How to perform a secure rsync between servers across an unsecured network

ssh security rsync tar copy

Basically what I'm asking is, has anyone come across a means by which to wrap rsync inside ssh.

With OpenSSH v4.9+ sftp has some nice options that allow you to chroot the incoming connection and such - and that's a solution that I would look at, however I'm stuck with RHEL, and neither RHEL4 or RHEL5 are upto that version of ssh.

My current solution is to add something like this to the server-side using the client user's key...

server% cat ~/.ssh/authorized_keys
command="cd /srv/rsync/etl && tar --exclude './lost+found' -pcf - ./" ssh-rsa...

...and so the client would then be restricted to one thing and one thing only...

client% ssh -T -i ${HOME}/.ssh/id_rsa [email protected] > sensative.tar

This secures the connection, as well as the server (from the client), however is inefficient as all files will be retrieved over and over again.

I'm after doing something similar (or just better) using rsync.


Solution 1:

Rsync supports using ssh as a transport

rsync -az /path/to/source username@host:/path/to/destination

some older versions of rsync require you to specify ssh explicitly

rsync -aze ssh /path/to/source host:/path/to/destination

An alternative to using rsync is B. C. Pierce's Unison, which has similar functionality to rsync, but keeps a local index at both ends to avoid having to walk the filesystem to calculate the deltas

Solution 2:

Okay I finally figured this out, but the solution is not as elegant as I had hoped for.

One the server side, you need to add the following to the authorized_keys file for the relevant user...

no-pty, command="exit"

On the client, you can then create a tunnel as follows...

ssh -l username -fNTL 8073:server:873

Once the tunnel is establised, you can rsync as per usual - using the double-colon syntax is not possible - to localhost.

The localhost port number you select (8073) are entirely optional obviously, just remember that that's what you have to rsync to...

rsync --port=8073 -a user@localhost::mySecureStore /srv/some/place/

Solution 3:

You might be interested in daemon-over-ssh-mode, which is the subject of this question:

Can't get rsync to work in daemon-over-ssh mode

Related

How can I safely use storage thin provisioning?
Can a VMWare Server 2.0 virtual machine be "unvirtualized" to physical hardware?
LDAP Structure: dc=example,dc=com vs o=Example
Using PGP keys for SSH
Long list of if statements in Java
Are typedef and #define the same in c?
Communication between Android Java and Phonegap Javascript?
FloatingActionButton example with Support Library
Android studio, gradle and NDK
Cache an HTTP 'Get' service response in AngularJS?
Understanding the meaning of the term and the concept - RAII (Resource Acquisition is Initialization)
Automatically create an Enum based on values in a database lookup table?