2010-12-29 18:36

You have 2 systems and you want to set up a secure backup with rsync + SSH of one system to the other.

Very simply, you can use:

backup.example.com# rsync -avz --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/

To do the backup, you have to be root on the remote server, because some files are only root readable.

Problem: you will allow backup.example.com to do anything on myserver.example.com, where just read only access on the directory is sufficient.

To solve it, you can use the command="" directive in the authorized_keys file to filter the command.

To find this command, start rsync adding the -e'ssh -v' option:

rsync -avz -e'ssh -v' --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/ 2>&1 | grep "Sending command"

You get a result like:

debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/

Now, just add the command before the key in /root/.ssh/authorized_keys:

command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

And for even more security, you can add an IP filter, and other options:

from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

Now try to open a ssh shell on the remote server.. and try some unauthorized rsync commands…

Notes:

  • Beware that if you change rsync command options, change also the authorized_keys file.
  • No need for complex chroot anymore. Forget my previous article: sftp-chroot-rsync

See also:

  • man ssh #/AUTHORIZED_KEYS FILE FORMAT
  • man rsync
  • view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync, allows you to manage allowed options precisely)
2010-12-29 18:36 · Tags: , ,

6 Comments

  1. my user is no login, how can I use this for that user?
    do I have to change my user setting on the server to be able to allow login?

    Reply

  2. Thanks for the above – it was just what I needed.

    (I didn’t know you could have a ‘from’ bit in authorized_keys).

    Reply

  3. Pingback: Allow only rsync and not ssh from remote server – Barchive

  4. I would not recommend this approach. If you do this, then use remote user can rsync over a new .ssh/authorized_keys that removes the restrictions and have full shell access as root using that key.

    Better to have the root user on the machine you want to backup, ssh as a non-root user to the machine you want the backups on and upload.

    Reply

  5. [Disclosure: I wrote sshdo which is described below]

    There’s a program for controlling which commands may be executed via incoming ssh. It’s called sshdo. It can be used to precisely control uses of rsync as well as other commands, all at the same time. It’s available for download at:

    http://raf.org/sshdo/ (read manual pages here)
    https://github.com/raforg/sshdo/

    It has a training mode to allow all commands that are attempted, and a –learn option to produce the configuration needed to allow learned commands permanently. Then training mode can be turned off and any other commands will not be executed.

    It also has an –unlearn option to stop allowing commands that are no longer in use so as to maintain strict least privilege as requirements change over time.

    It is very fussy about what it allows. It won’t allow a command with any arguments. Only complete shell commands can be allowed.

    But it does support simple patterns to represent similar commands that vary only in the digits that appear on the command line (e.g. sequence numbers or date/time stamps).

    It’s like a firewall or whitelisting control for ssh commands.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>