Trying to setup chroot'd rsync The Next CEO of Stack Overflowsimple rsync in crontab without...
How to Reset Passwords on Multiple Websites Easily?
Any way to transfer all permissions from one role to another?
What does "Its cash flow is deeply negative" mean?
Return the Closest Prime Number
Grabbing quick drinks
Why did we only see the N-1 starfighters in one film?
Opposite of a diet
Can the Reverse Gravity spell affect the Meteor Swarm spell?
How do I get the green key off the shelf in the Dobby level of Lego Harry Potter 2?
How to start emacs in "nothing" mode (`fundamental-mode`)
How should I support this large drywall patch?
MAZDA 3 2006 (UK) - poor acceleration then takes off at 3250 revs
How long to clear the 'suck zone' of a turbofan after start is initiated?
How do spells that require an ability check vs. the caster's spell save DC work?
Was a professor correct to chastise me for writing "Prof. X" rather than "Professor X"?
What can we do to stop prior company from asking us questions?
Are there languages with no euphemisms?
Does the Brexit deal have to be agreed by both Houses?
Why does GHC infer a monomorphic type here, even with MonomorphismRestriction disabled?
Why do remote companies require working in the US?
Does it take more energy to get to Venus or to Mars?
Fastest way to shutdown Ubuntu Mate 18.10
Apart from "berlinern", do any other German dialects have a corresponding verb?
Where to find order of arguments for default functions
Trying to setup chroot'd rsync
The Next CEO of Stack Overflowsimple rsync in crontab without passwordReplace scp with sftpHow to setup a public rsync and sftp serverprocess user differently using ssh keyHow to perform a secure rsync between servers across an unsecured networkscponly worked but didn't chroot the home folder, the user can still browse the entire serverIs it possible to use rsync over sftp (without an ssh shell)?SSH - cannot start sftp-server when trying to force internal sftpChroot / sFtp / Ftps ProblemsSFTP fatal bad ownership or modes for chroot directory ubuntu 12.04adding ChrootDirectory to sshd_config to jail a user prevents the user to loginHow to setup a public rsync and sftp serverSFTP Chroot Ubuntu 10.10SSH - ChrootDirectory not working
I'm trying to set up a backup server.
I want to chroot each user (client) to its home directory, and only allow it to use sftp and rsync.
I quickly discovered that I was not the only one trying to do something like this, and I found this guide and followed it. So now I've got chroot'd users with sftp only.
Then I found out that rsync needs ssh to spawn itself on the other machine, and that sftp is not enough. Giving each user an ssh login is something that I wanted to avoid in the first place.
Can anyone think of some possible solutions?
Thank you,
Mark
ssh backup rsync sftp chroot
add a comment |
I'm trying to set up a backup server.
I want to chroot each user (client) to its home directory, and only allow it to use sftp and rsync.
I quickly discovered that I was not the only one trying to do something like this, and I found this guide and followed it. So now I've got chroot'd users with sftp only.
Then I found out that rsync needs ssh to spawn itself on the other machine, and that sftp is not enough. Giving each user an ssh login is something that I wanted to avoid in the first place.
Can anyone think of some possible solutions?
Thank you,
Mark
ssh backup rsync sftp chroot
Have a look at this answer I wrote some time go serverfault.com/questions/255084/…
– Iain
Jul 6 '11 at 17:54
add a comment |
I'm trying to set up a backup server.
I want to chroot each user (client) to its home directory, and only allow it to use sftp and rsync.
I quickly discovered that I was not the only one trying to do something like this, and I found this guide and followed it. So now I've got chroot'd users with sftp only.
Then I found out that rsync needs ssh to spawn itself on the other machine, and that sftp is not enough. Giving each user an ssh login is something that I wanted to avoid in the first place.
Can anyone think of some possible solutions?
Thank you,
Mark
ssh backup rsync sftp chroot
I'm trying to set up a backup server.
I want to chroot each user (client) to its home directory, and only allow it to use sftp and rsync.
I quickly discovered that I was not the only one trying to do something like this, and I found this guide and followed it. So now I've got chroot'd users with sftp only.
