I need an automated program on machine "seq" to rsync to machine "four" as user "miseq".  To maintain security, I only want to allow this automated process to run rsync - nothing else.

Steps:

  1. On "seq", run

    ssh-keygen -t rsa

    Enter NO passphrase - just hit return both times.  Do NOT use "id_rsa" as the name of the private key file - name it something like "id_rsa.seq2four".  Note that this also creates the matching public key file (same name with a .pub suffix) - you will need the single line inside that file for the next step on "four".

  2. On "four", create or append to the file ~/.ssh/authorized_keys the single-line key that was in the .pub file generated on "seq" in step 1, or use "ssh-copy-id -i id_rsa.seq2four <user>@<four>".

  3. Create an executable shell script on "four" that contains this simple script - let's call it "~/bin/validate-rsync-ssh.sh":

    #!/bin/bash
    # Forced-command wrapper: sshd runs this instead of whatever the client asked for,
    # and the command the client actually requested arrives in $SSH_ORIGINAL_COMMAND.
    case "$SSH_ORIGINAL_COMMAND" in
        rsync\ --server*)
            # uncomment for debug
            # echo "$(date +%Y%m%d): $SSH_ORIGINAL_COMMAND" >> /var/log/ssh-cmd.log
            $SSH_ORIGINAL_COMMAND
            ;;
        # debug
        testconnect)
            echo "You successfully connected to $(hostname)"
            ;;
        *)
            # refuse anything else; the message goes to stderr so it is not fed to rsync
            echo "Sorry, command '$SSH_ORIGINAL_COMMAND' is not allowed" >&2
            exit 1
            ;;
    esac

    Don't forget to make this file executable (chmod +x ~/bin/validate-rsync-ssh.sh).

  4. Pre-pend the text command="~/bin/validate-rsync-ssh.sh" to your ssh-rsa key in the file ~/.ssh/authorized_keys, with a space between this and the text "ssh-rsa".

  5. Now test everything by running this command back on "seq":

    ssh -i ~/.ssh/id_rsa.seq2four miq@four testconnect

    This should give you the message from your "validate-rsync-ssh.sh" script, "You successfully connected to four".  Commands other than "testconnect" should give you the "Sorry, command... is not allowed" error message.

  6. Now try your rsync from "seq" to "four" - it should work smoothly:

    rsync -avP -e 'ssh -i /home/me/.ssh/id_rsa.seq2four' localfiles.txt miq@four:RemoteDir

    Note that the path to your "id_rsa.seq2four" must be absolute - the shell and rsync get confused about who is expanding what, and when, if you try using variables or "~".


Other notes:

ssh is VERY picky about the permissions of the .ssh directory on "four" - they MUST be:

    miseq@four:~/.ssh$ ls -la
    drwx------  2 miq group 4096 2013-07-25 10:36 .

IN ADDITION - the .ssh directory should be tight:

    chmod 700 ~/.ssh
    ls -ld .ssh
    drwx------ 2 miq group 4096 Nov 26 17:25 .ssh

AND your home dir must be at least 775:

    chmod 775 ~
    ls -ld ~
    drwxrwsr-x 22 miq group 4096 Nov 26 17:25 /home/miq
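As an added example that is not part of the original wiki page, the POSIX shell script below pulls the three things the steps above depend on into functions that can be checked offline: building the authorized_keys line for "four" (here also carrying the no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty options, which the page does not use but which close the other channels a forced-command key would otherwise still permit), the allow/deny decision of validate-rsync-ssh.sh, and a permission check on the .ssh directory and its authorized_keys file. The key text in SAMPLE_PUBKEY is a constructed placeholder, not a real key; the script path is the one used on this page.

```shell
#!/bin/sh
# Added example, not from the wiki page: helpers for an rsync-only SSH key.

# Constructed placeholder public key (not real key material).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYDATA= miseq@seq'

# Print the authorized_keys line: the forced command from the page plus the
# options that disable port/agent/X11 forwarding and pty allocation, so the
# key can be used for nothing but the command the wrapper permits.
build_authorized_keys_line() {
    pubkey="$1"
    script="$2"
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$script" "$pubkey"
}

# The allow/deny decision of validate-rsync-ssh.sh, factored into a function:
# returns 0 for a command the wrapper would run, 1 for one it would refuse.
classify_ssh_command() {
    case "$1" in
        rsync\ --server*) return 0 ;;   # rsync's server-side invocation
        testconnect)      return 0 ;;   # the debug probe from the page
        *)                return 1 ;;   # everything else is refused
    esac
}

# Check that a .ssh directory is mode 0700 and that authorized_keys inside it
# (if present) is writable by neither group nor others. Uses only POSIX find
# tests; -prune stops find from descending into the directory.
check_ssh_dir_perms() {
    dir="$1"
    [ -n "$(find "$dir" -prune -perm 0700 -print 2>/dev/null)" ] || return 1
    if [ -e "$dir/authorized_keys" ]; then
        writable=$(find "$dir/authorized_keys" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
        [ -z "$writable" ] || return 1
    fi
    return 0
}
```

On "four" you would generate the line once with `build_authorized_keys_line "$(cat id_rsa.seq2four.pub)" '~/bin/validate-rsync-ssh.sh' >> ~/.ssh/authorized_keys` and then run `check_ssh_dir_perms ~/.ssh` before the first test from "seq". The forced command only replaces whatever the client asked to run; without the extra options the same key could still open a forwarded port or request an interactive terminal, which is why a key meant to do rsync and nothing else should carry them.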