[nycbug-talk] rsync only for backups
George R.
george
Fri Nov 11 18:11:58 EST 2005
Okan Demirmen wrote:
> On Wed 2005.11.09 at 16:05 -0500, Okan Demirmen wrote:
>
>>On Wed 2005.11.09 at 15:52 -0500, George Rosamond wrote:
>>
>>>Have been using this for a few clients to do rsync with OpenSSH on
>>>Windows, so thought I'd spread the word.
>>>
>>>http://freebsdwiki.net/index.php/SSH:_Limiting_to_SCP_or_Rsync_only
>>>
>>>Basically, you compile an rsync/scp/sftp-only shell with the C code
>>>provided (which you can of course edit), and replace the remote user's
>>>shell who's backing up their stuff.
>>
>>i imagine you are using keys, so why not use what sshd(8) gives you?
>
>
> i should have been more clear...
Yes....you are now designated "Okan the Abstract".
Gee, Okan, the number in parens after sshd and systrace... is this
the number of times you can say it fast? ;-'
Seriously, Okan and I discussed offlist...
>
> snip of an example ~/.ssh/authorized_keys file:
>
> no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,
> command="/usr/local/bin/rsync /var/symon" ssh-dss ....
> symon_backup_only_key_for_fun_with_keys at example.com
>
> only allows this key to rsync the /var/symon tree. of course, a key for
> every command is silly, but the point is there.
>
>
>>that's just me - try to use what you can in base first.
>>
>>
>>>This is not a 100% secure solution as the user can rsync/scp/sftp to
>>>anywhere that they have rights to. . . but at least it's a start.
>>
>>or systrace(1) ...
>
>
> systrace(1) can be fun and a hair-pulling exercise at the same time ;)
>
This is a route I have to try out...
While keys with rsynconly as the shell are a good start, the sshd
enhancements Okan referred to are a good addition, including systrace.
As a packaged solution for server and clients, it's an ideal method for
those consulting or full-timers looking to bring *BSD boxes into their
operations, and it's remarkably low overhead on the Win32 boxes. I will
write it all up at some point, although it's really not even worth the
time it's so simple.
One point, however: make sure you use OpenSSH for Windows, as some
of the Windows executable ssh's are ssh1 only.
http://sshwindows.sourceforge.net/
g
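The forced-command idea in Okan's authorized_keys snippet, as an added example that is not from this thread: a small wrapper script (hypothetical name and path, /usr/local/bin/rsync-only) that sshd runs in place of whatever the client asked for, and that only execs rsync when the client's request, which sshd exports in SSH_ORIGINAL_COMMAND, is a server-mode rsync confined to the allowed tree. It goes a step beyond the snippet, which hard-codes one rsync invocation: this form lets the client's rsync negotiate its own --server arguments while still refusing any other command or any path outside the tree. The rsync path /usr/local/bin/rsync and the key options are taken from the thread; everything else is an assumption.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for an rsync-only SSH key.
# Hypothetical script (added example); the install path
# /usr/local/bin/rsync-only is assumed, not from the thread.
#
# authorized_keys line (the key options are those from the thread):
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,
#   command="/usr/local/bin/rsync-only /var/symon" ssh-dss AAAA... backup@example.com
#
# sshd ignores what the client asked to run and runs the forced command
# instead, exporting the client's request in SSH_ORIGINAL_COMMAND.  We exec
# rsync only if that request is a server-side rsync inside the allowed tree.

RSYNC=/usr/local/bin/rsync

# check_rsync_cmd ROOT CMD: succeed (0) only if CMD is "rsync --server ..."
# whose target path lies inside ROOT; fail (1) for anything else.
check_rsync_cmd() {
    root=$1
    cmd=$2
    [ -n "$root" ] || return 1
    # must be rsync in server mode, nothing else
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # no shell metacharacters, and no remote-shell or daemon options smuggled in
    case "$cmd" in
        *\;*|*\&*|*\|*|*\`*|*\$*|*\(*|*\)*|*\<*|*\>*) return 1 ;;
        *--rsh*|*--daemon*|*" -e "*) return 1 ;;
    esac
    # the last word is the path the client wants to read or write
    path=${cmd##* }
    case "$path" in
        *..*) return 1 ;;
        "$root"|"$root"/*) return 0 ;;
    esac
    return 1
}

# Entry point when invoked by sshd: $1 is the allowed root from authorized_keys.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$1" "$SSH_ORIGINAL_COMMAND"; then
        set -f                          # no globbing while splitting into words
        set -- $SSH_ORIGINAL_COMMAND
        shift                           # drop the leading "rsync"
        exec "$RSYNC" "$@"
    fi
    echo "rsync-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Because the wrapper execs rsync directly rather than through a shell, the metacharacter check is defence in depth; the checks that actually confine the key are the "rsync --server" prefix, the rejection of --rsh/--daemon, and the path test against the allowed root. With no-pty and the forwarding options from the snippet also set, the key can do nothing on the host but move files under that tree.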