Then I found out that rsync needs ssh to spawn itself on the other machine, and that sftp is not enough. Giving each user an ssh login is something that I wanted to avoid in the first place.
Can anyone think of some possible solutions?
Thank you,
Mark
ssh backup rsync sftp chroot
ssh backup rsync sftp chroot
asked Jul 6 '11 at 16:37
Mark R.Mark R.
51113
51113
Have a look at this answer I wrote some time go serverfault.com/questions/255084/…
– Iain
Jul 6 '11 at 17:54
add a comment |
Have a look at this answer I wrote some time go serverfault.com/questions/255084/…
– Iain
Jul 6 '11 at 17:54
Have a look at this answer I wrote some time go serverfault.com/questions/255084/…
– Iain
Jul 6 '11 at 17:54
Have a look at this answer I wrote some time go serverfault.com/questions/255084/…
– Iain
Jul 6 '11 at 17:54
add a comment |
5 Answers
5
active
oldest
votes
An sftp solution would also require an ssh login for everyone, so you haven't really lost anything here. Granting ssh access does not necessarily imply full shell access, for example, this shows how to use the ssh authorized_keys file to allow backup via rsync while limiting available commands to just the rsync receiver.
In fact, if you opt for key based authentication, rather than password authentication (which you should), you could then run everything under one user account instead of requiring multiple accounts. You would use keys to identify remote users, and direct the rsync receiver at a particular directory.
Something like this, in your authorized_keys file:
command="/usr/bin/rsync --server -a . /tmp/user1" ssh-rsa ... user1
command="/usr/bin/rsync --server -a . /tmp/user2" ssh-rsa ... user2
Someone using the user1 private key will backup into /tmp/user1, and someone using the user2 private key will backup into /tmp/user2. And so forth...
Link is gone 404.
– luckydonald
54 mins ago
I've updated the link.
– larsks
10 mins ago
add a comment |
Execute usual rsync from client to remote server, but add additional verbose switch: SSH -v, then grep for Sending command.
You will see exact command client is sending to remote server:
rsync -avz -e'ssh -v -i /ssh-keys/clientprivate.key' --bwlimit=8000 --delete root@server:/path/ /backup/myserver/ 2>&1 | grep "Sending command"
In my case, it was
rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /path
Add this as command="..." to remote server /home/USER/.ssh/authorized_keys file as @larsks mentioned.
Add aditional security settings, if necessary:
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
All together:
command="rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /backup/path",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
(Taken from very good tutorial http://en.positon.org/post/Rsync-command-restriction-over-SSH)
Good 1st answer.
– slm
Jan 1 '13 at 17:29
add a comment |
You are going to need to provide some form of shell access to be able to use rsync unless you are connecting directly to the rsync server - default port is 873 (TCP).
From the rysnc man page:
There are two different ways for rsync to contact a remote system:
using a remote-shell program as the
transport (such as ssh or rsh) or
contacting an rsync daemon directly
via TCP. The remote-shell transport
is used whenever the source or
destination path contains a single
colon (:) separator after a host
specification. Contacting an rsync
daemon directly happens when the
source or destination path contains a
double colon (::) separator after a
host specification, OR when an
rsync:// URL is specified (see also
the lqUSING RSYNC-DAEMON FEATURES VIA
A REMOTE-SHELL CONNECTIONrq section
for an exception to this latter rule).
To provide limited shell access, consider the following guide. (Note: the original link is dead) Summary:
This setup combines the best features
from rsync, SSH, and chroot. Rsync
provides the flexibility and
efficiency in files transfer, SSH
protects the data being transferred,
and chroot protects data on the server
from unauthorized access. The dummysh
limits the access to rsync only.
While rsync server implements chroot,
it lacks the SSH protection that is
often required. Besides, opening an
additional rsync server port presents
a security risk and sometimes is not
possible either technically or
politically. Sftp and scp lack the
flexibility and efficiency provided by
rsync, especially when a directory
tree is involved, such as a Web site.
