I want to use unison to sync the /home directories between two EL6 boxes.
Most writeups assume that unison is run as root and can ssh between the two boxes as root. However, we have disabled root logins both in /etc/passwd and in /etc/login.block, and connecting via ssh as root is disabled in sshd_config.
Is there a common and/or established method to unison sync something like /home without requiring root login?
One thought I had is to
- set up a uid:gid unison:unison on both boxes
- configure an ssh keypair for uid unison.
- set up unison/.ssh/authorized_keys so that only unison can be run from remote
- set up an ACL on /home: `setfacl -R -m d:g:unison:rwx,g:unison:rwx /home`
- set up the cronjob so it runs as uid 'unison'.
but I'm hoping that there's a better, more generally accepted way.
Thanks!
Best Answer
What I usually do is to create role accounts.
- a role account `unison`
- `~unison/.ssh/authorized_keys` with a restricting pattern like `command="/usr/local/bin/unison-homesync.sh"`
Pros:
Cons:
The approach does not scale well when done manually. If some configuration management is in place it is not a problem.
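A worked version of that forced-command wrapper, added here as an example rather than the answerer's own script. It keeps the script path from the answer, assumes the unison binary lives at /usr/bin/unison, and uses per-key authorized_keys options that exist in the OpenSSH shipped with EL6:

```shell
#!/bin/sh
# Forced-command wrapper for the 'unison' role account (example, assumed layout).
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; only
# unison's server mode is allowed, so the key cannot be turned into a shell
# or used for scp or port-forwarding. Matching ~unison/.ssh/authorized_keys
# entry (key material is a placeholder; these options are per-key, not sshd_config):
#   command="/usr/local/bin/unison-homesync.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER unison@boxA
set -eu

UNISON_BIN=/usr/bin/unison   # assumed location of the unison binary
LOG_TAG=unison-homesync

# allowed_command REQUEST -> 0 if REQUEST is exactly the server invocation a
# unison client sends (bare name or our fixed path), else 1. Anything else,
# such as an interactive shell, scp, or appended shell syntax, is refused.
# The request string is only compared, never evaluated.
allowed_command() {
    case "${1-}" in
        "unison -server"|"$UNISON_BIN -server") return 0 ;;
        *) return 1 ;;
    esac
}

# run_request REQUEST -> execs our own unison binary (not whatever path the
# client named) if allowed, otherwise logs the refusal and returns 1.
run_request() {
    if allowed_command "$1"; then
        exec "$UNISON_BIN" -server
    fi
    logger -p auth.warning -t "$LOG_TAG" "refused command: ${1:-<none>}"
    return 1
}

# Only dispatch when invoked by sshd (SSH_ORIGINAL_COMMAND is set); running
# the file by hand without a request does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    run_request "$SSH_ORIGINAL_COMMAND"
fi
```

Refusals land in the auth log, which is where to look if a sync job silently stops working after a unison upgrade changes the server command string.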