Re: rsync support in authprogs - feedback requested

2021-02-18 Thread Nick Cleaton via rsync 
On Thu, 18 Feb 2021, 15:28 Karl O. Pinc via rsync, 
wrote:

>
> For some 15 years+ (?) I've had a /root/.ssh/authorized keys line
> that starts with:
>
> "no-pty,no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,command="rsync
> --server --daemon ."
>
> Occasionally I frob the ssh restrictions as new ones are introduced.
>

Recent openssh has the "restrict" key option for that, which would allow
you to retire the frobinator
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: rsync support in authprogs - feedback requested

2021-02-18 Thread Paul Slootman via rsync 
On Thu 18 Feb 2021, Bri Hatch via rsync wrote:
> 
> We use authprogs for more than just rsync though, and want more granularity
> than rrsync can support. If you force rrsync for the ssh key via
> command="rrsync" then that key may only be used to run rsync, you can't
> also allow additional commands. From a CI/CD perspective it may be useful
> to have the client side rsync some files, restart some services, and not
> need to use separate keys for each.

I use post-xfer scripts defined in rsyncd.conf to do useful things after
transferring files. That works well.

But I do see that there could be a use for rsync support in authprogs.


Paul

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: rsync support in authprogs - feedback requested

2021-02-18 Thread Karl O. Pinc via rsync 
On Thu, 18 Feb 2021 12:22:33 -0500
Kevin Korb via rsync  wrote:

> You should both look into rrsync.  It comes with rsync and is designed
> to do exactly this.  

I'm not really interested in restricting rsync to particular
directories.  That seems to be what rrsync is for, although
it's a little hard to tell -- there's also a read-only option.

>  Unfortunately some Linux distros are maintained
> by insane people who install rrsync as if it was documentation
> (compressed and not executable) instead of a helper script which is
> what it is.  

FWIW, my uninformed guess is that Debian does not install
rrsync as an executable script because nobody has gotten around to
writing a it a man page.  A man page is required by Debian
policy for every executable.  

The good news is that rrsync is not compressed in Debian.  :)  The bad
news is I don't even see a bug report requesting rrsync, or
anything else in /usr/share/doc/rsync/scripts/, be executable.

Regards,

Karl 
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: rsync support in authprogs - feedback requested

2021-02-18 Thread Bri Hatch via rsync 
I'm aware of rrsync, and it works well for its use case.

We use authprogs for more than just rsync though, and want more granularity
than rrsync can support. If you force rrsync for the ssh key via
command="rrsync" then that key may only be used to run rsync, you can't
also allow additional commands. From a CI/CD perspective it may be useful
to have the client side rsync some files, restart some services, and not
need to use separate keys for each.

Additionally, we'd like to be able to limit some of the feature flags (e.g.
allow/disallow links), or support multiple paths (/opt/pkgs/somedir/ and
/srv/someotherdir) without making separate ssh identities and
authorized_keys entries for each.





On Thu, Feb 18, 2021 at 9:22 AM Kevin Korb via rsync 
wrote:

> You should both look into rrsync.  It comes with rsync and is designed
> to do exactly this.  Unfortunately some Linux distros are maintained by
> insane people who install rrsync as if it was documentation (compressed
> and not executable) instead of a helper script which is what it is.
>
> On 2/18/21 10:28 AM, Karl O. Pinc via rsync wrote:
> > On Wed, 17 Feb 2021 21:52:06 -0800
> > Bri Hatch via rsync  wrote:
> >
> >> I recently added initial rsync support to authprogs.
> >
> >> I'd be very interested in feedback
> >
> > For some 15 years+ (?) I've had a /root/.ssh/authorized keys line
> > that starts with:
> >
> >
> "no-pty,no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,command="rsync
> --server --daemon ."
> >
> > Occasionally I frob the ssh restrictions as new ones are
> > introduced.
> >
> > The remote end uses rsync to backup (with --link-dest) the
> > entire file system.  The idea (iirc) was to restrict
> > the given key so that it would only run rsync.
> > And I think this also forces the local end to use
> > /etc/rsyncd.conf, where there's an additional layer
> > of security via a secrets file and read-only can
> > be set to provide some control.
> >
> > The remote end always runs rsync -- the direction of
> > transfer is static, per-host-pair, but can be either
> > in or out. (Push or pull backups.) The above authorized_keys
> > line does not enforce direction, which might be useful.
> >
> > I only rarely think about tweaking the authorized_keys line,
> > and the rsync options used haven't changed since I got them to work.
> > Without really thinking about it it seems that your
> > authprogs development might be useful.
> >
> > My purpose with this email is to let you do all the
> > thinking and tell me of all the wonderful utility
> > your authprogs work can provides, either now or
> > in the future.  ;-)  Or at least give you some
> > background in case you want to develop in a direction
> > that you think would helpful to me.  If something comes
> > of this I might even turn my brain on again and
> > modify my systems.  :)
> >
> > Regards,
> >
> > Karl 
> > Free Software:  "You don't pay back, you pay forward."
> >  -- Robert A. Heinlein
> >
>
> --
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
> Kevin Korb  Phone:(407) 252-6853
> Systems Administrator   Internet:
> FutureQuest, Inc.   ke...@futurequest.net  (work)
> Orlando, Floridak...@sanitarium.net (personal)
> Web page:   https://sanitarium.net/
> PGP public key available on web site.
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
>
> --
> Please use reply-all for most replies to avoid omitting the mailing list.
> To unsubscribe or change options:
> https://lists.samba.org/mailman/listinfo/rsync
> Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
>


-- 
Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

The sooner you fall behind, the more time you'll have to catch up.
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: rsync support in authprogs - feedback requested

2021-02-18 Thread Kevin Korb via rsync 
You should both look into rrsync.  It comes with rsync and is designed
to do exactly this.  Unfortunately some Linux distros are maintained by
insane people who install rrsync as if it was documentation (compressed
and not executable) instead of a helper script which is what it is.