Or take a look at using rssh (there is a guide to setting up rssh here):
rssh is a restricted shell for use
with OpenSSH, allowing only scp and/or
sftp. It now also includes support for
rdist, rsync, and cvs. For example, if
you have a server which you only want
to allow users to copy files off of
via scp, without providing shell
access, you can use rssh to do that.
1
Current news is that rssh is not being maintained and has some odd security hole. Check back the current state before investing in it.
– chutz
May 19 '12 at 16:40
1
You can use the perl scriptrrsyncinstead of rssh, included in the official rsync package. See derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot
– unhammer
Jan 17 '13 at 11:21
add a comment |
you can write a shell that wraps rsync.
look at the general idea here: https://sixohthree.com/1458/locking-down-rsync-using-ssh
in your wrapping shell you can do what you want and maybe chroot the user.
In my case I needed to switch on virtual account using the same *nix user. I manage to do so using this kind of shell plus many lines in the authorized_keys file. I have not chrooted the user but I've added a user folder level in the rsync server command.
look at process user differently using ssh key
add a comment |
SFTP with Rsync capabilities, without a shell
You can use LFTP+SFTP in a chroot environment and achieve the same results as using rsync, without providing the user a shell or doing any heavy customizations in ssh with wrappers.
This is more secure and can be substantially faster.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f287578%2ftrying-to-setup-chrootd-rsync%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
An sftp solution would also require an ssh login for everyone, so you haven't really lost anything here. Granting ssh access does not necessarily imply full shell access, for example, this shows how to use the ssh authorized_keys file to allow backup via rsync while limiting available commands to just the rsync receiver.
In fact, if you opt for key based authentication, rather than password authentication (which you should), you could then run everything under one user account instead of requiring multiple accounts. You would use keys to identify remote users, and direct the rsync receiver at a particular directory.
Something like this, in your authorized_keys file:
command="/usr/bin/rsync --server -a . /tmp/user1" ssh-rsa ... user1
command="/usr/bin/rsync --server -a . /tmp/user2" ssh-rsa ... user2
Someone using the user1 private key will backup into /tmp/user1, and someone using the user2 private key will backup into /tmp/user2. And so forth...
Link is gone 404.
– luckydonald
54 mins ago
I've updated the link.
– larsks
10 mins ago
add a comment |
An sftp solution would also require an ssh login for everyone, so you haven't really lost anything here. Granting ssh access does not necessarily imply full shell access, for example, this shows how to use the ssh authorized_keys file to allow backup via rsync while limiting available commands to just the rsync receiver.
In fact, if you opt for key based authentication, rather than password authentication (which you should), you could then run everything under one user account instead of requiring multiple accounts. You would use keys to identify remote users, and direct the rsync receiver at a particular directory.
Something like this, in your authorized_keys file:
command="/usr/bin/rsync --server -a . /tmp/user1" ssh-rsa ... user1
command="/usr/bin/rsync --server -a . /tmp/user2" ssh-rsa ... user2
Someone using the user1 private key will backup into /tmp/user1, and someone using the user2 private key will backup into /tmp/user2. And so forth...
Link is gone 404.
– luckydonald
54 mins ago
I've updated the link.
– larsks
10 mins ago
add a comment |
An sftp solution would also require an ssh login for everyone, so you haven't really lost anything here. Granting ssh access does not necessarily imply full shell access, for example, this shows how to use the ssh authorized_keys file to allow backup via rsync while limiting available commands to just the rsync receiver.
In fact, if you opt for key based authentication, rather than password authentication (which you should), you could then run everything under one user account instead of requiring multiple accounts. You would use keys to identify remote users, and direct the rsync receiver at a particular directory.
Something like this, in your authorized_keys file:
command="/usr/bin/rsync --server -a . /tmp/user1" ssh-rsa ... user1
command="/usr/bin/rsync --server -a . /tmp/user2" ssh-rsa ... user2
Someone using the user1 private key will backup into /tmp/user1, and someone using the user2 private key will backup into /tmp/user2. And so forth...
An sftp solution would also require an ssh login for everyone, so you haven't really lost anything here. Granting ssh access does not necessarily imply full shell access, for example, this shows how to use the ssh authorized_keys file to allow backup via rsync while limiting available commands to just the rsync receiver.
