Validating rsync via SSH authorized_keys command=“…”
I'm trying to validate rsync via sshd's authorized_keys file.
The problem is I can't manage to execute rsync from the validating script.
Here's my authorized_keys file:

```
command="/home/username/Desktop/valrsync username" ssh-rsa AAAA [...]
```

Here's the valrsync script, attempted differently each time:

Test 1 -

```sh
$SSH_ORIGINAL_COMMAND
```

Output -

```
$ rsync [...] / username@remotemachine:/
/home/username/Desktop/valrsync: line 2: rsync: command not found
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(601) [sender=3.0.7]
```

And, more importantly, Test 2 -

```python
#!/usr/bin/python
import os
os.system(os.getenv('SSH_ORIGINAL_COMMAND'))
```

Output (running rsync from the local machine and getting the output of valrsync on the remote machine) -

```
$ rsync [...] / username@remotemachine:/
sh: rsync: command not found
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(601) [sender=3.0.7]
```

I understand that rsync somehow spawns an instance of itself at the remote machine, and obviously that instance is not referred to when I attempt to execute the rsync command via the script. rsync is not installed on the server, and I know it shouldn't be.
Now the question is, what can I do about it (except maybe installing rsync on the server...?)

Tags: ssh, rsync
asked Jul 7 '11 at 18:54 by Mark
4 Answers
The error you're receiving is rsync: command not found. This typically implies that your $PATH environment variable is not set correctly. Using your first test, explicitly set PATH to include the directory where the rsync command is installed. For example:

```sh
#!/bin/sh
# Put the directory that holds rsync in front of whatever PATH sshd gave us.
PATH=/usr/local/bin:$PATH
export PATH
# Run the command the client asked for (sshd passes it in this variable).
$SSH_ORIGINAL_COMMAND
```

Make sure to make the script executable (chmod 755 valrsync).
All this assumes that rsync is in fact installed on the target system.

answered Jul 7 '11 at 19:19 by larsks

Thank you for your reply. Is the only way to solve this to install rsync on the target machine?
– Mark, Jul 7 '11 at 20:20

Yes, you need to have rsync installed on both the source and destination machine. Rsync needs to run on both ends of the connection (because otherwise, what is rsync talking to?).
– larsks, Jul 7 '11 at 20:45
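The answer above fixes PATH but still runs whatever the client sends; the question asked for a validating script. The following is an added example, not code from the question or from any answer, of a forced-command wrapper that sets PATH, checks that rsync is actually installed (the failure in the question), and only exec's SSH_ORIGINAL_COMMAND when it is an "rsync --server" invocation confined to one directory. The install path /usr/local/bin/valrsync, the directory /data/backup and the character whitelist are assumptions; rrsync (described in a later answer) does this more completely, including whitelisting individual rsync options, which this example does not attempt.

```shell
#!/bin/sh
# Added example (not from the question or any answer): forced-command wrapper
# for an authorized_keys line such as (assumed install path):
#   command="/usr/local/bin/valrsync",no-pty,no-port-forwarding ssh-rsa AAAA...

# Put the directory that holds rsync on PATH, as larsks's answer suggests.
PATH=/usr/local/bin:/usr/bin:/bin
export PATH

# Directory this key is confined to (assumed value).
ALLOWED_DIR=/data/backup

# check_rsync_cmd CMD DIR: returns 0 when CMD is "rsync --server [options] . PATH..."
# with every PATH at or below DIR, 1 otherwise. Pure function so it can be tested.
check_rsync_cmd() {
    cmd=$1
    dir=$2

    # Positive character whitelist (assumed): an rsync server command line is
    # letters, digits, "-", ".", "/", "=" and spaces. Anything else (quotes,
    # ";", "|", "$", newlines, ...) is refused before the string is split.
    safe='A-Za-z0-9._/= -'
    case "$cmd" in
        '') return 1 ;;
        *[!$safe]*) return 1 ;;
    esac

    # Safe to word-split now: no quoting or globbing characters survived.
    # shellcheck disable=SC2086
    set -- $cmd
    [ "${1:-}" = rsync ] && [ "${2:-}" = --server ] || return 1
    shift 2

    # Options come first; rsync marks the end of options with a lone ".".
    while [ $# -gt 0 ] && [ "$1" != . ]; do
        case "$1" in
            -*) shift ;;
            *) return 1 ;;
        esac
    done
    [ $# -ge 2 ] || return 1   # need the "." and at least one path
    shift

    # Every remaining word is a path rsync will read or write: each must be
    # DIR itself or below it, and must not climb out with "..".
    for p in "$@"; do
        case "$p" in
            "$dir"|"$dir"/*) ;;
            *) return 1 ;;
        esac
        case "/$p/" in
            */../*) return 1 ;;
        esac
    done
    return 0
}

main() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "valrsync: interactive login not permitted" >&2
        exit 1
    fi
    # The failure in the question: rsync must exist on this end too, because
    # the client's rsync starts "rsync --server" here over the SSH channel.
    if ! command -v rsync >/dev/null 2>&1; then
        echo "valrsync: rsync is not installed on this host" >&2
        exit 1
    fi
    if ! check_rsync_cmd "$SSH_ORIGINAL_COMMAND" "$ALLOWED_DIR"; then
        logger -t valrsync "refused: $SSH_ORIGINAL_COMMAND"
        echo "valrsync: command not permitted" >&2
        exit 1
    fi
    # Validated above, so word-splitting the string is intended.
    # shellcheck disable=SC2086
    exec $SSH_ORIGINAL_COMMAND
}

# Dispatch only when installed and run under the name valrsync; when the file
# runs under another name (for example in a test) only the functions load.
case "${0##*/}" in
    valrsync) main ;;
esac
```

Refused commands are logged via logger, so a forced key that is probed with anything other than the expected rsync invocation shows up in syslog.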
Ensure that you have rsync installed and in the PATH on both ends (client and server). The rsync client uses SSH to execute rsync on the remote (server) end. That's just how rsync works.

answered Feb 14 '14 at 18:21 by Rouben
A better method than writing a homebrew script would be to use rrsync, which on Debian-based distros you should already have installed alongside rsync in /usr/share/doc/rsync/scripts/rrsync.gz. In that case simply run the following command to unpack the gzipped script into /usr/bin/rrsync:

```sh
gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c | sudo tee /usr/bin/rrsync && sudo chmod +x /usr/bin/rrsync
```

(When already running as root you can obviously leave off the sudo invocations.)

Alternatively download rrsync here.

Reminder: having rsync installed on the remote machine (the one with the authorized_keys file) is a prerequisite here.

Once that's done you can simply prepend a command= in front of a line with a public key, invoking rrsync.
Usually you would include some restrictive SSH options along with the command=, so it might look like this:

```
command="/usr/bin/rrsync -wo /data/backup/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ecdsa-sha2-nistp521 AAAAE...
```

By giving that directory (you can use -ro for read-only and -wo for write-only) you can leave off the directory on the rsync invocation.
So your command line would become rsync [...] / username@remotemachine: (mind the missing path after the :).

answered Jun 8 '18 at 21:22 by 0xC0000022L
[Disclosure: I wrote sshdo which is described below]

As mentioned above, rrsync can be used to control what rsync can do over ssh but, like most uses of ssh forced commands, it's limited to a single rsync command per authorized key.
A better way to control what rsync can do over ssh is to use a generic command whitelisting control for ssh.
There's a program called sshdo for doing this. It controls which commands may be executed via incoming ssh connections. It's available for download at:

http://raf.org/sshdo/ (read manual pages here)
https://github.com/raforg/sshdo/

It has a training mode to allow all commands that are attempted, and a --learn option to produce the configuration needed to allow learned commands permanently. Then training mode can be turned off and any other commands will not be executed.
It also has an --unlearn option to stop allowing commands that are no longer in use so as to maintain strict least privilege as requirements change over time.
It is very fussy about what it allows. It won't allow a command with any arguments. Only complete shell commands can be allowed.
But it does support simple patterns to represent similar commands that vary only in the digits that appear on the command line (e.g. sequence numbers or date/time stamps).
It's like a firewall or whitelisting control for ssh commands.

answered 7 mins ago by raf (new contributor)

This is nearly identical to your previous answer even though the questions are quite different. Perhaps review the promotion policy and in particular the passage about solving a specific problem.
– tripleee, 3 mins ago