Debian: SSH: "PermitRootLogin=forced-commands-only" stopped working

ssh linux debian

"PermitRootLogin forced-commands-only" requires that all connections, via SSH as root, need to use public key authentication and that a command be associated with that key (like 'validate-rsync').

If you want to login as root but only with keys use:

PermitRootLogin = without-password

To restrict rsync to a defined ssh-key you can specify in your authorized_keys:

from="<ip>",command="/usr/local/sbin/validate-rsync" ssh-dss AAAAZ5Hbl......

And save this wrapper to: /usr/local/sbin/validate-rsync

#!/bin/sh 

case "$SSH_ORIGINAL_COMMAND" in 
*\&*) 
echo "Rejected" 
;; 
*\(*) 
echo "Rejected" 
;; 
*\{*) 
echo "Rejected" 
;; 
*\;*) 
echo "Rejected" 
;; 
*\<*) 
echo "Rejected" 
;; 
*\`*) 
echo "Rejected" 
;; 
*\|*) 
echo "Rejected" 
;; 
rsync\ --server*) 
$SSH_ORIGINAL_COMMAND 
;; 
*) 
echo "Rejected" 
;; 
esac

There is a slightly more complicated script shipped with rsync to do the same, http://www.samba.org/ftp/unpacked/rsync/support/rrsync

Related

LDAP (slapd) creating users with access to specific trees
SysAdmin Career Query: Internal or Client Based [closed]
IPv6 can I use a link local address as my default Gateway?
How to you create a wildcard DNS entry in Mac OS X 10.6 Server DNS GUI?
Nginx: Rewrite rule for subfolder
Is Apache stalled? /server-status shows over 240 requests like "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
How can I get access to password hashing in postgresql? Tried installing postgresql-contrib in ubuntu, still can't access hashing functions
User name by SID?
If I re-key a SSL certificate for a 2nd/backup server, does the original still work?
Accessing localhost on IIS7 from another computer on the network
Using 'in' to match an attribute of Python objects in an array
Open a file in Visual Studio at a specific line number