Restricting a ssh key to only allow rsync/file transfer?

ssh security rsync ssh-keys
5,900

rrsync is designed to be used as a forced command for a particular key, so it should be exactly what you want.

A forced command is set up using the command option for a key in an authorized keys file and is then always run whenever this key is used for authentication, no matter what command the client requested. But it has access to the requested command so it can for example implement a validated, restricted version of it and that's what rrsync does.

You use it like this:

command="/path/to/rrsync -wo /allowed/directory/",restrict,from="a.b.c.d" ecdsa-sha2-nistp521 AAAAE...

Access for this key is limited to rsync to the /allowed/directory/ only. The -wo (write only) option means that rsync will be only allowed to send to the remote machine, -ro would only allow reading from the remote system, giving no option would allow transfer in both directions.

On the local side when you give arguments to rsync you must give the remote path relative to the allowed directory, so on A you would do eg. rsync -options /local/path root@B: and not rsync -options /local/path root@B:/allowed/directory/.

See also this answer to a different but related question.

Share:
5,900

Related videos on Youtube

Araejay
Author by

Araejay

Updated on September 18, 2022

Comments

  • Araejay
    Araejay almost 2 years

    I have 2 servers (A & B), and I need to rsync files from A to B as root. Allowing root ssh login is possible (PermitRootLogin without-password), but I'd like to lock it down as much as possible. I'm using ssh keys, and (on B) the root ssh key (in /root/.ssh/authorized_keys) is limited to A's IP address (from="x.x.x.x ...").

    But how can I lock (this ssh key) down more? Is it possible to restrict that ssh key to only allow rsync/file transfer (and preferably limited to a certain directory)?

    Researching this points me to ancient web pages that mention scponly shell, or rrsync script from rsync, or rssh from OpenSSH. But how can I set them up for just that key, without making my entire root account be rssh 😉?

    • Admin
      Admin about 5 years
      Here is an answer demonstrating how to use rrsync: serverfault.com/a/915842/117645 rrsync is designed to be used for a particular key, so exactly what you want.
    • Admin
      Admin about 5 years
      @MichałPolitowski that looks interesting. Would you like to add that as an answer?
    • Admin
      Admin about 5 years
      I usually do not send such reminders, but since you explicitly asked for the answer: was it useful?
  • Araejay
    Araejay about 5 years
    Thanks. I'm aware of adding passwords to SSH keys. In this case, a script needs to run every hour or so, and needs to be non-interactive, so I can't have it password protected.
  • aseques
    aseques over 4 years
    After reading about rrsync it seems that it doesn't disable ssh login, the restrictions only affect to rsync.
  • Michał Politowski
    Michał Politowski over 4 years
    @aseques Of course it does not, but it can be used to restrict a particular ssh key to only rsync, which this question is about.
  • Admin
    Admin almost 2 years
    @MichałPolitowski where has this been all my life! Amazing.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to fix warning about ECDSA host key
Do I need to have a passphrase for my SSH RSA key?
Forced to change expired password when using ssh key
How to perform a secure rsync between servers across an unsecured network
Why is SSH password authentication a security risk?
Only allow password authentication to SSH server from internal network
How to use rsync via ssh with rsa key passphrases?
GPG vs SSH keys
Is man-in-the-middle attack a security threat during SSH authentication using keys?
ssh -T [email protected] Permission denied (publickey)