
I'm trying to set up rsync to copy the data from a server every day. In order to make the system as restricted as possible, I'm trying to use the mode described in the man page as: "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION"

So I've put a file called rsyncd.conf in root's home folder:

[root]
path = /
read only = true

and tried to copy /etc/passwd over as a test:

rsync -vv -e ssh myserver::root/etc/passwd .

But I get the following:

opening connection using: ssh myserver rsync --server --daemon . 
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(635) [receiver=3.0.3]

The reason I am doing all this is that once I get it working, I plan to restrict access by specifying the command

rsync --server --daemon .

in ~/.ssh/authorized_keys

rjmunro
  • What is logged in /var/log/secure or /var/log/messages on the receiving server? – Dave Cheney May 09 '09 at 14:39
  • It was: rsync: unable to open configuration file "/etc/rsyncd.conf": No such file or directory (2) Thanks, that led to a solution, which I will post as an answer. – rjmunro May 12 '09 at 18:04

2 Answers


There seems to be a bug in the documentation or the implementation of rsync. man rsync says:

Rsync supports connecting to a host using a remote shell and then spawning a single-use “daemon” server that expects to read its config file in the home dir of the remote user.

but when connecting to root, according to /var/log/messages, it was looking in /etc/rsyncd.conf for the config file (the standard location for an rsyncd.conf file when not used over SSH).

I had to force the ssh server to use the right config file by adding

command="rsync --config=/root/rsyncd.conf --server --daemon ."

to /root/.ssh/authorized_keys.

The reason I didn't just put the config in the default location is that I didn't want someone to accidentally start a normal rsync daemon - I only want a daemon to have this much access when it has got the correct ssh key.

rjmunro

rsync in daemon mode isn't what I would suggest if you want to lock it down as tight as possible. You want to restrict the command that an SSH key is allowed to run and invoke the copy command using that key.

To find out what command to restrict the key to, run the appropriate rsync command line with a slight modification in the ssh command:

rsync -avz -e 'ssh -v' stuff somewhere:/place

You will see a line in the debug output such as:

debug1: Sending command: rsync --server -vlogDtprze.iLs . /place

That exact command is what you want to restrict the key to be able to run in .ssh/authorized_keys:

command="rsync --server -vlogDtprze.iLs . /place" ssh-dss AAAASSHKEY=
MikeyB
  • I want to be able to do different read only backups of parts of the system - e.g. backup e-mail & SQL databases every day, but other things once a week. I would need a specific command and a specific key for each possible backup, and I wouldn't be able to do extra ad-hoc backups with the same infrastructure. – rjmunro May 12 '09 at 18:15
  • Fair enough - I take "In order to make the system as restricted as possible" quite literally :) – MikeyB May 12 '09 at 18:25
  • You can put multiple commands in a script and pass the script the parameters as first line input. – alecco Dec 05 '13 at 13:46
  • Is there a way to generate the command serial without having to go through the debug info? '-vlogDtprze.iLs' – qodeninja Jun 15 '15 at 19:14