How can I restrict incoming root rsync over ssh to specified command?
I'm trying to setup a centralized backup server on RHEL 3.0, which
will use rsync over ssh to pull certain directories from the ssh
to the ssh client/rsync destination. Here's an example of the command,
script run via cron as root:
rsync --rsh="ssh -i /root/.ssh/rsync-id_rsa" \
-avR --stats --delete --max-delete=100 \
$HOST would be static but $CURR_DIR would vary on each call - it
contains a path containing the date and time, such as:
for a backup run on Feb 4, 2004 at 6pm.
I've setup a non-password protected private key as noted above to
non-interactive complete access to all files I want to backup. I'm
using "PermitRootLogin without-password" in sshd_config and the
from="myclient", no-port-forwarding, no-X11-forwarding,
no-pty options in authorized_keys to restrict how this key can be
this method would allow anyone who managed to obtain the private key
password protected root access to all servers which are being backed
this approach - hopfully without a terminal, but I don't know what
there are in this technique.
I was hoping to use the command="command" option, but from the
in the man pages it seems like this wouldn't work, since it seems like
command must be static, any command I send is ignored, and I'm not
which command I'd run on the other end to implement the rsync
want to do in any case.
I did think potentially the remote command could use environment
which I could set remotely via "PermitUserEnvironment yes" in
hopefully thereby allowing the remote command to be static, but I
how this would work with rsync using ssh as an underlying transport.
1. Does anyone think that the technique I'm using today is simply too
insecure? Even with the server locked up in a room with no user
access and running no daemons?
2. Is there a way to implement what I'm trying to do with rsync using
some variant of the command="" option to prevent any other use of
this non-password protected key?
Thanks in advance!
P.S. Please, no spam even though I'm posting through Google and can't
my email address!