Bug#776691: duplicity no longer works with rssh-protected accounts
On Sat, 31 Jan 2015 18:06:30 +1300, Francois Marier writes: I backup my files using duplicity onto an ssh server. The user account I use on that server has a shell of /usr/bin/rssh. Unfortunately, 0.7 no longer works in that configuration: $ duplicity cleanup --ssh-options=-oIdentityFile=id_rsa --force scp://user@ho stname/backup BackendException: scp mkdir failed(1): This account is restricted by rssh. Allowed commands: scp sftp well, if duplicity needs to create a directory but isn't allowed to by the remote shell then that's hardly duplicity's fault. as the scp program doesn't offer making directories, duplicity will open an interactive channel to run mkdir, ditto for listing files with ls. (this is true for both ssh backends, paramiko and ssh+pexpect). the simplest solution is to ditch the legacy scp access and use sftp, ie. change your url to sftp://user@hostname/backup. this works fine with rssh (tested this here, and your rssh also indicates that it does allow sftp). the real advantage is that the sftp protocol provides all the needed commands by itself, ie. no separate channels for mkdir/ls/whatever required. Downgrading to 0.6.24-2 solves the problem. most likely because 0.6 doesn't attempt to create any directories on the fly, or doesn't catch the error. the commands that duplicity runs to create necessary dirs is test -d SOMEDIR || mkdir -p SOMEDIR, which clearly requires that there's a full shell there that understands test, || and mkdir -p. the only alternative would be to run ls as a remote command to determine the dir's existence, parse the output (brittle) then create another remote session to run mkdir. clearly that can't work with rssh ever either, because rssh doesn't let you run ls or mkdir. net result: there are fundamental limitations of the (misnamed) scp access mechanism, which preclude its use with a massively restrictive shell like rssh. use sftp, which works fine with rssh. regards az -- Alexander Zangerl + GPG Key 0xB963BD5F (or 0x42BD645D) + http://snafu.priv.at/ You possess a mind not merely twisted, but actually sprained. -- BSD fortune file signature.asc Description: Digital Signature
Bug#776691: duplicity no longer works with rssh-protected accounts
Package: duplicity Version: 0.7.01-1 Severity: normal I backup my files using duplicity onto an ssh server. The user account I use on that server has a shell of /usr/bin/rssh. Unfortunately, 0.7 no longer works in that configuration: $ duplicity cleanup --ssh-options=-oIdentityFile=id_rsa --force scp://user@hostname/backup BackendException: scp mkdir failed(1): This account is restricted by rssh. Allowed commands: scp sftp If you believe this is in error, please contact your system administrator. $ duplicity list-current-files --ssh-options=-oIdentityFile=id_rsa scp://user@hostname/backup BackendException: scp mkdir failed(1): This account is restricted by rssh. Allowed commands: scp sftp If you believe this is in error, please contact your system administrator. It looks like the problem is that the new version of duplicity tries to do an mkdir and that's not allowed by rssh. It would be good to restore the ability to use restricted shells because I don't want to use a full shell for my backup user accounts given that they use password-less ssh keys. Downgrading to 0.6.24-2 solves the problem. Francois -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages duplicity depends on: ii libc62.19-13 ii librsync10.9.7-10 ii python 2.7.8-2 ii python-lockfile 1:0.8-2 Versions of packages duplicity recommends: ii python-oauthlib 0.6.3-1 ii python-paramiko 1.15.1-1 ii python-urllib3 1.9.1-3 ii rsync3.1.1-2+b1 Versions of packages duplicity suggests: pn lftpnone ii ncftp 2:3.2.5-1.1 ii python-boto 2.34.0-2 pn python-cloudfiles none pn python-gdatanone pn python-swiftclient none pn tahoe-lafs none -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776691: duplicity no longer works with rssh-protected accounts
On 2015-01-31 at 15:49:48, Alexander Zangerl wrote: the simplest solution is to ditch the legacy scp access and use sftp, ie. change your url to sftp://user@hostname/backup. this works fine with rssh (tested this here, and your rssh also indicates that it does allow sftp). Indeed, I can confirm that switching to sftp solves my problem. Thanks! Downgrading to 0.6.24-2 solves the problem. most likely because 0.6 doesn't attempt to create any directories on the fly, or doesn't catch the error. I would humbly suggest adding a NEWS.Debian to warn about the upgrade from 0.6 to 0.7 and tell people to switch to sftp if they use rssh on the backend. Francois -- Francois Marier identi.ca/fmarier http://fmarier.org twitter.com/fmarier -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776691: duplicity no longer works with rssh-protected accounts
On Sat, 31 Jan 2015 19:58:46 +1300, Francois Marier writes: I would humbly suggest adding a NEWS.Debian to warn about the upgrade from 0.6 to 0.7 and tell people to switch to sftp if they use rssh on the backend. good idea, i'll do that for the next upload. regards az -- Alexander Zangerl + GPG Key 0xB963BD5F (or 0x42BD645D) + http://snafu.priv.at/ :q :q! :wq :w :w! :wq! :quit :quit! :help help helpquit quit quithelp :quitplease :quitnow :leave :shit ^X^C ^C ^D ^Z ^Q QUITDAMMIT ^]:wq signature.asc Description: Digital Signature