Comments on: Restriction de commande Rsync par SSH http://fr.positon.org/restriction-de-commande-rsync-par-ssh Tue, 15 Mar 2022 14:49:21 +0000 hourly 1 http://wordpress.org/?v=3.7.1 By: raf http://fr.positon.org/restriction-de-commande-rsync-par-ssh#comment-1639 Tue, 23 Apr 2019 08:21:33 +0000 http://positon.org:81/?p=108#comment-1639 [Disclosure: I wrote sshdo which is described below]

There’s a program for controlling which commands may be executed via incoming ssh. It’s called sshdo. It can be used to precisely control uses of rsync as well as other commands, all at the same time. It’s available for download at:

http://raf.org/sshdo/ (read manual pages here)
https://github.com/raforg/sshdo/

It has a training mode to allow all commands that are attempted, and a –learn option to produce the configuration needed to allow learned commands permanently. Then training mode can be turned off and any other commands will not be executed.

It also has an –unlearn option to stop allowing commands that are no longer in use so as to maintain strict least privilege as requirements change over time.

It is very fussy about what it allows. It won’t allow a command with any arguments. Only complete shell commands can be allowed.

But it does support simple patterns to represent similar commands that vary only in the digits that appear on the command line (e.g. sequence numbers or date/time stamps).

It’s like a firewall or whitelisting control for ssh commands.

]]> By: dooblem http://fr.positon.org/restriction-de-commande-rsync-par-ssh#comment-1628 Mon, 18 Feb 2019 20:03:27 +0000 http://positon.org:81/?p=108#comment-1628 Hello Tim,
rsync would be starded with the –sender option. With that how can it write any file on the server ?

Anyway, a better option now is to use rrsync

https://download.samba.org/pub/unpacked/rsync/support/rrsync

]]> By: Tim Riker http://fr.positon.org/restriction-de-commande-rsync-par-ssh#comment-1622 Fri, 15 Feb 2019 22:15:16 +0000 http://positon.org:81/?p=108#comment-1622 I would not recommend this approach. If you do this, then use remote user can rsync over a new .ssh/authorized_keys that removes the restrictions and have full shell access as root using that key.

Better to have the root user on the machine you want to backup, ssh as a non-root user to the machine you want the backups on and upload.

]]> By: Allow only rsync and not ssh from remote server – Barchive http://fr.positon.org/restriction-de-commande-rsync-par-ssh#comment-1601 Sat, 14 Jul 2018 18:43:40 +0000 http://positon.org:81/?p=108#comment-1601 […] http://positon.org/rsync-command-restriction-over-ssh […]

]]> By: David Goodwin http://fr.positon.org/restriction-de-commande-rsync-par-ssh#comment-1195 Thu, 21 May 2015 12:08:22 +0000 http://positon.org:81/?p=108#comment-1195 Thanks for the above – it was just what I needed.

(I didn’t know you could have a ‘from’ bit in authorized_keys).

]]> By: Shahzad http://fr.positon.org/restriction-de-commande-rsync-par-ssh#comment-151 Wed, 30 Jan 2013 18:07:35 +0000 http://positon.org:81/?p=108#comment-151 my user is no login, how can I use this for that user?
do I have to change my user setting on the server to be able to allow login?

]]>