Securing rsync on ssh
Reference: positon.org
You have 2 systems and you want to set up a secure backup with rsync + SSH of one system to the other.
Very simply, you can use:
backup.example.com# rsync -avz --numeric-ids --delete [email protected]:/path/ /backup/myserver/To do the backup, you have to be root on the remote server, because some files are only root readable.
Problem: you will allow backup.example.com to do anything on myserver.example.com, where just read only access on the directory is sufficient.
To solve it, you can use the command="" directive in the authorized_keys file to filter the command.
To find this command, start rsync adding the -e'ssh -v' option:
rsync -avz -e'ssh -v' --numeric-ids --delete [email protected]:/path/ /backup/myserver/ 2>&1 | grep "Sending command"You get a result like:
debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/Now, just add the command before the key in /root/.ssh/authorized_keys:
command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......And for even more security, you can add an IP filter, and other options:
from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......Now try to open a ssh shell on the remote server.. and try some unauthorized rsync commands... Notes:
- Beware that if you change rsync command options, change also the authorized_keys file.
- No need for complex chroot anymore.
See also:
- man ssh #/AUTHORIZED_KEYS FILE FORMAT
- man rsync
- view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync, allows you to manage allowed options precisely)