
Possible Duplicate:
simple rsync in crontab without password

I'm implementing remote backups using rsync. The backup server connects to the host containing the stuff to backup (serverX), using certificates. It works great.

But now I want to backup /etc/*, but it requires root permissions. So I changed ssh config to: PermitRootLogin forced-commands-only

And then on /root/.ssh/authorized_keys I have: from="XXX.XXX.XXX.XXX/24",command="/usr/bin/rsync*",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3 (.....)

Then, from the backup server I use this command: /usr/bin/rsync -avz -e ssh root@serverX:/etc localdir/etc

But it does not work because on serverX it replaces the whole command with "/usr/bin/rsync". So all the parameters are lost.

I tried using wildcards in the command clause in authorized_keys to: command="/usr/bin/rsync*" -- but it does not seem to work.

I do not want to specify the entire command in the command clause because I run rsync multiple times with different parameters. I tried putting all inside a bash script, but it got me even more confused, because it seems that it looks for the script in serverX, not in the backup server.

How can I use forced commands for root SSH logins and at the same time use different parameters for those forced commands?

Solution:

I implemented a solution based on the SSH_ORIGINAL_COMMAND environment variable: I created a script on serverX that, based on this variable, executes rsync to the backup server.

Now, instead of executing "rsync -avz -e ssh", I just run "ssh root@serverX commandX".

In ServerX I have authorized_keys like this: from="XXX.XXX.XXX.XXX/24",command="/root/bin/backup/myscript.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA (...)

And myscript.sh looks like this:

#!/bin/bash
# Forced command for the backup key: sshd runs this script instead of whatever
# the client asked for; the client's request is only visible in SSH_ORIGINAL_COMMAND.
# BACKUPSERVER_USER, BACKUPSERVER_SERVER and REMOTE_BACKUP_BASEDIR must be defined
# before this point (e.g. in a file sourced here or via environment="..." in authorized_keys).
if [ -z "$SSH_ORIGINAL_COMMAND" ]; then
    echo "No command supplied"
    exit 1
fi

echo "-> $SSH_ORIGINAL_COMMAND"

# Split the request into words without glob expansion; "--" stops a request that
# begins with "-" from being parsed as options to "set".
set -f
set -- $SSH_ORIGINAL_COMMAND
case "$1" in
    command1)
        rsync -avz -e ssh /etc "$BACKUPSERVER_USER@$BACKUPSERVER_SERVER:$REMOTE_BACKUP_BASEDIR"
        ;;
    *)
        echo "invalid command"
        exit 1
        ;;
esac
Alex
    You can use the SSH_ORIGINAL_COMMAND environment variable - take a look at this http://serverfault.com/questions/255084/simple-rsync-in-crontab-without-password/255132#255132 or http://serverfault.com/questions/397198/block-interactive-ssh-sessions-while-allowing-certain-commands/397211#397211 – user9517 Nov 16 '12 at 17:59
  • That worked perfectly! – Alex Nov 16 '12 at 19:01
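The dispatcher pattern from the solution above, generalised into a stand-alone forced-command script. This is an added example, not the original poster's script: the job names (etc, home), the BACKUP_DEST value and the return codes are assumptions. The point it adds is that the client's request is treated strictly as a job name that selects one of a few fixed rsync invocations, so a compromised backup server holding the key can trigger a backup but cannot choose paths, options or any other command, and every accepted or rejected request is logged.

```sh
#!/bin/sh
# Forced-command dispatcher for a root backup key (added example; job names,
# paths and BACKUP_DEST are assumptions, not the original poster's script).
#
# sshd runs this script for every login with the key, ignoring the command
# the client asked for; the request survives only in SSH_ORIGINAL_COMMAND.
# The request is treated as a job *name* that maps to a fixed rsync invocation,
# so the remote side can never supply paths or options itself.

set -f   # no glob expansion while word-splitting the untrusted request

# Where backups go (constructed value; set from the environment in production).
BACKUP_DEST="${BACKUP_DEST:-backup@backup.example.internal:/srv/backups/serverX}"

# stderr reaches the ssh client; replace with logger(1) to reach syslog as well.
log() { printf 'backup-dispatch: %s\n' "$*" >&2; }

# A job name is one word of [A-Za-z0-9_-]; anything else is rejected.
valid_job_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map a job name to its source directory; unknown names fail.
# The destination is derived from the job name, never from the request.
job_source() {
    case "$1" in
        etc)  echo /etc/ ;;
        home) echo /home/ ;;
        *)    return 1 ;;
    esac
}

# Validate the request and run (or, with DRY_RUN=1, print) the matching rsync.
# Return codes: 0 ok, 2 malformed request, 3 unknown job.
dispatch() {
    request="$1"
    set -- $request                     # word-split; only $1 is ever consulted
    if [ "$#" -ne 1 ]; then
        log "rejected request with $# words: '$request'"
        return 2
    fi
    valid_job_name "$1" || { log "rejected malformed job name: '$1'"; return 2; }
    src=$(job_source "$1") || { log "rejected unknown job: '$1'"; return 3; }
    log "running job $1"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "rsync -az --delete -- $src $BACKUP_DEST/$1/"
        return 0
    fi
    rsync -az --delete -- "$src" "$BACKUP_DEST/$1/"
}

# Only act when really invoked by sshd (which sets SSH_CONNECTION); this lets
# the file be sourced for testing without running anything.
if [ -n "${SSH_CONNECTION-}" ]; then
    dispatch "${SSH_ORIGINAL_COMMAND-}"
    exit $?
fi
```

Install it as the command= target in root's authorized_keys, keeping the from= and no-* restrictions from the question, and trigger a job from the backup server with "ssh root@serverX etc". Because the script, not the client, decides what rsync runs, the backup server needs only the ability to connect; adding a new backup means adding one case to job_source rather than widening what the key may execute.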

0 Answers