In fact, if you opt for key based authentication, rather than password authentication (which you should), you could then run everything under one user account instead of requiring multiple accounts. You would use keys to identify remote users, and direct the rsync receiver at a particular directory.
Something like this, in your authorized_keys file:
command="/usr/bin/rsync --server -a . /tmp/user1" ssh-rsa ... user1
command="/usr/bin/rsync --server -a . /tmp/user2" ssh-rsa ... user2
Someone using the user1 private key will backup into /tmp/user1, and someone using the user2 private key will backup into /tmp/user2. And so forth...
edited 10 mins ago
answered Jul 6 '11 at 17:47
larskslarsks
34.9k592143
34.9k592143
Link is gone 404.
– luckydonald
54 mins ago
I've updated the link.
– larsks
10 mins ago
add a comment |
Link is gone 404.
– luckydonald
54 mins ago
I've updated the link.
– larsks
10 mins ago
Link is gone 404.
– luckydonald
54 mins ago
Link is gone 404.
– luckydonald
54 mins ago
I've updated the link.
– larsks
10 mins ago
I've updated the link.
– larsks
10 mins ago
add a comment |
Execute usual rsync from client to remote server, but add additional verbose switch: SSH -v, then grep for Sending command.
You will see exact command client is sending to remote server:
rsync -avz -e'ssh -v -i /ssh-keys/clientprivate.key' --bwlimit=8000 --delete root@server:/path/ /backup/myserver/ 2>&1 | grep "Sending command"
In my case, it was
rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /path
Add this as command="..." to remote server /home/USER/.ssh/authorized_keys file as @larsks mentioned.
Add aditional security settings, if necessary:
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
All together:
command="rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /backup/path",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
(Taken from very good tutorial http://en.positon.org/post/Rsync-command-restriction-over-SSH)
Good 1st answer.
– slm
Jan 1 '13 at 17:29
add a comment |
Execute usual rsync from client to remote server, but add additional verbose switch: SSH -v, then grep for Sending command.
You will see exact command client is sending to remote server:
rsync -avz -e'ssh -v -i /ssh-keys/clientprivate.key' --bwlimit=8000 --delete root@server:/path/ /backup/myserver/ 2>&1 | grep "Sending command"
In my case, it was
rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /path
Add this as command="..." to remote server /home/USER/.ssh/authorized_keys file as @larsks mentioned.
Add aditional security settings, if necessary:
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
All together:
command="rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /backup/path",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
(Taken from very good tutorial http://en.positon.org/post/Rsync-command-restriction-over-SSH)
Good 1st answer.
– slm
Jan 1 '13 at 17:29
add a comment |
Execute usual rsync from client to remote server, but add additional verbose switch: SSH -v, then grep for Sending command.
You will see exact command client is sending to remote server:
rsync -avz -e'ssh -v -i /ssh-keys/clientprivate.key' --bwlimit=8000 --delete root@server:/path/ /backup/myserver/ 2>&1 | grep "Sending command"
In my case, it was
rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /path
Add this as command="..." to remote server /home/USER/.ssh/authorized_keys file as @larsks mentioned.
Add aditional security settings, if necessary:
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
All together:
command="rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /backup/path",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
(Taken from very good tutorial http://en.positon.org/post/Rsync-command-restriction-over-SSH)
Execute usual rsync from client to remote server, but add additional verbose switch: SSH -v, then grep for Sending command.
You will see exact command client is sending to remote server:
rsync -avz -e'ssh -v -i /ssh-keys/clientprivate.key' --bwlimit=8000 --delete root@server:/path/ /backup/myserver/ 2>&1 | grep "Sending command"
In my case, it was
rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /path
Add this as command="..." to remote server /home/USER/.ssh/authorized_keys file as @larsks mentioned.
Add aditional security settings, if necessary:
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
All together:
command="rsync --server -vvlogDtprze.iLsf --bwlimit=8000 --delete . /backup/path",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2..CPhIJ+LVULWz arnis@server
(Taken from very good tutorial http://en.positon.org/post/Rsync-command-restriction-over-SSH)
edited Jan 22 '15 at 16:58
answered Jan 1 '13 at 17:02
Arnis JuragaArnis Juraga
16115
16115
Good 1st answer.
