Sysadmining
More Secure Rsync Backup
goal: automate rsync using ssh key. don't allow other commands besides rsync
architecture: client sends to server using rsync and ssh key.
on client:
ssh-copy-id server@ip
on client: cmd will be:
rsync -ravPz -e "ssh -v" /somedir/files* me@ipaddress:~/backupfolder/2nddir
(recursive, verbose, partial, compress)
on server:
edit home/user/.ssh/authorized_keys prepend before the key e.g.
command="rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAA...
then from client, run the command already mentioned in shell. afterwards, it can be scripted. to verify ssh can't be used for arbitrary stuff, try ssh -v me@ipaddress, it should time out. and do nothing. the verbose tells you where it stalls:
debug1: Remote: Forced command. debug1: Remote: PTY allocation disabled. debug1: Remote: Agent forwarding disabled. debug1: Remote: Port forwarding disabled. debug1: Remote: Forced command. debug1: Remote: PTY allocation disabled. debug1: Remote: Agent forwarding disabled. debug1: Remote: Port forwarding disabled. debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 PTY allocation request failed on channel 0
and it sits until timeout. omit verbose flags after testing.
Client pull from server
Exact same as above, except
"rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir"
should be
"rsync --server --sender -vlogDtprCz /home/server/backupfolder/ ."
So add --sender, and swap the paths, so that the server path is listed.
references
http://web.archive.org/web/20200225215752/http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ https://web.archive.org/web/20160518004920/http://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory https://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory
note: rrsync is confusing. too much for avg man to handle in 15 minutes of sysadminning
these guides did not help: https://web.archive.org/web/20201019213926/http://ramblings.narrabilis.com/using-rsync-with-ssh
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux only command seems too much for this solution (later answers). the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.
http://web.archive.org/web/20200222224151/http://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/ again, only is too much complexity for a 15 minute task. allowing one command via ssh authorized keys is faster.
is it 100% secure?
no. but it is more secure than just leaving keys with full permissions on a server.