07-29-2008, 04:31 PM
Kai Schaetzl

securing rsync over ssh

I want to secure some remote rsyncs over ssh by using the command= option
in .authorized_keys.
As I understand I can use only the full command there, as it is not a list
of "allowed commands" but the command that will be executed when logging
in with this key.
Now, I'm running several rsync commands on individual directories in the
root, not just one command. I do that to pull different exclude lists in.
I want to exclude nothing in some directories and a few different things
in other directories. rsyncing per /rooted directory seems to be the
cleanest and easiest way. All other combinations of complicated
exclude/include lists may have unexpected results.
I thought about putting the remote command in a shell script. However, I
think this won't work as each rsync on the remote side will be executed
with the first rsync command in the script on the local side.
Is there a solution (besides using several keys or so)?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-29-2008, 06:43 PM
Mike

On Tue, 29 Jul 2008, Kai Schaetzl wrote:

> I want to secure some remote rsyncs over ssh by using the command= option
> in .authorized_keys.
> As I understand I can use only the full command there, as it is not a list
> of "allowed commands" but the command that will be executed when logging
> in with this key.
> Now, I'm running several rsync commands on individual directories in the
> root, not just one command. I do that to pull different exclude lists in.
> I want to exclude nothing in some directories and a few different things
> in other directories. rsyncing per /rooted directory seems to be the
> cleanest and easiest way. All other combinations of complicated
> exclude/include lists may have unexpected results.
> I thought about putting the remote command in a shell script. However, I
> think this won't work as each rsync on the remote side will be executed
> with the first rsync command in the script on the local side.
> Is there a solution (besides using several keys or so)?
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com


By 'secure some remote rsyncs' do you mean only allow rsync but not
interactive login? If so perhaps this will meet your needs:
http://troy.jdmz.net/rsync/index.html


-- Mike
 
07-29-2008, 07:17 PM
Glenn

At 02:43 PM 7/29/2008, you wrote:

> On Tue, 29 Jul 2008, Kai Schaetzl wrote:
>
> > I want to secure some remote rsyncs over ssh by using the command= option
> > in .authorized_keys.
> > As I understand I can use only the full command there, as it is not a list
> > of "allowed commands" but the command that will be executed when logging
> > in with this key.
> > Now, I'm running several rsync commands on individual directories in the
> > root, not just one command. I do that to pull different exclude lists in.
> > I want to exclude nothing in some directories and a few different things
> > in other directories. rsyncing per /rooted directory seems to be the
> > cleanest and easiest way. All other combinations of complicated
> > exclude/include lists may have unexpected results.
> > I thought about putting the remote command in a shell script. However, I
> > think this won't work as each rsync on the remote side will be executed
> > with the first rsync command in the script on the local side.
> > Is there a solution (besides using several keys or so)?
> >
> > Kai
> >
> > --
> > Kai Schätzl, Berlin, Germany
> > Get your web at Conactive Internet Services: http://www.conactive.com
>
> By 'secure some remote rsyncs' do you mean only
> allow rsync but not interactive login? If so
> perhaps this will meet your needs: http://troy.jdmz.net/rsync/index.html


Hello Kai,

I wanted to reply with a solution, but I did not
quite understand the problem. It certainly
appears that you have the rsync and ssh skills/competency to do what you want.


Thanks,
Glenn Parsons


 
07-29-2008, 08:25 PM
Kai Schaetzl

Mike wrote on Tue, 29 Jul 2008 11:43:09 -0700 (MST):

> By 'secure some remote rsyncs' do you mean only allow rsync but not
> interactive login? If so perhaps this will meet your needs:
> http://troy.jdmz.net/rsync/index.html

This looks good. It uses a script on the remote side that checks the
beginning of the command and thus avoids the limitation with adding a
fixed rsync command in authorized_keys. Thanks!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
07-29-2008, 08:25 PM
Kai Schaetzl

Glenn wrote on Tue, 29 Jul 2008 15:17:08 -0400:

> I wanted to reply with a solution, but I did not
> quite understand the problem.

The problem is that if you use a "forced command" in authorized_keys that
is the only command that runs with this key. If you want to use a few
more, even if they only differ in parameters, like rsync commands with
different options, this won't work - so you're stuck with that one command
or need a different solution. However, it's the only solution that you
will find googling up and down the net.
That one at troy.jdmz.net is different and looks promising.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
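
The approach this thread settles on, a forced `command=` script that checks the beginning of the client's requested command instead of hard-coding one rsync invocation, sketched as an added example. It is not part of any post and is not the script from troy.jdmz.net; the install path, the key placeholder, the prefix and the character allowlist are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an rsync-only key.
# Hypothetical install path /usr/local/bin/rsync-only; authorized_keys entry
# on the remote account (key material is a placeholder):
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...placeholder backup-key
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below plain ASCII

# Every permitted command must start with this. Assumption: tightening it to
# 'rsync --server --sender ' makes the key read-only (the client can only pull).
ALLOWED_PREFIX='rsync --server '

# Return 0 if the client's requested command may run, 1 otherwise.
rsync_command_allowed() {
    case $1 in
        # Character allowlist: anything else (quotes, ;, |, &, $, backticks,
        # redirections, globs, newlines) is refused outright.
        *[!A-Za-z0-9\ ._/=,:@+-]*) return 1 ;;
        "$ALLOWED_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd stores what the client asked for in SSH_ORIGINAL_COMMAND and runs this
# script instead. With no requested command (interactive login) nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_command_allowed "$SSH_ORIGINAL_COMMAND"; then
        PATH=/usr/bin:/bin; export PATH
        set -f            # no filename globbing during word splitting
        IFS=' '
        # Unquoted on purpose: split into arguments, never re-parsed by a shell.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected by rsync-only wrapper" >&2
    exit 1
fi
```

Because the script only validates and then executes what the client sent, one key covers several rsync runs with different directories and options, which is the limitation of a fixed `command=` string raised above.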


