Ssh – Can’t get rsync to work in daemon-over-ssh mode

rsyncssh

I'm trying to set up rsync to copy the data from a server every day. In order to make the system as restricted as possible, I'm trying to use the mode described in the man page as:
"USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION"

So I've put a file called rsyncd.conf in roots home folder:

[root]
path = /
read only = true

and tried to copy /etc/passwd over as a test:

rsync -vv -e ssh myserver::root/etc/passwd .

But I get the following:

opening connection using: ssh myserver rsync --server --daemon . 
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(635) [receiver=3.0.3]

The reason I am doing all this is that once I get it working, I plan to restrict access by specifying the command

rsync --server --daemon .

in ~/.ssh/authorized_keys

Best Answer

There seems to be a bug in the documentation or the implimentation of rsync. man rsync says:

Rsync supports connecting to a host using a remote shell and then spawning a single-use “daemon” server that expects to read its config file in the home dir of the remote user.

but when connecting to root, according to /var/log/messages, it was looking in /etc/rsyncd.conf for the config file (the standard location for an rsyncd.conf file when not used over SSH.

I had to force the ssh server to use the right config file by adding

command="rsync --config=/root/rsyncd.conf --server --daemon ."

to /root/.ssh/authorized_keys.

The reason I didn't just put the config in the default location is that I didn't want someone to accidentally start a normal rsync daemon - I only want a daemon to have this much access when it has got the correct ssh key.

Related Solutions

Ssh – Is it possible to use rsync over sftp (without an ssh shell)

Unfortunately not directly. rsync requires a clean link with a shell that will allow it to start the remote copy of rsync, when run this way.

If you have some way of running long-lived listening processes on the host you could try starting rsync manually listening for connections on a non-privileged port, but most techniques for doing that would require proper shell access via SSH too, and it relies on the hosts firewall arrangements letting connections in on the port you chose (and the host having rsync installed in the first place). Running rsync as a publicly addressable service (rather than indirectly via SSH or similar) is not generally recommended for non-public data though.

If you host allows scripting in PHP or similar and does not have it locked down so extra processes can not be execed by user scripts, then you could try starting rsync in listening mode that way. If your end is connectible (you are running SSH accessible to the outside world) you could try this in reverse - have a script run rsync on the server but instead of listening for incoming connections have it contact your local service and sync that way. This still relies on rsync actually being installed on the host which is not a given, or that you can upload a working copy, but does not have the security implications of running an rsync daemon in a publicly addressable fashion and talking to it over an unencrypted channel.

Messing around as described above may be against the hosts policies though, even if it works at all, and could get you kicked off. You are better off asking if a full shell can be enabled for that account and either abandoning rsync for that host or abandoning that host and moving elsewhere if they will not do that.

Ssh – rsync connection closing right around an hour

Idle network connection during rsync transfert:

Yes, rsync could stay quiet during disk read and while they have no packet to send...

You said. our firewall is configured to close idle connections that have opened for more than an hour but nothing about the continuous idle duration.

rsync process on both ends, reading whole files to search for difference between packets, based on checksums previously computed.

While there are no difference between files on both ends, they may be no exchange between both ends until differences are found.

There is a little graphic representing a single rsync run between my desktop and his backup:

Trace rsync network traffic

In which we may see some seconds elapsed without datas:

TIME                     BLOCKS           BYTES
                        IN  OUT      IN     OUT
...
Jul 28 15:00:07 2013   449   41   23443 1526403
Jul 28 15:00:08 2013     0    0       0       0
Jul 28 15:00:09 2013     0    0       0       0
Jul 28 15:00:10 2013   143  182   21348 1123986
Jul 28 15:00:11 2013   112  142    6966  523326
Jul 28 15:00:12 2013    31   30    1942    1890
Jul 28 15:00:13 2013    30   28    1853   88038
Jul 28 15:00:14 2013     0    0       0       0
Jul 28 15:00:15 2013    57   66    3954   38301
...

Workaround:

As a workaround, you may use socket based ssh sharing:

First run a plain ssh for hanging socket and connection

ssh -M -o ControlPath=$HOME/.ssh/socket_test destHost ping -n localhost

Than in another window:

rsync -e 'ssh -e none -S $HOME/.ssh/socket_test' /src/file destHost:/dst/file

In this way, only one connection will be used for both ssh sessions. The ping will ensure (a lot of) continuous traffic, than rsync could work quietely, using same network connection.