On Friday 08 February 2008 15:37, Douglas A. Tutty wrote:
>> I'd like to avoid root access as OpenBSD disables it by default for
>> a good reason. But so far it seems the most maintainable solution.
>
> You could, with some work, do it differently. On the source box, make
> a tarball of what you want on the destination box. This preserves
> the ownership of the files. Rsync this over as whatever user. Have
> a process on the target box, running as root, extract the tarball
> into place.
Another idea, which is just a slight variation on the rsync-over-ssh
idea, is to only allow a root login using a shared key that is coming
from a specific host and running a specific command:
In sshd_config set "PermitRootLogin forced-commands-only". When you set
up the shared key, on the destination prepend something like this to
the key:
from="source.example.com",command="/path/to/validate-rsync"
Make validate-rsync an executable script with contents similar to
that below. I use this procedure to rsync between machines where I
do not want root to be able to log in directly, and it works just fine.
This idea is explained in greater detail here:
http://troy.jdmz.net/rsync/index.html
or by Googling with terms such as "ssh" and "forced-commands-only".
My validate-rsync:
#!/bin/sh
# Forced command for the root key. sshd puts the command the client asked
# for into SSH_ORIGINAL_COMMAND; only an rsync server invocation is let
# through, anything else (or anything carrying shell metacharacters) is
# refused with a non-zero exit status so the client sees the failure.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        echo "Rejected"
        exit 1
        ;;
    *\(*)
        echo "Rejected"
        exit 1
        ;;
    *\{*)
        echo "Rejected"
        exit 1
        ;;
    *\;*)
        echo "Rejected"
        exit 1
        ;;
    *\<*)
        echo "Rejected"
        exit 1
        ;;
    *\`*)
        echo "Rejected"
        exit 1
        ;;
    rsync\ --server*)
        # Deliberately unquoted: the string must be word-split back into
        # rsync's separate arguments before it is executed.
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Rejected"
        exit 1
        ;;
esac
------------------------------------------------------------------------
Dan Ramaley Dial Center 118, Drake University
Network Programmer/Analyst 2407 Carpenter Ave
+1 515 271-4540 Des Moines IA 50311 USA
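A stricter variant of the forced-command script, added here as an example; it is not part of Dan's mail or of the troy.jdmz.net page. The script above lets through any line beginning "rsync --server", which includes "rsync --server --sender ...": a compromised source host could then use the root key to pull arbitrary files off the destination. The version below assumes (hypothetically) that the only permitted operation is pushing into /srv/backup/, so it insists on receive mode and on a destination path under that directory; the function name validate_rsync_cmd and the directory are this example's own choices.

```shell
#!/bin/sh
# Added example: a receive-only, directory-restricted validate-rsync.
# Assumption (hypothetical): the peer may only push into ALLOWED_DIR.
ALLOWED_DIR="/srv/backup/"

# validate_rsync_cmd CMD
# Returns 0 when CMD is an rsync server invocation we are willing to run as
# root, 1 otherwise. It only inspects the string, so it can be tested
# without an ssh session.
validate_rsync_cmd() {
    cmd=$1

    # Defence in depth: the command is never passed through eval, but keep
    # the accepted surface small by refusing shell metacharacters outright.
    case "$cmd" in
        *['&(){};<>|`$']*) return 1 ;;
    esac

    # Must be an rsync server invocation, nothing else.
    case "$cmd" in
        rsync\ --server*) ;;
        *) return 1 ;;
    esac

    # Receive-only: with --sender the peer could read any file as root.
    case "$cmd" in
        *--sender*) return 1 ;;
    esac

    # The last argument is the destination path. It must sit under
    # ALLOWED_DIR and must not climb out of it with a ".." component.
    dest=${cmd##* }
    case "$dest" in
        "$ALLOWED_DIR"*) ;;
        *) return 1 ;;
    esac
    case "/$dest/" in
        */../*) return 1 ;;
    esac

    return 0
}

# When run by sshd as a forced command, act on SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        # Deliberately unquoted so rsync gets its arguments word-split.
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "Rejected" >&2
        exit 1
    fi
fi
```

Install it the same way as the original (PermitRootLogin forced-commands-only plus a from="..." and command="..." restriction on the key). If the peer has to pull rather than push, invert the --sender test and the directory check applies to the source path instead.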