From: Michael Orlitzky
Date: Fri, 19 Aug 2011 13:14:30 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] {OT} rdiff-backup: push or pull?
Message-ID: <4E4E99F6.2020002@orlitzky.com>
References: <54732072.QyOj10dyxT@eve> <2835390.opqSYxfPPv@eve>

On 08/17/11 13:35, Grant wrote:
>>> Is there a way to
>>> restrict SSH keys to the rsync command?
>>
>> Yes, via the "authorized_keys" file. You can add a "command" directive. This
>> will always force that command to be executed whenever a connection is made
>> using this key.
>
> I'm using the command directive with rdiff-backup like
> command="rdiff-backup --server" but I can't figure out the rsync
> command to specify. Is anyone restricting an SSH key to rsync with
> the command directive?
>

We're doing the same thing for our backups. Here's that chunk of our
documentation, if it's helpful.

=== rdiff-backup Client ===

==== Creating the Remote User ====

First, create a new system user on the backup server. Log in (as root), and run,

   useradd -d /home/ -m

The ''-d'' parameter sets the home directory, and ''-m'' creates it
automatically.

The rdiff-backup program uses SSH to synchronize the local and remote
filesystems. As a result, non-interactive operation requires a server/client
certificate pair. Furthermore, we cannot prevent shell logins for our new user
account. Give it a reasonably-complex password. You'll only need to type it
twice:

   passwd

==== Installing rdiff-backup ====

First things first; install rdiff-backup on the client. In Gentoo, all this
requires is the following,

   emerge rdiff-backup

If that works, go ahead and continue.

==== Setting up SSH Authentication ====

For now, we're done on the backup server. Log in to the client server (the one
to be backed up) as root. We need to generate an SSH key pair:

   ssh-keygen

Name the file something informative when asked. '''Do not create a password
for the key file.''' For example, your private key for might be named
~/.ssh/_rsa.

Now, copy the public key, e.g. ~/.ssh/_rsa.pub, to the backup server using the
user that we created earlier.

   scp ~/.ssh/ @:~/

And add a section to the local ~/.ssh/config file which corresponds to the
backup server. This forces the local machine to authenticate to the backup
server using its key rather than a password.
Host 
   Hostname 
   IdentityFile ~/.ssh/
   IdentitiesOnly yes
Now, ssh into the backup server as your new user. Our goal is to add this key
as "trusted," allowing anyone with the corresponding key to connect as this
user. On the backup server (as our new user), execute,

   cat >> ~/.ssh/authorized_keys
   rm

and add the following to the authorized_keys file manually. Add it at the
beginning of the line for the new public key.

   command="/usr/bin/rdiff-backup --server",no-pty,no-port-forwarding

This will restrict the user with this public key to executing only the
rdiff-server command.
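A forced-command wrapper that covers both programs discussed in the thread, as an added example that is not part of the original post or of the quoted documentation: instead of hard-wiring one command in authorized_keys, it inspects what the client actually asked to run (sshd exports this as SSH_ORIGINAL_COMMAND) and lets through only "rdiff-backup --server" or an "rsync --server" invocation aimed at the backup tree, refusing and logging everything else. The install path /usr/local/bin/backup-only and the backup tree /srv/backup are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the backup user's authorized_keys entry.
# Added example, not from the original post. Assumed install path
# /usr/local/bin/backup-only, referenced from authorized_keys as
#   command="/usr/local/bin/backup-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
# sshd exports the client's requested command as SSH_ORIGINAL_COMMAND.

BACKUP_ROOT="${BACKUP_ROOT:-/srv/backup}"   # assumed location of the backup tree

# Return 0 if "$1" contains a shell metacharacter. $cmd is word-split below,
# never eval'ed, so these would reach rsync only as literal arguments; reject
# them anyway, since no legitimate "rsync --server" invocation contains them.
has_shell_metachar() {
    case "$1" in
        *['`;&|<>()$']*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if "$1" is an invocation this key may run, 1 otherwise.
allowed_command() {
    has_shell_metachar "$1" && return 1
    case "$1" in *..*) return 1 ;; esac   # no ".." components: PATH must stay inside BACKUP_ROOT
    case "$1" in
        # rdiff-backup's remote side, exactly what the post's authorized_keys line forces
        "rdiff-backup --server" | "/usr/bin/rdiff-backup --server") return 0 ;;
        # rsync's remote side is always "rsync --server [--sender] FLAGS . PATH";
        # --sender marks a pull (the client reads from us). Accept PATH only under BACKUP_ROOT.
        "rsync --server "*" . $BACKUP_ROOT" | "rsync --server "*" . $BACKUP_ROOT/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatch: exec the permitted command, or log the refusal and return 1.
run_forced_command() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if [ -n "$cmd" ] && allowed_command "$cmd"; then
        # shellcheck disable=SC2086  -- intentional word splitting of sshd's single string
        exec $cmd
    fi
    logger -t backup-only -p auth.warning \
        "refused '${cmd:-<interactive login>}' from ${SSH_CLIENT%% *}" 2>/dev/null || true
    echo "This key may only run the backup server command." >&2
    return 1
}

# Dispatch only when sshd is invoking us, so the file can also be sourced for testing.
if [ -n "${SSH_CONNECTION:-}" ]; then run_forced_command; fi
```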