Validating rsync via SSH authorized_keys command="..."

Solution 1:

The error you're receiving is rsync: command not found. This typically implies that your $PATH environment variable is not set correctly. Using your first test, explicitly set PATH to include the directory where the rsync command is installed. For example:

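#!/bin/sh

# Put the directory that contains rsync on PATH for the forced command
PATH=/usr/local/bin:$PATH
export PATH

# Run the command the SSH client originally requested
$SSH_ORIGINAL_COMMAND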

Make sure to make the script executable (chmod 755 valrsync).

All this assumes that rsync is in fact installed on the target system.
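The following is an added example, not part of either answer: a forced-command wrapper that checks SSH_ORIGINAL_COMMAND before running it, so the key can only start a server-side rsync. The function names, the installed name valrsync as the run guard, and the logger tag are assumptions; the check pins the program only and does not restrict paths or rsync options.

```shell
#!/bin/sh
# Added example (not from the original answers): validate the requested
# command before executing it from authorized_keys command="...".

PATH=/usr/local/bin:/usr/bin:/bin
LC_ALL=C                      # keep A-Z / a-z ranges byte-exact
export PATH LC_ALL

# Return 0 only for "rsync --server ..." built from plain characters.
# File names containing spaces, quotes or backslashes are rejected too.
is_rsync_server_cmd() {
    case "$1" in
        # any character outside the allow-list: ; & | ` $ ( ) < > * ? quotes, newline...
        *[!A-Za-z0-9\ ._/,=@:+-]*) return 1 ;;
    esac
    case "$1" in
        "rsync --server "*) return 0 ;;
    esac
    return 1
}

run_forced_command() {
    # Unset or empty means the client asked for an interactive shell.
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "interactive logins are not permitted for this key" >&2
        return 1
    fi
    if ! is_rsync_server_cmd "$SSH_ORIGINAL_COMMAND"; then
        # Leave a trace for whoever reviews the auth logs (tag is an assumption).
        logger -t valrsync "rejected command: $SSH_ORIGINAL_COMMAND" 2>/dev/null || true
        echo "command rejected" >&2
        return 1
    fi
    set -f                    # word splitting only, no glob expansion
    exec $SSH_ORIGINAL_COMMAND
}

# Act as the forced command only when installed under the assumed name.
if [ "${0##*/}" = "valrsync" ]; then
    run_forced_command
fi
```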

Solution 2:

A better method than writing a homebrew script would be to use rrsync, which on Debian-based distros you should already have installed alongside rsync in /usr/share/doc/rsync/scripts/rrsync.gz. In that case simply run the following command to unpack the gzipped script into /usr/bin/rrsync:

gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c | sudo tee /usr/bin/rrsync && sudo chmod +x /usr/bin/rrsync

(When already running as root, you can obviously leave off the sudo invocations.)

Alternatively download rrsync here.

Reminder: having rsync installed on the remote machine (the one with the authorized_keys file) is a prerequisite here.

Once that's done you can simply prepend a command= in front of a line with a public key, invoking rrsync.

Usually you would include some restrictive SSH options along with the command=, so it might look like this:

command="/usr/bin/rrsync -wo /data/backup/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ecdsa-sha2-nistp521 AAAAE...

By giving that directory (you can use -ro for read-only and -wo for write-only) you can leave off the directory on the rsync invocation.

So your command line would become rsync [...] / username@remotemachine: (mind the missing path after the :).