This is a discussion on Re: Forcing a transfer to be one-way from the daemon side? - Tools ; firstname.lastname@example.org wrote: > I'm trying to set up a secure way to back up a system as root, with rsync > (assume we don't want to kill the bandwidth and want a "snapshot" system > for developers in a way ...
> I'm trying to set up a secure way to back up a system as root, with rsync
> (assume we don't want to kill the bandwidth and want a "snapshot" system
> for developers in a way that makes dump, tar, etc impractical.
> We've got an ssh key relationship set up and we can force the command to
> be rsync --daemon.
I set up a similar system, except that I used an ssh agent rather than a
simple key relationship. I hope this diagram makes sense:
\ \-> authorized_keys includes server_id_dsa.pub
\ \-> server_id_dsa attached
\--> ssh to client machine
/ \-> authorized_keys includes server_id_dsa.pub,
rsync to server <-/ which only runs rsync script
This way, the client machine can only rsync back data when the ssh agent
is present, because the server only allows in connections for its *own*
key, not any key that is stored on the client filesystem.
If you want to make this somewhat more secure, set it up in such a way
that the client machine cannot write to the rsync script-- in our case,
the client machines access the rsync script from a read-only nfs partition.
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html