– slm
Jan 1 '13 at 17:29
add a comment |
Good 1st answer.
– slm
Jan 1 '13 at 17:29
Good 1st answer.
– slm
Jan 1 '13 at 17:29
Good 1st answer.
– slm
Jan 1 '13 at 17:29
add a comment |
You are going to need to provide some form of shell access to be able to use rsync unless you are connecting directly to the rsync server - default port is 873 (TCP).
From the rysnc man page:
There are two different ways for rsync to contact a remote system:
using a remote-shell program as the
transport (such as ssh or rsh) or
contacting an rsync daemon directly
via TCP. The remote-shell transport
is used whenever the source or
destination path contains a single
colon (:) separator after a host
specification. Contacting an rsync
daemon directly happens when the
source or destination path contains a
double colon (::) separator after a
host specification, OR when an
rsync:// URL is specified (see also
the lqUSING RSYNC-DAEMON FEATURES VIA
A REMOTE-SHELL CONNECTIONrq section
for an exception to this latter rule).
To provide limited shell access, consider the following guide. (Note: the original link is dead) Summary:
This setup combines the best features
from rsync, SSH, and chroot. Rsync
provides the flexibility and
efficiency in files transfer, SSH
protects the data being transferred,
and chroot protects data on the server
from unauthorized access. The dummysh
limits the access to rsync only.
While rsync server implements chroot,
it lacks the SSH protection that is
often required. Besides, opening an
additional rsync server port presents
a security risk and sometimes is not
possible either technically or
politically. Sftp and scp lack the
flexibility and efficiency provided by
rsync, especially when a directory
tree is involved, such as a Web site.
Or take a look at using rssh (there is a guide to setting up rssh here):
rssh is a restricted shell for use
with OpenSSH, allowing only scp and/or
sftp. It now also includes support for
rdist, rsync, and cvs. For example, if
you have a server which you only want
to allow users to copy files off of
via scp, without providing shell
access, you can use rssh to do that.
1
Current news is that rssh is not being maintained and has some odd security hole. Check back the current state before investing in it.
– chutz
May 19 '12 at 16:40
1
You can use the perl scriptrrsyncinstead of rssh, included in the official rsync package. See derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot
– unhammer
Jan 17 '13 at 11:21
add a comment |
You are going to need to provide some form of shell access to be able to use rsync unless you are connecting directly to the rsync server - default port is 873 (TCP).
From the rysnc man page:
There are two different ways for rsync to contact a remote system:
using a remote-shell program as the
transport (such as ssh or rsh) or
contacting an rsync daemon directly
via TCP. The remote-shell transport
is used whenever the source or
destination path contains a single
colon (:) separator after a host
specification. Contacting an rsync
daemon directly happens when the
source or destination path contains a
double colon (::) separator after a
host specification, OR when an
rsync:// URL is specified (see also
the lqUSING RSYNC-DAEMON FEATURES VIA
A REMOTE-SHELL CONNECTIONrq section
for an exception to this latter rule).
To provide limited shell access, consider the following guide. (Note: the original link is dead) Summary:
This setup combines the best features
from rsync, SSH, and chroot. Rsync
provides the flexibility and
efficiency in files transfer, SSH
protects the data being transferred,
and chroot protects data on the server
from unauthorized access. The dummysh
limits the access to rsync only.
While rsync server implements chroot,
it lacks the SSH protection that is
often required. Besides, opening an
additional rsync server port presents
a security risk and sometimes is not
possible either technically or
politically. Sftp and scp lack the
flexibility and efficiency provided by
rsync, especially when a directory
tree is involved, such as a Web site.
Or take a look at using rssh (there is a guide to setting up rssh here):
rssh is a restricted shell for use
with OpenSSH, allowing only scp and/or
sftp. It now also includes support for
rdist, rsync, and cvs. For example, if
you have a server which you only want
to allow users to copy files off of
via scp, without providing shell
access, you can use rssh to do that.