On 2/18/21 10:28 AM, Karl O. Pinc via rsync wrote:
> On Wed, 17 Feb 2021 21:52:06 -0800
> Bri Hatch via rsync  wrote:
> 
>> I recently added initial rsync support to authprogs.
> 
>> I'd be very interested in feedback 
> 
> For some 15 years+ (?) I've had a /root/.ssh/authorized keys line
> that starts with:
> 
> "no-pty,no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,command="rsync
>  --server --daemon ."
> 
> Occasionally I frob the ssh restrictions as new ones are
> introduced.
> 
> The remote end uses rsync to backup (with --link-dest) the
> entire file system.  The idea (iirc) was to restrict
> the given key so that it would only run rsync.
> And I think this also forces the local end to use
> /etc/rsyncd.conf, where there's an additional layer
> of security via a secrets file and read-only can
> be set to provide some control.
> 
> The remote end always runs rsync -- the direction of 
> transfer is static, per-host-pair, but can be either
> in or out. (Push or pull backups.) The above authorized_keys 
> line does not enforce direction, which might be useful.
> 
> I only rarely think about tweaking the authorized_keys line, 
> and the rsync options used haven't changed since I got them to work.
> Without really thinking about it it seems that your
> authprogs development might be useful.  
> 
> My purpose with this email is to let you do all the 
> thinking and tell me of all the wonderful utility
> your authprogs work can provides, either now or
> in the future.  ;-)  Or at least give you some
> background in case you want to develop in a direction
> that you think would helpful to me.  If something comes
> of this I might even turn my brain on again and
> modify my systems.  :)
> 
> Regards,
> 
> Karl 
> Free Software:  "You don't pay back, you pay forward."
>  -- Robert A. Heinlein
> 

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
Kevin Korb  Phone:(407) 252-6853
Systems Administrator   Internet:
FutureQuest, Inc.   ke...@futurequest.net  (work)
Orlando, Floridak...@sanitarium.net (personal)
Web page:   https://sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: rsync support in authprogs - feedback requested

2021-02-18 Thread Karl O. Pinc via rsync 
On Wed, 17 Feb 2021 21:52:06 -0800
Bri Hatch via rsync  wrote:

> I recently added initial rsync support to authprogs.

> I'd be very interested in feedback 

For some 15 years+ (?) I've had a /root/.ssh/authorized keys line
that starts with:

"no-pty,no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding,command="rsync
 --server --daemon ."

Occasionally I frob the ssh restrictions as new ones are
introduced.

The remote end uses rsync to backup (with --link-dest) the
entire file system.  The idea (iirc) was to restrict
the given key so that it would only run rsync.
And I think this also forces the local end to use
/etc/rsyncd.conf, where there's an additional layer
of security via a secrets file and read-only can
be set to provide some control.

The remote end always runs rsync -- the direction of 
transfer is static, per-host-pair, but can be either
in or out. (Push or pull backups.) The above authorized_keys 
line does not enforce direction, which might be useful.

I only rarely think about tweaking the authorized_keys line, 
and the rsync options used haven't changed since I got them to work.
Without really thinking about it it seems that your
authprogs development might be useful.  

My purpose with this email is to let you do all the 
thinking and tell me of all the wonderful utility
your authprogs work can provides, either now or
in the future.  ;-)  Or at least give you some
background in case you want to develop in a direction
that you think would helpful to me.  If something comes
of this I might even turn my brain on again and
modify my systems.  :)

Regards,

Karl 
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

rsync support in authprogs - feedback requested

2021-02-17 Thread Bri Hatch via rsync 
Authprogs  is a general purpose SSH
command authenticator; it allows you to restrict what commands are allowed
for a given SSH key. It's installable via pip and is in recent Debian and
Ubuntu.

I recently added initial rsync support to authprogs. My goal is to make it
an improvement over  rrsync, providing more than just upload vs download
and directory support.


I'd be very interested in feedback from two communities:

* end users/admins who would be interested in the functionality, and
* developers to help sanity check the implementation

While authprogs has been around for many years, this is the first version
that supports rsync natively. Here's an example config:

from:
- 10.1.0.0/16
- 192.168.0.15
allow:
# Allow rsync to recursively sync /tmp/foo/ to the server
# including all the bits you get with '-a', but do not
# allow downloads
- rule_type: rsync
  allow_upload: true
  allow_recursion: true
  allow_archive: true
  paths:
- /tmp/foo

# Allow upload to some specific /srv/htdocs files and
# any files/directories under /data/lhc/
#
# Allow setting times, owner, and group, but no other options
- rule_type: rsync
  allow_upload: true
  allow_owner: true
  allow_group: true
  allow_times: true
  paths:
- /srv/htdocs/index.html
- /srv/htdocs/status.html
  path_startswith:
- /data/lhc/


I've just started scratching the surface of the server-side options of
rsync, but have implemented all the most common ones (-a, -logptrD, --del,
--delete-*, -, etc).

The rsync docs are at
https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules


Feedback heartily requested.


-- 
Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

The sooner you fall behind, the more time you'll have to catch up.
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html