Re: passwordless rsync?

On 05/28/2015 04:40 PM, Suvayu Ali wrote: > >I think the magic incantation for me was command="somecommand" is >actually the whole command, with all the arguments. From the man page, >this wasn't clear to me. I was trying to setup passwordless root login >with PermitRootLogin set to forced-commands-only for backups with >rsnapshot. Ah, yes, you have to put in the whole command and arguments. If you need spaces to separate arguments, then everything after the '=' has to be enclosed in quotes: command="somecommand -arg1 -arg2 -arg3" etc. You can put in multiple options, too: command="somecommand -arg1 -arg2 -arg3",from="*.mydomain.com" to restrict the user so they'd have to log in from hosts in the "mydomain.com" DNS domain and the only thing that'd happen if they did was have "somecommand" run automatically. They'd be disconnected immediately after "somecommand" completed.

>Btw, to allow multiple commands from the same host, I guess I should >have multiple lines for the same public key? Also, any ideas what >should be the command to allow rsnapshot backups? I guess I need to >figure out what are the arguments passed onto rsync by rsnapshot, and in >which order. AFAIK, you can only have one "command=" per line (or stanza) in the authorized_keys file for each user. Otherwise, how would the client specify which to run?

You might be able to do some fancy footwork using "Match" clauses in the /etc/ssh/sshd_config file, but I've never done anything more than simple matches (match on username or address patterns to put in some additional restrictions).