How should ForceCommand be configured in order to allow the backup user to execute any rsync command? With ForceCommand set to /usr/bin/rsync I receive the error below: connection unexpectedly closed...
/etc/ssh/sshd_config on remote server hosting the files to be copied from:
Match User backup
PasswordAuthentication no
PubkeyAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/bin/rsync
rsync command running on the local server doing the copying from the remote server:
rsync -avzh --progress [email protected]:/opt/backups/automatic/cron/mysql/ /tmp/.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(601) [Receiver=3.0.7]
If I configure ForceCommand to the exact rsync command such as the one below I am able to remotely rsync successfully as the backup user but for this project I don't want to have to use the full exact command as below:
ForceCommand /usr/bin/rsync --server --sender -vlwkDonecf.iLew . /opt/backups/automatic/cron/mysql/
If I configure ForceCommand to use a script such as the one below I am able to remotely rsync successfully. I'm curious why this works and /usr/bin/rsync doesn't?
Match User backup
PasswordAuthentication no
PubkeyAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand /home/backup/cron/validate-rsync
The validate-rsync script:
#!/bin/sh
#script to validate rsync
#script source: http://troy.jdmz.net/rsync/#validate-rsync
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\(*)
echo "Rejected"
;;
*\{*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
*\<*)
echo "Rejected"
;;
*\`*)
echo "Rejected"
;;
*\|*)
echo "Rejected"
;;
rsync\ --server*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac
My primary question is why doesn't ForceCommand /usr/bin/rsync work?
I'm also curious about the best way(s) to do this. I can't chroot the backup user because I'm copying from several different folders. I don't really want to have to use the full exact rsync --server --client etc. command because I'm copying several different folders and that seems excessive. I'm curious about the simplest/best way(s) to restrict the backup user to rsync.
The
ForceCommandoption is meant to be used with a command that specifically understands that it's acting as an SSH gatekeeper. The original command is placed in theSSH_ORIGINAL_COMMANDenvironment variable.The why is easy...
ForceCommanddoes exactly what it says: You connect, it forces you to run that command no matter what you actually wanted to do. In this case, that command is/usr/bin/rsyncwith no flags.rsyncworks by running another copy ofrsyncon the other side of the connection and talking to it over ssh. In this case though, it's unable to start the other side with the flags it needs because the command is replaced by/usr/bin/rsyncYour rsync-validate script is probably the best way to go about this. It checks the request to make sure it is a valid rsync server command, and only then does it run it.
rsyncprobably could be modified to check the $SSH_ORIGINAL_COMMAND directly when its run without arguments, but there's probably a good security reason not to do so.I don't think you can have
ForceCommandwork with any rsync command, but you can make it work with one. From the client, you can run:To get the serverside command. You'll see it in the verbose output after the key exchange but before the copying starts:
And then you can add that to your
ForceCommand:source: Sakana.fr: Securing automated rsync over SSH