I'm trying to set up rsync to copy the data from a server every day. In order to make the system as restricted as possible, I'm trying to use the mode described in the man page as: "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION"
So I've put a file called rsyncd.conf in root's home folder:
[root]
path = /
read only = true
and tried to copy /etc/passwd over as a test:
rsync -vv -e ssh myserver::root/etc/passwd .
But I get the following:
opening connection using: ssh myserver rsync --server --daemon .
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(635) [receiver=3.0.3]
The reason I am doing all this is that once I get it working, I plan to restrict access by specifying the command
rsync --server --daemon .
in ~/.ssh/authorized_keys
There seems to be a bug in the documentation or the implementation of rsync. man rsync says:
but when connecting to root, according to /var/log/messages, it was looking in /etc/rsyncd.conf for the config file (the standard location for an rsyncd.conf file when not used over SSH).
I had to force the ssh server to use the right config file by adding
to /root/.ssh/authorized_keys.
The reason I didn't just put the config in the default location is that I didn't want someone to accidentally start a normal rsync daemon - I only want a daemon to have this much access when it has got the correct ssh key.
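An added example, not part of the original posts: a small Python audit of authorized_keys lines that checks each key is pinned to the rsync daemon command from the question and has pty and forwarding disabled. The sample entries and key blobs are constructed, and the function names are hypothetical.

```python
import os
import re

# One option: name, optional ="quoted" or =bare value, then "," or whitespace.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:=(?:"((?:\\.|[^"\\])*)"|([^\s,"]+)))?(?:,|\s+)')
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

# Constructed sample entries; the key blobs are placeholders, not real keys.
SAMPLE = [
    'command="rsync --server --daemon .",no-pty,no-port-forwarding,'
    'no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA-constructed backup@client',
    'command="rsync --server --daemon .",no-pty ssh-ed25519 AAAA-constructed half@client',
    'ssh-rsa AAAA-constructed admin@laptop',
]

def split_entry(line):
    """Split one authorized_keys line into (options dict, key type)."""
    opts, pos = {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPTION.match(line, pos)
        if m is None:
            raise ValueError("cannot parse options near: " + line[pos:pos + 20])
        value = m.group(2) if m.group(2) is not None else (m.group(3) or "")
        opts[m.group(1).lower()] = value.replace('\\"', '"')
        pos = m.end()
    return opts, line[pos:].split()[0]

def audit(line):
    """Return findings for one entry; an empty list means it is locked down."""
    opts, _ = split_entry(line.strip())
    findings = []
    if "command" not in opts:
        findings.append("no forced command: the key can run anything")
    else:
        argv = opts["command"].split()
        if not argv or os.path.basename(argv[0]) != "rsync" or argv[1:3] != ["--server", "--daemon"]:
            findings.append("forced command is not the rsync daemon: " + opts["command"])
    # "restrict" (OpenSSH 7.2+) turns off pty and all forwarding in one option.
    missing = [] if "restrict" in opts else sorted(LOCKDOWN - set(opts))
    if missing:
        findings.append("still allowed, add: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry.split()[-1], audit(entry) or "ok")
```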
rsync in daemon mode isn't what I would suggest if you want to lock it down tight as possible. You want to restrict the command that an SSH key is allowed to run and invoke the copy command using that key.
To find out what command to restrict the key to, run the appropriate rsync command line with a slight modification in the ssh command:
You will see a line in the debug output such as:
That exact command is what you want to restrict the key to be able to run in .ssh/authorized_keys: