On Thu, May 28, 2015 at 04:02:19PM -0700, Rick Stevens wrote:
On 05/28/2015 03:38 PM, Suvayu Ali wrote:
>Hi Alan,
>
>Please do not top post (please read the mailing list guidelines at the
>bottom of each message).
>
>On Thu, May 28, 2015 at 02:14:16PM -0700, Alan Evans wrote:
>>On Thu, May 28, 2015 at 1:59 PM, Dustin Kempter <dustink(a)consistentstate.com
>>>wrote:
>>
>>>Hi all, I've been looking into a way to run rsync from server1 to server2
>>>using ssh-keys but not allowing the user from server 1 to log in to server2
>>>or to run any other commands, only rsync. I've seen a few postings of how
>>>to do it, where they add a command=“some command” line in the
>>>.ssh/authorized_keys file. But I can’t seem to see the same result even
>>>when I copy and paste what they had. Any advice or help would be greatly
>>>appreciated.
>>
>>google "ssh-keygen". You will find things like:
>>http://www.linuxproblem.org/art_9.html and similar.
>
>I believe the OP already tried that. He mentions .ssh/authorized_keys
>in the email.
>
>Dustin, I have faced this problem too! For some reason the
>command='somecommand' trick does not work. I think some magic
>incantation is missing from the docs. I would also like to know the
>answer to this.
It absolutely works. The trick is that the ~username/.ssh/authorized_keys
file entries should look like:
command="ls -l /var" ssh-dss
root(a)prophead.alldigital.net

I think the magic incantation for me was that command="somecommand" is
actually the whole command, with all the arguments. From the man page,
this wasn't clear to me. I was trying to set up passwordless root login
with PermitRootLogin set to forced-commands-only for backups with
rsnapshot.

Btw, to allow multiple commands from the same host, I guess I should
have multiple lines for the same public key? Also, any ideas what
should be the command to allow rsnapshot backups? I guess I need to
figure out what are the arguments passed onto rsync by rsnapshot, and in
which order.

Thanks a lot Rick!
--
Suvayu
Open source is the future. It sets us free.
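
Added example, not part of the thread or any poster's code: a forced-command wrapper for the rsync-only key discussed above, which checks `SSH_ORIGINAL_COMMAND` (the command the client actually requested) before running it. The script path `/usr/local/bin/rsync-only`, the root `/srv/backup`, the key line shown in the comment and the short option allowlist are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for an rsync-only key.
# Assumed install path /usr/local/bin/rsync-only and allowed root /srv/backup.
# Constructed authorized_keys entry (one line, <PUBLIC-KEY> is a placeholder):
#   command="/usr/local/bin/rsync-only /srv/backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY> backup@server1

# rsync_allowed CMD ROOT
# Succeeds only if CMD is an rsync server-mode invocation whose every path
# argument is ROOT itself or lies below it.
rsync_allowed() {
    cmd=$1 root=$2 seen_dot=0 npaths=0
    case $cmd in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Character allowlist: rejects quotes, ; | & $, globs, newlines and the like.
    case $cmd in
        *[!A-Za-z0-9\ ._/-]*) return 1 ;;
    esac
    for w in ${cmd#rsync --server }; do
        if [ "$seen_dot" -eq 0 ]; then
            case $w in
                .) seen_dot=1 ;;        # "." separates options from paths
                --sender) ;;            # only long option allowed (assumption)
                --*) return 1 ;;
                -?*) ;;                 # short option cluster, e.g. -logDtpre.iLsfxC
                *) return 1 ;;
            esac
            continue
        fi
        case $w in
            */../*|*/..) return 1 ;;    # no climbing out of ROOT
        esac
        case $w in
            "$root"|"$root"/*) npaths=$((npaths + 1)) ;;
            *) return 1 ;;
        esac
    done
    [ "$npaths" -ge 1 ]
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
# It is unset for an interactive login attempt, which then gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if [ -n "${1:-}" ] && rsync_allowed "$SSH_ORIGINAL_COMMAND" "$1"; then
        exec $SSH_ORIGINAL_COMMAND   # unquoted on purpose: split on spaces, never eval
    fi
    echo "rsync-only: command rejected" >&2
    exit 1
fi
```

Paths containing spaces and long options other than `--sender` are rejected by design, so extend the option allowlist to match what your client sends. rsync also ships a fuller script of this kind, `rrsync`.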