I have 2 servers (A
& B
), and I need to rsync files from A
to B
as root. Allowing root ssh login is possible (PermitRootLogin without-password
), but I'd like to lock it down as much as possible. I'm using ssh keys, and (on B
) the root ssh key (in /root/.ssh/authorized_keys
) is limited to A
's IP address (from="x.x.x.x ..."
).
But how can I lock (this ssh key) down more? Is it possible to restrict that ssh key to only allow rsync/file transfer (and preferably limited to a certain directory)?
Researching this points me to ancient web pages that mention scponly
shell, or rrsync
script from rsync, or rssh
from OpenSSH. But how can I set them up for just that key, without making my entire root account be rssh
😉?
Best Answer
rrsync
is designed to be used as a forced command for a particular key, so it should be exactly what you want.A forced command is set up using the
command
option for a key in an authorized keys file and is then always run whenever this key is used for authentication, no matter what command the client requested. But it has access to the requested command so it can for example implement a validated, restricted version of it and that's whatrrsync
does.You use it like this:
Access for this key is limited to rsync to the
/allowed/directory/
only. The-wo
(write only) option means thatrsync
will be only allowed to send to the remote machine,-ro
would only allow reading from the remote system, giving no option would allow transfer in both directions.On the local side when you give arguments to
rsync
you must give the remote path relative to the allowed directory, so onA
you would do eg.rsync -options /local/path root@B:
and notrsync -options /local/path root@B:/allowed/directory/
.See also this answer to a different but related question.