SSH public key restriction to rsync command

From Bitbull Wiki

1 what we needed

We needed to collect all files within a specific directory, weekly and from 150 hosts.
Of course, this should be done with public keys and has to be restricted to the necessary minimum of ssh privileges.

example command
rsync -a dst-user@dst-host:/var/log/data/* /opt/data/dst-host/

2 how to test and install

2.1 create and install public key

[src-user@src-host ~]$ ssh-keygen -t dsa
[src-user@src-host ~]$ scp .ssh/id_dsa.pub dst-user@dst-host:
[src-user@src-host ~]$ ssh dst-user@dst-host 'cat id_dsa.pub >> .ssh/authorized_keys'
[src-user@src-host ~]$ ssh dst-user@dst-host 'chmod 600 .ssh/authorized_keys'

2.2 get info on how to restrict authorized_keys

[src-user@src-host ~]$ (rsync -a -e 'ssh -v -v -v' dst-user@dst-host:/var/log/data/* /opt/data/dst-host/ )2>&1 | grep rsync
debug1: Sending command: rsync --server --sender -logDtpr . /var/log/data/*

2.3 modify authorized_keys on destination host

vi .ssh/authorized_keys
---
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="src-host.domain.com",command="rsync --server --sender -logDtpr . /var/log/data/*" ssh-dss AAAAB3.....ZNA== src-user@src-host.domain.com
---
Note

Now you should be able to transfer /var/log/data/* from any host that has an authorized_keys file like the one above.
But you are not able to transfer any other directory, nor to log in on dst-host via ssh.
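The fixed command="..." entry above always runs the recorded rsync server command regardless of what the client asks for. The wrapper below, an added example that is not part of the original wiki page, does the same job but checks the client's request explicitly and logs anything else, so attempts to use the key for something other than the agreed rsync show up in syslog. The install path /usr/local/bin/rsync-only and the RSYNC_ONLY_NO_EXEC variable are assumptions of this example.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for an authorized_keys entry such as
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="src-host.domain.com" KEYTYPE AAAA... src-user@src-host
# (path and key placeholders are assumptions, not from the original page).
# sshd places the command the client actually requested in
# SSH_ORIGINAL_COMMAND; only the exact rsync server invocation recorded
# with 'ssh -v -v -v' is allowed, and the client-supplied string itself is
# never executed.

ALLOWED_CMD='rsync --server --sender -logDtpr . /var/log/data/*'

# check_rsync_command CMD
# Returns 0 if CMD is byte-for-byte the allowed rsync server command,
# 1 otherwise. Exact comparison, no pattern matching, so appended shell
# syntax (" ; sh") or a different directory ("/etc/*") is refused.
check_rsync_command() {
    [ "$1" = "$ALLOWED_CMD" ]
}

# Only act inside a real forced-command session; RSYNC_ONLY_NO_EXEC is an
# assumed test hook so the file can be sourced without running rsync.
if [ -n "$SSH_ORIGINAL_COMMAND" ] && [ -z "$RSYNC_ONLY_NO_EXEC" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # Unquoted on purpose: the shell expands /var/log/data/* exactly as
        # the fixed command="..." form on this page does.
        exec $ALLOWED_CMD
    else
        # Record the client address (first field of SSH_CLIENT) and the
        # rejected request for the host's logs, then fail closed.
        logger -t rsync-only "rejected command from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
        echo "rsync-only: command not permitted" >&2
        exit 1
    fi
fi
```

Keep the ALLOWED_CMD string in sync with the output of the 'ssh -v -v -v' check in section 2.2 whenever the rsync options on the collecting host change, otherwise every transfer is rejected.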

LINKS
http://onlamp.com/pub/a/onlamp/excerpt/ssh_8/