How to perform a secure rsync between servers across an unsecured network
Basically what I'm asking is, has anyone come across a means by which to wrap rsync inside ssh.
With OpenSSH v4.9+ sftp has some nice options that allow you to chroot the incoming connection and such - and that's a solution that I would look at, however I'm stuck with RHEL, and neither RHEL4 or RHEL5 are upto that version of ssh.
My current solution is to add something like this to the server-side using the client user's key...
server% cat ~/.ssh/authorized_keys command="cd /srv/rsync/etl && tar --exclude './lost+found' -pcf - ./" ssh-rsa...
...and so the client would then be restricted to one thing and one thing only...
client% ssh -T -i ${HOME}/.ssh/id_rsa [email protected] > sensative.tar
This secures the connection, as well as the server (from the client), however is inefficient as all files will be retrieved over and over again.
I'm after doing something similar (or just better) using rsync.
Solution 1:
Rsync supports using ssh as a transport
rsync -az /path/to/source username@host:/path/to/destination
some older versions of rsync require you to specify ssh explicitly
rsync -aze ssh /path/to/source host:/path/to/destination
An alternative to using rsync is B. C. Pierce's Unison, which has similar functionality to rsync, but keeps a local index at both ends to avoid having to walk the filesystem to calculate the deltas
Solution 2:
Okay I finally figured this out, but the solution is not as elegant as I had hoped for.
One the server side, you need to add the following to the authorized_keys file for the relevant user...
no-pty, command="exit"
On the client, you can then create a tunnel as follows...
ssh -l username -fNTL 8073:server:873
Once the tunnel is establised, you can rsync as per usual - using the double-colon syntax is not possible - to localhost.
The localhost port number you select (8073) are entirely optional obviously, just remember that that's what you have to rsync to...
rsync --port=8073 -a user@localhost::mySecureStore /srv/some/place/
Solution 3:
You might be interested in daemon-over-ssh-mode, which is the subject of this question:
Can't get rsync to work in daemon-over-ssh mode