rsync between hosts using commands embedded into authorized_keys (ssh-keys)

I routinely used to transfer data between systems using rsync. Since I wanted the communication to be secure I used ssh-keys, I noticed that my trick for using a command in the key isn't terribly well documented, so here is how I do it...

Goal: Keep /opt/before on machine B in sync with /opt/after on machine A.

On machine A, create an ssh key for this


$ ssh-keygen -f id_rsync

Copy id_rsync.pub from machine A to machine B, create an rsync account for the transfer, place the key into the authorized_keys file on machine B. Add a command to the key so we can transfer the command sent from machine A. We'll be taking the captured command and replacing it in the key later. This way we don't have to work out the options that rsync wants at the receiving end.

~rsync/.ssh/authorized_keys on machine B


command="echo `date` $SSH_ORIGINAL_COMMAND >> ssh.log && exec $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAnotmyrealkeysadly thomas@machineA

Now on machine A


$ rsync -e 'ssh -i id_rsync' -avc /opt/before/ rsync@machineB:/opt/after
./
auth.conf
hiera.yaml -> /etc/hiera.yaml
puppet.conf
modules/

sent 5258 bytes received 61 bytes 3546.00 bytes/sec
total size is 5001 speedup is 0.94

Now on machine B we can look at the contents of the ssh.log file in ~rsync's home directory.

Tue Dec 3 01:34:41 EST 2013 rsync --server -vlogDtprce.iLsf . /opt/after

Cool, now we just have to take that rsync --server part and put that in our key.

~rsync/.ssh/authorized_keys on machine B


command="rsync --server -vlogDtprce.iLsf . /opt/after" ssh-rsa AAAAnotmyrealkeysadly thomas@machineA

Additionally we can add a from clause to make sure that only machineA can send to machineB using this key.

~rsync/.ssh/authorized_keys on machine B


command="rsync --server -vlogDtprce.iLsf . /opt/after",from="machineA" ssh-rsa AAAAnotmyrealkeysadly thomas@machineA

Incidently, if you use this syntax in the keys, you'll get this helpful message in /var/log/secure when you try from the wrong machine...

Dec 3 01:42:57 machineB sshd[22717]: Authentication tried for rsync with correct key but not from a permitted host (host=machineC, ip=192.168.100.1).

Wordpress category: 

Add new comment

Markdown

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Refresh Type the characters you see in this picture. Type the characters you see in the picture; if you can't read them, submit the form and a new image will be generated. Not case sensitive.  Switch to audio verification.