[CentOS] Rsync, SSH and authorized_keys problem

Tue Jun 16 21:08:00 UTC 2009
nate <centos at linuxpowered.net>

Stewart Williams wrote:
> Hi,
>
> I'm trying to backup from one machine to the other (automatically via
> cron) using rsync and ssh password-less public key authentication.
>
> I having been trying to set this up following an article in a Linux
> magazine[1] by only allowing the specific rsync command to run on the
> remote box.
>
> I am using the following rsync command:
>
> $ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
> stewart at name.of.remote.server:/backup
>
> This runs, connects using keys asking for no password and completes
> successfully until I add the above command to my authorized_keys file on
> the remote box:
>
> command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup
> stewart at name.of.remote.server:/backup" ssh-dss ... key ...

I think your issue is the command your specifying is only what
is run on the client end, not on the server end. the server
runs rsync-server, e.g. from one of my rsync servers:
logrsync  5244  0.0  0.0   2152   256 ?        S    14:03   0:00 rsync
--server -vltpre.is --timeout=600 .
/nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//

the command I executed on the client is much, much bigger.

rsync -rlptve /usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o
NoneSwitch=yes --timeout=600  --files-from=/home
/logrsync/jobs/rsync_list_00 --log-format="[%p] %t %o %f (%l/%b)"
/var/xrt/pickup logrsync at pd3-dc01rsync-vip.pod.xxx.net:
/nfs/exnas/root/pixelserverlogs/PD3-BGAS09//
>>/home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1

There may be other commands that are executed as well  as part of
the file sync process other than rsync-server.

I suggest if your really paranoid about only allowing file transfers
then use the rsync protocol itself. You can encrypt it via a VPN
or a ssl tunneling app like stunnel if you want.

For me I am happy with just locking the system down so only ssh
keys are allowed to login. don't feel the need to try to lock down
what keys a particular app can use. And even if I did it wouldn't
work since there are about 120 systems that share the same private
key to upload and download data to different locations(couple TB
of data transferred per day).

nate