http://steakwiki.com/index.php?action=history&feed=atom&title=RsyncRsync - Revision history2026-05-07T19:52:29ZRevision history for this page on the wikiMediaWiki 1.35.1http://steakwiki.com/index.php?title=Rsync&diff=2363&oldid=prevViciousCarnivore: Created page with "<small> ==More Secure Rsync Backup== goal: automate rsync using ssh key. don't allow other commands besides rsync architecture: client sends to server using rsync and ssh key..."2025-10-24T22:29:40Z<p>Created page with "<small> ==More Secure Rsync Backup== goal: automate rsync using ssh key. don't allow other commands besides rsync architecture: client sends to server using rsync and ssh key..."</p>
<p><b>New page</b></p><div><small><br />
==More Secure Rsync Backup==<br />
goal: automate rsync using ssh key. don't allow other commands besides rsync<br />
<br />
architecture: client sends to server using rsync and ssh key. <br />
<br />
===on client:===<br />
ssh-copy-id server@ip<br />
<br />
on client:<br />
cmd will be:<br />
rsync -ravPz -e "ssh -v" /somedir/files* me@ipaddress:~/backupfolder/2nddir<br />
(recursive, verbose, partial, compress)<br />
<br />
===on server:===<br />
edit home/user/.ssh/authorized_keys<br />
prepend before the key<br />
e.g.<br />
command="rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAA...<br />
<br />
<br />
then from client, run the command already mentioned in shell. afterwards, it can be scripted. to verify ssh can't be used for arbitrary stuff, try ssh -v me@ipaddress, it should time out. and do nothing. the verbose tells you where it stalls:<br />
<pre><br />
debug1: Remote: Forced command.<br />
debug1: Remote: PTY allocation disabled.<br />
debug1: Remote: Agent forwarding disabled.<br />
debug1: Remote: Port forwarding disabled.<br />
debug1: Remote: Forced command.<br />
debug1: Remote: PTY allocation disabled.<br />
debug1: Remote: Agent forwarding disabled.<br />
debug1: Remote: Port forwarding disabled.<br />
debug1: Sending environment.<br />
debug1: Sending env LANG = en_US.UTF-8<br />
PTY allocation request failed on channel 0</pre><br />
<br />
and it sits until timeout. omit verbose flags after testing.<br />
<br />
====Client pull from server====<br />
Exact same as above, except <br />
"rsync --server -vlogDtprCz . /home/user/backupfolder/2nddir"<br />
should be<br />
"rsync --server --sender -vlogDtprCz /home/server/backupfolder/ ."<br />
So add --sender, and swap the paths, so that the server path is listed.<br />
<br />
===references===<br />
http://web.archive.org/web/20200225215752/http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/<br />
https://web.archive.org/web/20160518004920/http://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory<br />
https://serverfault.com/questions/343668/rsync-with-ssh-keygen-to-ssh-user-with-limited-commands-and-specifc-directory<br />
<br />
note: rrsync is confusing. too much for avg man to handle in 15 minutes of sysadminning<br />
<br />
these guides did not help:<br />
https://web.archive.org/web/20201019213926/http://ramblings.narrabilis.com/using-rsync-with-ssh<br />
<br />
https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux<br />
only command seems too much for this solution (later answers).<br />
the amount of configuration listed by first answer (dodzi) is insane. lets play spot the bullshit.<br />
<br />
http://web.archive.org/web/20200222224151/http://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/<br />
again, only is too much complexity for a 15 minute task. allowing one command via ssh authorized keys is faster.<br />
<br />
===is it 100% secure?===<br />
no. but it is more secure than just leaving keys with full permissions on a server.<br />
</small></div>ViciousCarnivore