For the first time ever I wanted to make an rsync script to back up a couple of remote servers, using an SSH key whose allowed commands are restricted. Since the key has to have no passphrase (it runs unattended), I wanted to limit what can be run with it in case it is compromised. I'm not going to explain the theory or most of the commands, since you (I) already know.
Doing some googling, I found this, which was pretty close, but I wanted it here (so I could find it again) and with fewer words. I ripped off the validatersync.sh script wholesale:
There are probably some holes in it, but it's close enough for government work. Then, add to authorized_keys (from= pins the client host, the no-* options switch off everything except the forced command, and command= makes the script the only thing the key can ever run):
from="hostname",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/path/to/validatersync.sh" thebackupkey
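What such a validator can look like, as an added example (this is not the validatersync.sh from the post above, which is not reproduced here): it only lets the key run rsync in server mode, read-only (--sender), on paths under an assumed directory /srv/backup-source, and rejects and logs everything else.

```shell
#!/bin/sh
# validatersync.sh: forced command for a passphrase-less backup key.
# Allows only read-only rsync server invocations under ALLOWED_ROOT (assumed path).
ALLOWED_ROOT="/srv/backup-source"

# validate_rsync_command CMD  ->  exit status 0 if CMD may be executed, 1 if not.
# Runs in a subshell so that "set -f" and the positional parameters stay local.
validate_rsync_command() (
    cmd=$1
    # Whitelist of characters: anything else (; | & $ ` < > \ newline, globs, ...)
    # could reach a shell or smuggle in rsync options we do not expect.
    case "$cmd" in *[!A-Za-z0-9_./=,:+@' '-]*) return 1 ;; esac
    # Must be rsync in server mode, i.e. what the client's rsync sends over.
    case "$cmd" in rsync\ --server\ *) ;; *) return 1 ;; esac
    set -f                    # no globbing while splitting into words
    set -- $cmd
    shift 2                   # drop "rsync --server"
    have_sender=0 seen_dot=0 npaths=0
    for arg; do
        if [ "$seen_dot" -eq 0 ]; then
            case "$arg" in
                .)        seen_dot=1 ;;       # "." separates options from paths
                --sender) have_sender=1 ;;
                -*)       ;;                  # other option; tighten here if needed
                *)        return 1 ;;         # unexpected bare word before "."
            esac
        else
            # Every path must lie under ALLOWED_ROOT and must not climb out of it.
            case "$arg" in "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;; *) return 1 ;; esac
            case "/$arg/" in */../*) return 1 ;; esac
            npaths=$((npaths + 1))
        fi
    done
    # --sender means this host only reads; without it the key could write files here.
    if [ "$seen_dot" -eq 1 ] && [ "$have_sender" -eq 1 ] && [ "$npaths" -gt 0 ]; then
        return 0
    fi
    return 1
)

# When sshd runs this as a forced command, SSH_ORIGINAL_COMMAND carries what the
# client asked for. If it is not set at all (no command requested), nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t validatersync "rejected: $SSH_ORIGINAL_COMMAND" 2>/dev/null
    echo "Rejected" >&2; exit 1
fi
```

The character whitelist deliberately rejects glob characters, so a client-side --exclude='*.log' must be loosened in the pattern if you need it.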
And a sample backup script:
Call that in cron and you (I) should be good to go.
ETA: you might get "protocol mismatch" errors from rsync. TFM will tell you it's because there's output from your shell (anything the forced command or your login scripts print before rsync starts talking). TFM might be wrong. I'm still getting this error from one host I'm doing this with, but not the other. Since both are FreeBSD 8.4 machines, I'm somewhat mystified. Anyway, this might be enough to get started.