[CentOS] Rsync, SSH and authorized_keys problem

Tue Jun 16 22:04:17 UTC 2009
Stewart Williams <lists at pinkyboots.co.uk>

nate wrote:
> Stewart Williams wrote:
>> Hi,
>>
>> I'm trying to backup from one machine to the other (automatically via
>> cron) using rsync and ssh password-less public key authentication.
>>
>> I have been trying to set this up following an article in a Linux
>> magazine[1] by only allowing the specific rsync command to run on the
>> remote box.
>>
>> I am using the following rsync command:
>>
>> $ rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart at name.of.remote.server:/backup
>>
>> This runs, connects using keys asking for no password and completes
>> successfully until I add the above command to my authorized_keys file on
>> the remote box:
>>
>> command="rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart at name.of.remote.server:/backup" ssh-dss ... key ...
> 
> I think your issue is the command you're specifying is only what
> is run on the client end, not on the server end. The server
> runs rsync-server, e.g. from one of my rsync servers:
> logrsync  5244  0.0  0.0   2152   256 ?        S    14:03   0:00 rsync --server -vltpre.is --timeout=600 . /nfs/exnas/root/pixelserverlogs/transferlogs/pd3-bgas09//
> 
> the command I executed on the client is much, much bigger.
> 
> rsync -rlptve /usr/bin/hpnssh -v -o TcpRcvBufPoll=yes -o NoneEnabled=yes -o NoneSwitch=yes --timeout=600 --files-from=/home/logrsync/jobs/rsync_list_00 --log-format="[%p] %t %o %f (%l/%b)" /var/xrt/pickup logrsync at pd3-dc01rsync-vip.pod.xxx.net:/nfs/exnas/root/pixelserverlogs/PD3-BGAS09// >> /home/logrsync/logs/rsync_worker_00_20090616_153501.log 2>&1
> 
> There may be other commands that are executed as well  as part of
> the file sync process other than rsync-server.
> 
> I suggest if you're really paranoid about only allowing file transfers
> then use the rsync protocol itself. You can encrypt it via a VPN
> or a ssl tunneling app like stunnel if you want.
> 
> For me I am happy with just locking the system down so only ssh
> keys are allowed to login. I don't feel the need to try to lock down
> what keys a particular app can use. And even if I did it wouldn't
> work since there are about 120 systems that share the same private
> key to upload and download data to different locations (a couple TB
> of data transferred per day).
> 
> nate
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 

I am the only user with shell access to these systems and they are on a
private network, so maybe I am going a bit OTT. :)
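The point nate makes is what decides this: a `command="..."` option in authorized_keys replaces whatever the client asked to run, and the only thing the client's `rsync -avz -e ssh ...` ever asks the server to run is rsync's own server half, `rsync --server ... . /backup`. sshd hands that original request to the forced command in the `SSH_ORIGINAL_COMMAND` environment variable, so the usual way to pin a key to one backup job is a small wrapper that checks that request and then executes it. (A further detail of the posted authorized_keys line: the option value is itself double-quoted, so the inner `"ssh -i ..."` quotes end it early; pointing `command=` at a script avoids nested quoting entirely.) The wrapper below is an added example written for this thread, not code from either poster or from the rsync project. The install path `/usr/local/bin/rsync-only`, the `ALLOWED_DIR` value and the small allowlist of long options are assumptions chosen for the /backup case discussed here.

```shell
#!/bin/sh
# Added example, not from the original thread: a forced-command wrapper that
# lets the backup key run nothing but an rsync receiver for one directory.
# Installed at an assumed path such as /usr/local/bin/rsync-only and used as:
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-dss AAAA... backup-key
# sshd runs this script instead of the client's request and exposes that
# request in SSH_ORIGINAL_COMMAND. For "rsync -avz -e ssh /backup host:/backup"
# the request is roughly "rsync --server -vlogDtprze.iLsfx . /backup".

ALLOWED_DIR="/backup"   # constructed policy: the only path this key may write into

# validate_rsync_cmd "<requested command>": returns 0 when the request is an
# rsync receiver for ALLOWED_DIR, 1 for anything else.
validate_rsync_cmd() {
    # Shell metacharacters or glob characters could smuggle in a second command
    # or an unexpected path; ".." would step outside ALLOWED_DIR.
    case "$1" in
        *\;*|*\&*|*\|*|*\`*|*\$*|*\(*|*\)*|*\<*|*\>*|*\**|*\?*|*\[*|\
        *\\*|*\"*|*\'*|*../*|*/..*) return 1 ;;
    esac

    # Safe to word-split now: the string holds only plain tokens.
    set -- $1
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] || return 1
    shift 2

    # Everything before the final two arguments must be an rsync option.
    while [ $# -gt 2 ]; do
        case "$1" in
            --sender) return 1 ;;    # would let the key read /backup out, not only write in
            -[!-]*) ;;               # short option cluster, e.g. -vlogDtprze.iLsfx
            --timeout=*|--delete) ;; # constructed allowlist of long options; extend as needed
            *) return 1 ;;
        esac
        shift
    done

    # rsync's server side ends with "." followed by the destination path.
    [ $# -eq 2 ] && [ "$1" = "." ] || return 1
    case "$2" in
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/) return 0 ;;
        *) return 1 ;;
    esac
}

# Under sshd: enforce the policy, then hand over to the real rsync server.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        # Word splitting is intentional; the string was validated token by token.
        exec $SSH_ORIGINAL_COMMAND
    fi
    msg="rejected request from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    logger -t rsync-only "$msg" 2>/dev/null || printf '%s\n' "$msg" >&2
    exit 1
fi
```

The client side stays exactly as posted (`rsync -avz -e "ssh -i ~/.ssh/backup-key" /backup stewart@host:/backup`); only the key's authorized_keys entry changes. Every rejected request is logged with the client address, which is the signal to watch for if that private key ever turns up somewhere it should not be.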