1
Current news is that rssh is not being maintained and has some odd security hole. Check back the current state before investing in it.
– chutz
May 19 '12 at 16:40
1
You can use the perl scriptrrsyncinstead of rssh, included in the official rsync package. See derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot
– unhammer
Jan 17 '13 at 11:21
add a comment |
You are going to need to provide some form of shell access to be able to use rsync unless you are connecting directly to the rsync server - default port is 873 (TCP).
From the rysnc man page:
There are two different ways for rsync to contact a remote system:
using a remote-shell program as the
transport (such as ssh or rsh) or
contacting an rsync daemon directly
via TCP. The remote-shell transport
is used whenever the source or
destination path contains a single
colon (:) separator after a host
specification. Contacting an rsync
daemon directly happens when the
source or destination path contains a
double colon (::) separator after a
host specification, OR when an
rsync:// URL is specified (see also
the lqUSING RSYNC-DAEMON FEATURES VIA
A REMOTE-SHELL CONNECTIONrq section
for an exception to this latter rule).
To provide limited shell access, consider the following guide. (Note: the original link is dead) Summary:
This setup combines the best features
from rsync, SSH, and chroot. Rsync
provides the flexibility and
efficiency in files transfer, SSH
protects the data being transferred,
and chroot protects data on the server
from unauthorized access. The dummysh
limits the access to rsync only.
While rsync server implements chroot,
it lacks the SSH protection that is
often required. Besides, opening an
additional rsync server port presents
a security risk and sometimes is not
possible either technically or
politically. Sftp and scp lack the
flexibility and efficiency provided by
rsync, especially when a directory
tree is involved, such as a Web site.
Or take a look at using rssh (there is a guide to setting up rssh here):
rssh is a restricted shell for use
with OpenSSH, allowing only scp and/or
sftp. It now also includes support for
rdist, rsync, and cvs. For example, if
you have a server which you only want
to allow users to copy files off of
via scp, without providing shell
access, you can use rssh to do that.
You are going to need to provide some form of shell access to be able to use rsync unless you are connecting directly to the rsync server - default port is 873 (TCP).
From the rysnc man page:
There are two different ways for rsync to contact a remote system:
using a remote-shell program as the
transport (such as ssh or rsh) or
contacting an rsync daemon directly
via TCP. The remote-shell transport
is used whenever the source or
destination path contains a single
colon (:) separator after a host
specification. Contacting an rsync
daemon directly happens when the
source or destination path contains a
double colon (::) separator after a
host specification, OR when an
rsync:// URL is specified (see also
the lqUSING RSYNC-DAEMON FEATURES VIA
A REMOTE-SHELL CONNECTIONrq section
for an exception to this latter rule).
To provide limited shell access, consider the following guide. (Note: the original link is dead) Summary:
This setup combines the best features
from rsync, SSH, and chroot. Rsync
provides the flexibility and
efficiency in files transfer, SSH
protects the data being transferred,
and chroot protects data on the server
from unauthorized access. The dummysh
limits the access to rsync only.
While rsync server implements chroot,
it lacks the SSH protection that is
often required. Besides, opening an
additional rsync server port presents
a security risk and sometimes is not
possible either technically or
politically. Sftp and scp lack the
flexibility and efficiency provided by
rsync, especially when a directory
tree is involved, such as a Web site.
Or take a look at using rssh (there is a guide to setting up rssh here):
rssh is a restricted shell for use
with OpenSSH, allowing only scp and/or
sftp. It now also includes support for
rdist, rsync, and cvs. For example, if
you have a server which you only want
to allow users to copy files off of
via scp, without providing shell
access, you can use rssh to do that.
edited Jun 9 '17 at 20:01
Mark
13015
13015
answered Jul 6 '11 at 17:48
runlevelsixrunlevelsix
2,2511719
2,2511719
1
Current news is that rssh is not being maintained and has some odd security hole. Check back the current state before investing in it.
