How should ForceCommand be configured in order to allow the backup user to execute any rsync command? With ForceCommand set to /usr/bin/rsync I receive the error below: connection unexpectedly closed…
/etc/ssh/sshd_config on remote server hosting the files to be copied from:
Match User backup
PasswordAuthentication no
PubkeyAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/bin/rsync
rsync command running on the local server doing the copying from the remote server:
rsync -avzh --progress backup@hostname.domain:/opt/backups/automatic/cron/mysql/ /tmp/.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(601) [Receiver=3.0.7]
If I configure ForceCommand to the exact rsync command such as the one below I am able to remotely rsync successfully as the backup user but for this project I don't want to have to use the full exact command as below:
ForceCommand /usr/bin/rsync --server --sender -vlwkDonecf.iLew . /opt/backups/automatic/cron/mysql/
If I configure ForceCommand to use a script such as the one below I am able to remotely rsync successfully. I'm curious why this works and /usr/bin/rsync doesn't?
Match User backup
PasswordAuthentication no
PubkeyAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand /home/backup/cron/validate-rsync
The validate-rsync script:
#!/bin/sh
#script to validate rsync
#script source: http://troy.jdmz.net/rsync/#validate-rsync
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\(*)
echo "Rejected"
;;
*\{*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
*\<*)
echo "Rejected"
;;
*\`*)
echo "Rejected"
;;
*\|*)
echo "Rejected"
;;
rsync\ --server*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac
My primary question is why doesn't ForceCommand /usr/bin/rsync work?
I'm also curious about the best way(s) to do this. I can't chroot the backup user because I'm copying from several different folders. I don't really want to have to use the full exact rsync –server –client etc. command because I'm copying several different folders and that seems excessive. I'm curious about the simplest/best way(s) to restrict the backup user to rsync.
Best Answer
The why is easy...
ForceCommand
does exactly what it says: You connect, it forces you to run that command no matter what you actually wanted to do. In this case, that command is/usr/bin/rsync
with no flags.rsync
works by running another copy ofrsync
on the other side of the connection and talking to it over ssh. In this case though, it's unable to start the other side with the flags it needs because the command is replaced by/usr/bin/rsync
Your rsync-validate script is probably the best way to go about this. It checks the request to make sure it is a valid rsync server command, and only then does it run it.
rsync
probably could be modified to check the $SSH_ORIGINAL_COMMAND directly when its run without arguments, but there's probably a good security reason not to do so.