Ssh public key restriction to rsync command
Revision as of 19:16, 25 June 2013 by Chris (talk | contribs) (→modify authorized_keys on destination host)
1 what we needed
We needed to collect all files within a specific directory, weekly and from 150 hosts.
Of course this should be done with public keys, and it has to be restricted to the necessary minimum of ssh privileges.
- example command
rsync -a dst-user@dst-host:/var/log/data/* /opt/data/dst-host/
2 how to test and install
2.1 create and install public key
[src-user@src-host ~]$ ssh-keygen -t dsa
[src-user@src-host ~]$ scp .ssh/id_dsa.pub dst-user@dst-host:
[src-user@src-host ~]$ ssh dst-user@dst-host 'cat id_dsa.pub >> .ssh/authorized_keys'
[src-user@src-host ~]$ ssh dst-user@dst-host 'chmod 600 .ssh/authorized_keys'
2.2 get the information needed to restrict authorized_keys
Run the transfer once with a verbose ssh; the debug output shows the exact server-side command the client sends, which is what goes into command= below.
[src-user@src-host ~]$ (rsync -a -e 'ssh -v -v -v' dst-user@dst-host:/var/log/data/* /opt/data/dst-host/ ) 2>&1 | grep rsync
debug1: Sending command: rsync --server --sender -logDtpr . /var/log/data/*
2.3 modify authorized_keys on destination host
vi .ssh/authorized_keys
---
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="src-host.domain.com",command="rsync --server --sender -logDtpr . /var/log/data/*" ssh-dss AAAAB3.....ZNA== src-user@src-host.domain.com
---
- note
Now you should be able to transfer /var/log/data/* from any host that has an authorized_keys file like the one above.
But you are not able to transfer any other directory, nor to log in to dst-host by ssh: sshd runs the forced command= regardless of what the client asks for, and --sender keeps the rsync server read-only.
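An added audit helper, not from the wiki page, that checks an authorized_keys file for keys missing the restriction set shown above; the function names and the sample key lines are constructed here:

```shell
# Added example (not the wiki's): audit authorized_keys for keys missing the rsync-only restrictions.

# Options every rsync-only key must carry (from the page's authorized_keys line).
REQUIRED_OPTS='no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty'

# build_line <pubkey line> <allowed source host> <forced rsync server command>
# Prints one authorized_keys line in the format the page uses.
build_line() {
    printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="%s",command="%s" %s\n' "$2" "$3" "$1"
}

# check_line <authorized_keys line>: prints OK and returns 0 only if the line carries
# every REQUIRED_OPTS entry, a from= host restriction and a command= that starts a
# read-only (--sender) rsync server. The option prefix is split off at the " ssh-"
# key-type token (ssh-dss, ssh-rsa, ssh-ed25519); ecdsa keys are not handled here.
check_line() {
    line=$1
    opts=${line%% ssh-*}
    [ "$opts" = "$line" ] && opts=""        # no option prefix at all
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "FAIL: missing $o"; return 1 ;;
        esac
    done
    case "$opts" in *'from="'*) ;; *) echo "FAIL: missing from="; return 1 ;; esac
    case "$opts" in
        *'command="rsync --server --sender '*) ;;
        *) echo "FAIL: command= is not a read-only rsync server"; return 1 ;;
    esac
    echo "OK"
}

# audit_file <path>: one verdict per key line; returns the number of failing
# lines, so 0 means every key in the file is rsync-only.
audit_file() {
    failed=0
    while IFS= read -r l; do
        case "$l" in ''|'#'*) continue ;; esac     # skip blanks and comments
        check_line "$l" || failed=$((failed + 1))
    done < "$1"
    return "$failed"
}

# Constructed sample: one restricted key and one unrestricted key.
sample=$(mktemp)
build_line 'ssh-dss AAAAB3EXAMPLE== src-user@src-host.domain.com' \
    'src-host.domain.com' 'rsync --server --sender -logDtpr . /var/log/data/*' > "$sample"
echo 'ssh-rsa AAAAB3EXAMPLE== other-user@other-host' >> "$sample"
n=0; audit_file "$sample" || n=$?
echo "unrestricted keys: $n"; rm -f "$sample"
```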