2014-08-21 8:47 GMT+02:00 Markus Rosjat <[email protected]>:
> Just a short heads up how I did it now and you guys might want to share your
> opinion on the security with this scenario.
>
> machine A (from where I want to pull files):
> - root can't log in over ssh
> - sync user can only connect with auth key and from host B
> - sync user is allowed to run rsync without pw (sudoers file)
The setup I use:
- a separate non-privileged user
- a forced command (via the ssh key without password) to a script that
checks the incoming command and then calls sudo rsync
So someone controlling machine B can _read_ everything, but write
nothing.
Best
Martin

#!/usr/bin/env bash
# $Id: rrsync.sh,v 1.3 2007/07/01 12:40:14 remote-backup Exp $
# Forced command for the sync user's authorized_keys entry: accept only the
# rsync server in sender (read-only) mode, log it, and run it under sudo.
case "$SSH_ORIGINAL_COMMAND" in
    # Anchored at the start: a pattern that may match anywhere in the line
    # (*"rsync --server --sender"*) would also accept a command whose first
    # word is something else, and that first word is what sudo would execute.
    "rsync --server --sender "*)
        logger -t rrsync "$SSH_ORIGINAL_COMMAND"
        # Word-split the original command into arguments; nothing is eval'd.
        # shellcheck disable=SC2086
        sudo -- $SSH_ORIGINAL_COMMAND
        ;;
    *)
        logger -t rrsync "rejected: $SSH_ORIGINAL_COMMAND"
        echo "Sorry, command rejected" >&2
        exit 1
        ;;
esac
# vim: syntax=sh
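The accept/reject decision the forced-command script makes can be exercised offline against constructed SSH_ORIGINAL_COMMAND strings. The block below is an added example, not Martin's script or anything from the thread: it compares a loose glob that may match anywhere in the command line with a stricter, argument-by-argument allowlist. Nothing in it calls rsync or sudo; the functions only return 0 (accept) or 1 (reject). The function names, the allowlist (short-flag bundles only, then `.` and an absolute path without `..` components) and the sample commands are assumptions; a real deployment may need to permit further options, which is the approach rsync's own support/rrsync script takes.

```shell
#!/usr/bin/env bash
# Added example: evaluate forced-command checks against constructed input.
# Nothing here runs rsync or sudo. Function names and the allowlist are assumptions.

# Loose check: the glob may match anywhere in the command line, so the
# first word (the one sudo would execute) is never inspected.
check_loose() {
    case "$1" in
        *"rsync --server --sender"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Strict check: parse word by word and allow only
#   rsync --server --sender <short-flag bundle>... . <absolute path>
# Other first words, long options, relative paths and '..' components are rejected.
check_strict() {
    local cmd=$1
    # Split exactly as an unquoted $SSH_ORIGINAL_COMMAND would be split,
    # with filename globbing off so a '*' in the input is not expanded.
    set -f
    set -- $cmd
    set +f
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    # Consume short-flag bundles such as -vlogDtpre.iLsfx; anything starting
    # with "--" or not starting with "-" ends up here and is refused.
    while [ "$#" -gt 2 ]; do
        case "$1" in
            -[A-Za-z.]*) shift ;;
            *) return 1 ;;
        esac
    done
    # The last two words must be "." and an absolute path with no ".." component.
    [ "$1" = . ] || return 1
    case "$2" in
        /*) ;;
        *) return 1 ;;
    esac
    case "/$2/" in
        *"/../"*) return 1 ;;
    esac
    return 0
}

# Constructed sample commands (assumed, not captured from a real session):
# the first is what an rsync pull from host B typically sends; the rest
# are shapes the forced command should refuse.
demo() {
    local cmd l s
    while IFS= read -r cmd; do
        if check_loose "$cmd"; then l=accept; else l=reject; fi
        if check_strict "$cmd"; then s=accept; else s=reject; fi
        printf 'loose=%-6s strict=%-6s  %s\n' "$l" "$s" "$cmd"
    done <<'EOF'
rsync --server --sender -vlogDtpre.iLsfx . /srv/backup/
sh -c id rsync --server --sender . /srv/backup/
rsync --server --sender --log-file=/tmp/x . /srv/backup/
rsync --server -vlogDtpre.iLsfx . /srv/backup/
rsync --server --sender -vlogDtpre.iLsfx . /srv/backup/../../etc/
EOF
}

demo
```

The second sample is the case that matters: the loose glob accepts it because the substring is present, while the strict parser rejects it because the first word is not rsync. The same strict function can replace the `case` in the forced-command script, with `sudo -- "$@"` run on the parsed words instead of the raw string.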