk
Tue Jun 16 22:04:17 UTC 2009

nate wrote:
> Stewart Williams wrote:
>> Hi,
>> I'm trying to backup from one machine to the other (automatically via
>> cron) using rsync and ssh password-less public key authentication.
>> I having been trying to set this up following an article in a Linux
>> magazine[1] by only allowing the specific rsync command to run on the
>> remote box.
>> I am using the following rsync command:
>> $ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
>> stewart at name.of.remote.server:/backup
>> This runs, connects using keys asking for no password and completes
>> successfully until I add the above command to my authorized_keys file on
>> the remote box:
>> command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
>> stewart at name.of.remote.server:/backup" ssh-dss ... key ...
> I think your issue is the command your specifying is only what
> is run on the client end, not on the server end. the server
> runs rsync-server, e.g. from one of my rsync servers:
> logrsync  5244  0.0  0.0   2152   256 ?        S    14:03   0:00 rsync
> --server -vltpre.is --timeout=600 .
> /nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//
> the command I executed on the client is much, much bigger.
> rsync -rlptve /usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o
> NoneSwitch=yes --timeout=600  --files-from=/home
> /logrsync/jobs/rsync_list_00 --log-format="[%p] %t %o %f (%l/%b)"
> /var/xrt/pickup logrsync at pd3-dc01rsync-vip.pod.xxx.net:
> /nfs/exnas/root/pixelserverlogs/PD3-BGAS09//
>>> /home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1
> There may be other commands that are executed as well  as part of
> the file sync process other than rsync-server.
> I suggest if your really paranoid about only allowing file transfers
> then use the rsync protocol itself. You can encrypt it via a VPN
> or a ssl tunneling app like stunnel if you want.
> For me I am happy with just locking the system down so only ssh
> keys are allowed to login. don't feel the need to try to lock down
> what keys a particular app can use. And even if I did it wouldn't
> work since there are about 120 systems that share the same private
> key to upload and download data to different locations(couple TB
> of data transferred per day).
> nate
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

I am the only user with shell access to these systems and they are on a
private network, so maybe I am going a bit OTT. :)

More information about the CentOS mailing list