– chutz
May 19 '12 at 16:40
1
You can use the perl scriptrrsyncinstead of rssh, included in the official rsync package. See derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot
– unhammer
Jan 17 '13 at 11:21
add a comment |
1
Current news is that rssh is not being maintained and has some odd security hole. Check back the current state before investing in it.
– chutz
May 19 '12 at 16:40
1
You can use the perl scriptrrsyncinstead of rssh, included in the official rsync package. See derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot
– unhammer
Jan 17 '13 at 11:21
1
1
Current news is that rssh is not being maintained and has some odd security hole. Check back the current state before investing in it.
– chutz
May 19 '12 at 16:40
Current news is that rssh is not being maintained and has some odd security hole. Check back the current state before investing in it.
– chutz
May 19 '12 at 16:40
1
1
You can use the perl script
rrsync instead of rssh, included in the official rsync package. See derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot– unhammer
Jan 17 '13 at 11:21
You can use the perl script
rrsync instead of rssh, included in the official rsync package. See derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot– unhammer
Jan 17 '13 at 11:21
add a comment |
you can write a shell that wraps rsync.
look at the general idea here: https://sixohthree.com/1458/locking-down-rsync-using-ssh
in your wrapping shell you can do what you want and maybe chroot the user.
In my case I needed to switch on virtual account using the same *nix user. I manage to do so using this kind of shell plus many lines in the authorized_keys file. I have not chrooted the user but I've added a user folder level in the rsync server command.
look at process user differently using ssh key
add a comment |
you can write a shell that wraps rsync.
look at the general idea here: https://sixohthree.com/1458/locking-down-rsync-using-ssh
in your wrapping shell you can do what you want and maybe chroot the user.
In my case I needed to switch on virtual account using the same *nix user. I manage to do so using this kind of shell plus many lines in the authorized_keys file. I have not chrooted the user but I've added a user folder level in the rsync server command.
look at process user differently using ssh key
add a comment |
you can write a shell that wraps rsync.
look at the general idea here: https://sixohthree.com/1458/locking-down-rsync-using-ssh
in your wrapping shell you can do what you want and maybe chroot the user.
In my case I needed to switch on virtual account using the same *nix user. I manage to do so using this kind of shell plus many lines in the authorized_keys file. I have not chrooted the user but I've added a user folder level in the rsync server command.
look at process user differently using ssh key
you can write a shell that wraps rsync.
look at the general idea here: https://sixohthree.com/1458/locking-down-rsync-using-ssh
in your wrapping shell you can do what you want and maybe chroot the user.
In my case I needed to switch on virtual account using the same *nix user. I manage to do so using this kind of shell plus many lines in the authorized_keys file. I have not chrooted the user but I've added a user folder level in the rsync server command.
look at process user differently using ssh key
edited Apr 13 '17 at 12:14
Community♦
1
1
answered Jan 14 '17 at 12:18
quazardousquazardous
1024
1024
add a comment |
add a comment |
SFTP with Rsync capabilities, without a shell
You can use LFTP+SFTP in a chroot environment and achieve the same results as using rsync, without providing the user a shell or doing any heavy customizations in ssh with wrappers.
This is more secure and can be substantially faster.
add a comment |
SFTP with Rsync capabilities, without a shell
You can use LFTP+SFTP in a chroot environment and achieve the same results as using rsync, without providing the user a shell or doing any heavy customizations in ssh with wrappers.
This is more secure and can be substantially faster.
add a comment |
SFTP with Rsync capabilities, without a shell
You can use LFTP+SFTP in a chroot environment and achieve the same results as using rsync, without providing the user a shell or doing any heavy customizations in ssh with wrappers.
This is more secure and can be substantially faster.
SFTP with Rsync capabilities, without a shell
You can use LFTP+SFTP in a chroot environment and achieve the same results as using rsync, without providing the user a shell or doing any heavy customizations in ssh with wrappers.
This is more secure and can be substantially faster.
answered Jun 9 '17 at 22:00
AaronAaron
2,4042826
2,4042826
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f287578%2ftrying-to-setup-chrootd-rsync%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Have a look at this answer I wrote some time go serverfault.com/questions/255084/…
– Iain
Jul 6 '11 at 17:54