Limit ssh user to only use rsync

Rsync, ssh with authorized_keys

Let's say you want to backup some data on remote server.
Easiest option is to use rsync.
On the remote server you will need account so you can login and upload the data, but it would be good to limit this account to only touch data in specific dir and nothing more - no shell, no other locations.
Easiest way is to do it with ssh keys.

0. Add the user on the remote server. Do not set password so it can't login.
1. Generate the key:
$> ssh-keygen -t ed25519 -f rsync_key
2. Copy the .pub key to the server you will be syncing to.
3. Create ~/.ssh/authorized_keys on the remote server with the user that will be holding the data.
in the authorized_keys you must place a line with allowed command + limits and the key like so:

command="rsync --server -vlogDtprCze.iLsfxC --delete . /home/john/backup",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAA........

4. On the computer that you have private key and the data to backup, you can run the command:
$> rsync -e 'ssh -i rsync_key' -Cavz --delete /home/johncomp/Documents john@hostname:/home/john/backup

That's it.
User john can't execute anything else than the command specified for this key.


Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks


Display comments as Linear | Threaded

No comments

Add Comment

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
To leave a comment you must approve it via e-mail, which will be sent to your address after submission.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.