Bash – Trying to script rsync using pam_exec

bashpamrsync

I'm trying to write a bash script that will execute rsync when called by pam_exec. I've tried a couple different ways, and I'm not sure what I'm doing wrong.
When I try to run the script at login by adding

session     optional      pam_exec.so /usr/bin/local/sync.sh

to my sshd file, it gives me an exit code of 12.

If I log in and then manually run my script, it allows me to connect to the remote server, and it lists my files, but it doesn't actually sync anything.

I have tried the code below using buth $USER and $PAM_USER. $PAM_USER doesn't work at all.

#!/bin/sh 
rsync -azv -e ssh $USER@remote_server:/home/html/$USER/ /home/html/$USER

Best Answer

The man page for pam_exec explains that the module provides $PAM_USER, not $USER:

the following PAM items are exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and PAM_TYPE [...]

On my Debian based system I added this line just before the entry for pam_motd

# Run a script on login
session    optional     pam_exec.so /usr/local/etc/pam_exec.sh

I then created the test script, remembering to make it executable:

cat >/usr/local/etc/pam_exec.sh <<'EOF'; chmod a+rx /usr/local/etc/pam_exec.sh
#!/bin/bash
#
test open_session = "$PAM_TYPE" && {
    echo
    date
    echo "PAM_USER=$PAM_USER, USER=$USER."

} >>/tmp/pam_exec.log

exit 0
EOF

Finally, I opened a new login session to my test system, and saw that on session start I received information such as this in my log file /tmp/pam_exec.log:

Mon Nov  9 23:32:52 GMT 2015
PAM_USER=roaima, USER=.

To implement your requirement you would need to use a script something like this:

#!/bin/sh
rsync -azq -e ssh "$PAM_USER"@remote_server:/home/html/"$PAM_USER"/ /home/html/"$PAM_USER" >/dev/null 2>&1

Notice that all output from rsync is discarded. This is necessary to ensure that client/server applications using ssh as a transport do not get hit by unexpected output before they can start their negotiation. If you really want to present it to the user, I would recommend you write it to a user-specific log file such as "$HOME/.pam_exec.log" and then use a line like this in the user's .profile to output it after the login process has completed:

if test -t 1 -a -s "$HOME/.pam_exec.log"
then
    echo "Prelogin results"
    sed 's/^/| /' "$HOME/.pam_exec.log"
fi

It's not immune to a race condition, but IME most users don't login simultaneously multiple times to the same server. If you find this scenario is common there are ways to deal with it.

Related Solutions

Windows – Using rsync from msysgit for binary files

As of now (9/7/2017) it is extremely easy to manually add rsync support to the Git for Windows environment without even having to resort to running the Git for Windows SDK.

I stumbled across this post and didn't think it could really be that easy given all the alternatives, but it really is. All you need to do is grab the rsync package from the MSYS2 Package repository and extract the rsync.exe file into C:\Program Files\Git\usr\bin. One and done. It works.

If you need help extracting rsync.exe from the rsync package (which is in tar.xz format), you can either use a compression utility like 7zip or do it directly within the Git for Windows bash environment like so:

cd /c/downloaded_location
tar -xvf rsync.pkg.tar.xz usr/bin/rsync.exe --strip-components=2

This gives you the rsync.exe file in the downloaded location (adjust the package name accordingly). In light of Windows permissions issues I won't try to give specific commands on getting the exe into the C:\Program Files\Git\usr\bin folder. You can copy it via an explorer GUI or via an elevated command line utility (and yes, it will require admin level permissions to copy something into the Program Files folders).

If you want to also use Pageant authentication with rsync over ssh, the ssh-pageant binary is already installed in Git for Windows and all you need to do is add a small bit to your ~/.bashrc or ~/.bash_profile file (see ssh-pageant usage section and Git for Windows wiki). I've modified it specifically for use with the Git for Windows environment and enhanced it with some detection for a missing socket file:

# ssh-pageant allows use of the PuTTY authentication agent (Pageant)
SSH_PAGEANT="$(command -v ssh-pageant)"
if [ -S "$SSH_AUTH_SOCK" ]; then
  PAGEANT_SOCK=$SSH_AUTH_SOCK
else
  PAGEANT_SOCK=${TEMP:-/tmp}/.ssh-pageant-$USERNAME
fi
if [ -x "$SSH_PAGEANT" ]; then
  eval $("$SSH_PAGEANT" -qra "$PAGEANT_SOCK")
fi
unset SSH_PAGEANT
unset PAGEANT_SOCK

I can't speak to how other utilities might or might not work by manually installing them this way, but rsync appears to work just fine. Hopefully that repo will stay and continue to be updated--I'd think so because it's hosted at the official MSYS2 site.

SSH Rsync – ForceCommand Error: Connection Unexpectedly Closed

The why is easy... ForceCommand does exactly what it says: You connect, it forces you to run that command no matter what you actually wanted to do. In this case, that command is /usr/bin/rsync with no flags.

rsync works by running another copy of rsync on the other side of the connection and talking to it over ssh. In this case though, it's unable to start the other side with the flags it needs because the command is replaced by /usr/bin/rsync

Your rsync-validate script is probably the best way to go about this. It checks the request to make sure it is a valid rsync server command, and only then does it run it. rsync probably could be modified to check the $SSH_ORIGINAL_COMMAND directly when its run without arguments, but there's probably a good security reason not to do so.

Best Answer

Related Solutions

Windows – Using rsync from msysgit for binary files

SSH Rsync – ForceCommand Error: Connection Unexpectedly Closed

Related Topic