Automated rsync backups with ssh key restrictions

For the first time ever I wanted to make an rsync script to back up a couple of remote servers, restricting the commands by the use of a key. I wanted to restrict the commands that could be run with that key in case of compromise, since there needs to be no passphrase on the key. I’m not going to explain the theory or most of the commands, since you (I) already know.

Doing some googling, I found this which was pretty close, but I wanted it here (so I could find it again) and with fewer words. I ripped off the validatersync.sh script wholesale:

#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\(*)
echo "Rejected"
;;
*\{*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
*\<*)
echo "Rejected"
;;
*\`*)
echo "Rejected"
;;
*\|*)
echo "Rejected"
;;
rsync\ --server*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac

There’s probably some holes in it, but it’s close enough for government work. Then, add to authorized_keys:

from="hostname",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/path/tovalidatersync.sh" thebackupkey

And a sample backup script:

#!/bin/bash
LOGF=/path/to/LogFile
MYD=`date`
echo "Starting rsync at ${MYD}" >> ${LOGF}
/usr/bin/rsync -q -a --delete -e "ssh -i /the/.ssh/backup_key" userid@remote:/home/asdf/ asdf/
MYD=`date`
echo "Finished at ${MYD}" >> ${LOGF}

Call that in cron and you (I) should be good to go.

ETA: you might get “protocol mismatch” errors from rsync. TFM will tell you it’s because there’s output from your shell. TFM might be wrong. I’m still getting this error from one host I’m doing this with, but not the other. Since both are FreeBSD 8.4 machines, I’m somewhat mystified. Anyway, this might be enough to get started.