On 08/17/11 13:35, Grant wrote: >>> Is there a way to >>> restrict SSH keys to the rsync command? >> >> Yes, via the "authorized_keys" file. you can add a "command" directive. this >> will always force that command to be executed whenever a connection is made >> using this key. > > I'm using the command directive with rdiff-backup like > command="rdiff-backup --server" but I can't figure out the rsync > command to specify. Is anyone restricting an SSK key to rsync with > the command directive? >
We're doing the same thing for our backups. Here's that chunk of our documentation, if it's helpful. === rdiff-backup Client === ==== Creating the Remote User ==== First, create a new system user on the backup server. Log in (as root), and run, useradd -d /home/<username> -m <username> The ''-d'' parameter sets the home directory, and ''-m'' creates it automatically. The rdiff-backup program uses SSH to synchronize the local and remote filesystems. As a result, non-interactive operation requires a server/client certificate pair. Furthermore, we cannot prevent shell logins for our new user account. Give it a reasonably-complex password. You'll only need to type it twice: passwd <username> ==== Installing rdiff-backup ==== First things first; install rdiff-backup on the client. In Gentoo, all this requires is the following, emerge rdiff-backup If that works, go ahead and continue. ==== Setting up SSH Authentication ==== For now, we're done on the backup server. Log in to the client server (the one to be backed up) as root. We need to generate an SSH key pair: ssh-keygen Name the file something informative when asked. '''Do not create a password for the key file.''' For example, your private key for <backup_server> might be named ~/.ssh/<backup_server>_rsa. Now, copy the public key, e.g. ~/.ssh/<backup_server>_rsa.pub to the backup server using the user that we created earlier. scp ~/.ssh/<public_key_file> <remote_user>@<backup_server>:~/ And add a section to the local ~/.ssh/config file which corresponds to the backup server. This forces the local machine to authenticate to the backup server using its key rather than a password. <pre> Host <backup_server_hostname> Hostname <backup_server_hostname> IdentityFile ~/.ssh/<private_key_file> IdentitiesOnly yes </pre> Now, ssh into the backup server as your new user. Our goal is to add this key as "trusted," allowing anyone with the corresponding key to connect as this user. On the backup server (as our new user), execute, cat <public_key_file> >> ~/.ssh/authorized_keys rm <public_key_file> and add the following to the authorized_keys file manually. Add it at the beginning of the line for the new public key. command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding This will restrict the user with this public key to executing only the rdiff-server command.
